Content and form of the service provision contract

The contract that regulates the relationship between the person responsible for the file and the person in charge of the treatment must be in writing, or in some other way that allows proof of its conclusion.

It should contain the following:

1. The way to treat the data: the person in charge of the treatment may process the personal data provided by the person responsible for the file solely and exclusively in accordance with the instructions specified in the contract for the provision of services.

2. The purpose of the treatment: the person in charge of the treatment may not apply or use the personal data provided for any purpose other than that contained in said contract.

3. The prohibition of communicating the data: the person in charge of the treatment will not transfer, or communicate to third parties, not even for their conservation, the personal data to which they have access during the provision of the service.

4. The security measures that the person in charge of the treatment will be obliged to implement.

5. The destruction or return, by the party in charge of the treatment, of all the supports and documents that contain personal data, once the provision has been completed. When there is a legal obligation that requires it, the person responsible for the file may authorize the person in charge of the treatment to keep, duly blocked, the data as long as responsibilities may arise from their relationship with him.

6. The consequences for the person in charge of the treatment in case of breach of the contract: if it uses the data for another purpose, or communicates or uses them in breach of the stipulations of the contract, it will also be considered responsible for the treatment, answering for the infractions that it has personally incurred. In addition, and if appropriate, the contract must reflect the assumption that the person in charge of the treatment collects personal data as a result of the fulfillment of the object of the contract, in which case it will always do so on behalf of the person responsible for the file, informing those affected in accordance with the provisions of article 5 of the LOPD and requesting their consent in the cases and conditions established by the Organic Law.

Types of service provision

The RLOPD, in its articles 82 and 83, establishes various situations that may arise when contracting the provision of a service.

They are as follows:

1. That access to the data is necessary for the provision of the service: then, the provider must be considered in charge of treatment and will be subject to the provisions of the LOPD (Article 12 of the LOPD and 82 of the RLOPD).

2. That access to the data is not necessary for the provision of the service: therefore, the provider will not be considered a data controller, but it will be necessary to regulate their situation (Article 83 of the RLOPD).

Provision of services with access to data

Nowadays, companies often contract the performance of services on behalf of third parties, as is the case with the preparation and management of payroll, the maintenance of computer equipment, the control of physical access to the facilities, etc. In all these cases, the company that provides these services will be considered the data controller.

Within this type of provision, article 82 of the RLOPD establishes various assumptions when providing the service:

1. That the service is provided at the premises of the file manager in person, so it will not be necessary for personal data to be transmitted outside of said premises. In this case, and as established in article 82.1 of the RLOPD, the following must be taken into account:

   1. In the security document of the person in charge of the file, said face-to-face access to personal data by outsiders must be recorded.

   2. The personnel in charge of the treatment must undertake to comply with the security measures provided for in said security document (preferably by signing a document in which they are informed of their obligations, which will be kept by the file manager).

   3. The implementation and control of security measures will be the responsibility of the person responsible for the file.

2. That the service is provided at the premises of the file manager, but requires remote access to personal data by the person in charge of treatment or the personnel who perform the provision. In this case, two situations can occur:

   1. That remote access to personal data entails their incorporation into systems or media other than those of the person responsible for the file. In this case, the person responsible for the file will answer for the measures implemented in the remote access system and the person in charge of the treatment will answer for the measures implemented in the systems or supports other than those of the person in charge, respecting, in any case, the security measures arranged by the person responsible for the file for remote access.

   2. That the incorporation of personal data into systems other than those of the person responsible for the file is not necessary for the provision of the service, in which case, and in accordance with the second paragraph of article 82.1 of the RLOPD, the following must be taken into account:

      1. The data protection clause of the contract must contain the prohibition of incorporating personal data into systems other than those of the person responsible for the file.

      2. In the security document of the person in charge of the file, said remote access to personal data by external personnel must be recorded.

      3. The personnel in charge of providing the service must undertake to comply with the security measures provided for in said security document (preferably by signing a document informing them of their obligations, which will be kept by the file manager).

      4. As in case a), the implementation and control of security measures will be the responsibility of the person responsible for the file.

3. That the service is provided in the own premises of the person in charge of the treatment, other than those of the person responsible for the file, in which case article 2 of the RLOPD would apply, which will mean that the person in charge of the treatment must prepare a security document in the terms required by the RLOPD or complete the one that has already been prepared, where appropriate, identifying the file or treatment that is the object of the provision and the person responsible for it, and incorporating the security measures to be implemented on said treatment.

 
