
Overview of PASERO's personal data handling

When you visit the website, PASERO-MI Ltd. collects Personal Data on its visitors and registered users. We don’t sell your Personal Data to anybody. Read this quick overview, or the full privacy policy for details:

Registration and billing

- To provision you the service
  • Personal data: name, email address, billing information
  • Third Parties used: Amazon Web Services, ProtonMail, online payment & accounting service provider, accountant
  • Retention: 8 years if required by law

Visitors and cookies

- For user experience & statistics
  • Personal data: IP, browser info, webpage usage information
  • Third Parties used: Amazon Web Services, Google Analytics
  • Retention: 90 days

Content

- Personal data you might upload when using the service
  • Personal data: contract signatories and contacts, name and email address of users, e-mail address of your customers, free text within comments and descriptions
  • Third Parties used: Amazon Web Services
  • Retention: for as long as you have an account

Rights and questions

  • Rights regarding Personal Data for Registered users

PASERO contact information

- If you have any questions
  • PASERO-MI Ltd.
  • H-1221 Budapest, Ady Endre ut 87, Hungary
  • privacy@pasero.me

How to manage your data processors and what is the meaning of DPA?

(Updated with information on VCDPA on 19th March, 2021)

For a long time experts have warned about supply-chain and supplier risk. Vendor and third-party management practices, previously seen as elements of a mature security governance program, have become standard elements of new data protection law. But are organizations actually aware of the newly introduced requirements? We summarize the relevant regulations and the requirements to look out for.

One concept, multiple names

All four regulations we are going to look at contain the concept of a written agreement with the suppliers you share personal data with. The actual terms used to name the parties and the agreement, however, differ.

Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)

The most widely known data protection terms, which we will use throughout this article, come from the GDPR. Here, data controllers share personal data with data processors. This exchange of personal data needs to be governed by a contract, referred to as a data processing agreement or addendum (DPA). In addition to the DPA, the GDPR talks about technical and organizational measures (TOMs), which are either incorporated into the DPA or form a separate document.

California Consumer Privacy Act of 2018 (CCPA)

The CCPA defines service providers as entities that process personal information on behalf of a business for a specific business purpose. The sharing of personal information needs to happen pursuant to a written contract. Usually this contract is likewise referred to as a DPA, but sometimes it is part of the service agreement or a service provider addendum.

Virginia Consumer Data Protection Act of 2021 (VCDPA)

A processor, according to the VCDPA, is a natural or legal entity processing personal data on behalf of a controller. The processor's data processing shall be governed by a binding contract that contains clear instructions on the processing done on behalf of the controller.

Singapore's Personal Data Protection Act 2012, No. 26 of 2012 (PDPA)

Singapore enacted a comprehensive data protection law back in 2012 and has recently updated it. The PDPA uses the term data intermediary for cases where an organisation involves another organisation in the processing of personal data. Data intermediaries are exempt from some of the requirements of the PDPA if their processing is pursuant to a contract. An additional guideline, the Guide on Data Protection Clauses for Agreements relating to the Processing of Personal Data (2016), contains Sample Data Protection Clauses (SDPC) to be included in the service agreement.

The essential requirements according to data protection law

While phrased differently by the individual laws we are analyzing here, the core requirements are very similar. They can therefore be met by applying one generalized process across jurisdictions. In addition to the core requirements called out in the law, there are guidance documents and best practices that will also shape your vendor management.

Comply with data protection regulation (GDPR Art.28(1), CCPA 1798.140(w)(2)(A)(ii), VCDPA 59.1-575.(C), PDPA SDPC 2.1)

The first requirement of any data protection law is to guarantee that anyone receiving personal data under that law understands and follows it. While the specific responsibilities of a supplier may be lighter under the law, the supplier still has to abide by a number of requirements, and these need to be called out in its DPA.

Follow instructions set out in agreement (GDPR Art.28(3)(a), CCPA 1798.140(v), VCDPA 59.1-575.(B), PDPA SDPC 2.2(a)):

Data processors are required to keep the received personal data confidential and to process it only as needed to provide the services under the agreement and as put in writing in the DPA. Sometimes "documented instructions" is interpreted to mean the whole of the functionality available through the supplier's configuration interface, as set up by the user. The only exception to this requirement is data processing that the supplier needs to carry out to meet its own legal obligations.

Technical and organizational measures to safeguard personal data (GDPR Art.28(1), CCPA 1798.140(v), VCDPA 59.1-575.(A)(2), PDPA SDPC 2.4):

New data protection regulations have raised the security requirements surrounding personal data. These include requirements for technical protection, such as the circumstances in which encryption is needed, as well as organizational measures, such as regular testing and incident response. While the CCPA does not specifically call out these requirements for suppliers, it does say that service providers become liable if they do not follow the instructions of the agreement, and so the CCPA motivates businesses to introduce such requirements. Additionally, security breach requirements remain in force in California, and the new California Privacy Rights Act (CPRA Section 4) will introduce security clause requirements into DPAs.

Retention (GDPR Art.28(3)(g), CCPA 1798.140(v), VCDPA 59.1-575.(B)(2), PDPA SDPC 2.7):

As a natural consequence of only being allowed to use personal data according to the instructions of the agreement, personal data needs to be deleted or returned at the end of the service period. As returning the data can be a burdensome process, most agreements already include the option of deletion, but access and export capabilities during the service period are increasingly expected.

Subprocessing and supply chain requirements

As we've seen, suppliers need to adhere very strictly to the instructions set out in their DPAs to avoid being exposed to stricter data protection compliance requirements. This often includes a requirement for the supplier to disclose its own supply-chain list and to refrain from changing that list without the acknowledgement of the data controller, i.e. the customer (GDPR Art.28(2), CPRA 1798.140(ag)(2)). It is also the supplier's obligation to ensure that all members of the supply chain follow the same rules as those set out between the supplier and its customer (GDPR Art.28(4), VCDPA 59.1-575.(B)(5), PDPA SDPC 2.4.2).

Do you know the supply-chain?

As including a new supplier in the supply chain can be considered a change to the service, the DPA should contain clear instructions on how such changes are communicated to customers, what action is expected from them (silent acknowledgement with the possibility to object, active acknowledgement, consent, etc.), and what obligations the supplier has if a customer does not approve of the change. As these requirements propagate down the supply chain, we enter the area of fourth-party management.

How does PASERO help meet data controller and processor responsibilities?

Whether you are a data controller or a data processor, the above requirements mean that you will have to maintain a number of DPAs. Preferably these DPAs set out the same requirements across your business relations, but often you will simply have to accept the terms given to you. PASERO provides three essential tools that help you stay on top of these DPAs:

  • Decrease time to compliance: With our database of top suppliers and instructions on how to get DPAs signed, you can quickly meet the requirement of a written agreement and have all relevant information in one place when needed.
  • Automate supply-chain disclosure requirements: As soon as you select a supplier within PASERO, we can automatically generate an HTML page to be included in your privacy policy, an RSS feed to be shared with your customers, and email notifications of the changes. If all your customers accept the change, you are already done.
  • Get an overview of your DPA terms (coming): Unfortunately, it is rarely the case that all DPAs have the same terms on all topics. PASERO can support your business decisions by showing you a comparison of the key differences.
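The disclosure workflow above, as an added example that is not PASERO's code: a small Python script that keeps the subprocessor list as JSON, diffs two versions of it, and renders the notice a customer would receive (including the objection deadline for a DPA that grants general authorisation with a right to object) as an RSS item. The JSON layout, the 30-day objection window, the sample suppliers and the feed URL are assumptions for illustration, not terms from any real agreement.

```python
"""Track a subprocessor list and emit the change notice a DPA requires.

Added example, not PASERO's code. Assumptions (hypothetical): the list is
kept as a JSON array of {name, purpose, location}; the DPA grants a general
authorisation with a 30-day objection window; the feed URL is a placeholder.
"""
import json
from datetime import date, timedelta
from xml.etree import ElementTree as ET

OBJECTION_DAYS = 30  # assumed DPA term, not taken from any real agreement
FEED_URL = "https://example.invalid/subprocessors.xml"  # placeholder

# Constructed sample data: the list before and after a change.
PREVIOUS = json.loads("""[
  {"name": "Amazon Web Services", "purpose": "hosting", "location": "EU (Frankfurt)"},
  {"name": "Google Analytics", "purpose": "web statistics", "location": "US"}
]""")
CURRENT = json.loads("""[
  {"name": "Amazon Web Services", "purpose": "hosting", "location": "EU (Frankfurt)"},
  {"name": "ProtonMail", "purpose": "transactional e-mail", "location": "Switzerland"}
]""")


def diff_subprocessors(previous, current):
    """Compare two versions of the list, keyed by supplier name.

    Returns (added, removed, changed); 'changed' holds (old, new) pairs whose
    purpose or location moved, which is also something customers must hear about.
    """
    prev = {s["name"]: s for s in previous}
    cur = {s["name"]: s for s in current}
    added = [cur[n] for n in cur if n not in prev]
    removed = [prev[n] for n in prev if n not in cur]
    changed = [(prev[n], cur[n]) for n in cur if n in prev and cur[n] != prev[n]]
    return added, removed, changed


def build_notice(previous, current, published, objection_days=OBJECTION_DAYS):
    """Turn a diff into the notice to send to customers.

    Only additions and replacements open an objection window; a plain removal
    is informational. Returns None when nothing changed, so callers never
    send an empty notice.
    """
    added, removed, changed = diff_subprocessors(previous, current)
    if not (added or removed or changed):
        return None
    items = [f"Added: {s['name']} ({s['purpose']}, {s['location']})" for s in added]
    items += [f"Removed: {s['name']}" for s in removed]
    items += [f"Changed: {o['name']}: {o['purpose']}/{o['location']} -> "
              f"{n['purpose']}/{n['location']}" for o, n in changed]
    deadline = published + timedelta(days=objection_days) if (added or changed) else None
    return {
        "published": published.isoformat(),
        "objection_deadline": deadline.isoformat() if deadline else None,
        "items": items,
    }


def notice_to_rss(notice, feed_url=FEED_URL):
    """Render a notice as a one-item RSS 2.0 feed that customers can poll."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = "Subprocessor changes"
    ET.SubElement(channel, "link").text = feed_url
    ET.SubElement(channel, "description").text = "Notices under the data processing agreement"
    item = ET.SubElement(channel, "item")
    ET.SubElement(item, "title").text = f"Subprocessor list updated {notice['published']}"
    body = "\n".join(notice["items"])
    if notice["objection_deadline"]:
        body += f"\nObjections accepted until {notice['objection_deadline']}."
    ET.SubElement(item, "description").text = body
    return ET.tostring(rss, encoding="unicode")


# Sample run on the constructed data (publication date chosen arbitrarily).
SAMPLE_NOTICE = build_notice(PREVIOUS, CURRENT, date(2021, 3, 19))

if __name__ == "__main__":
    print(json.dumps(SAMPLE_NOTICE, indent=2))
    print(notice_to_rss(SAMPLE_NOTICE))
```

The same diff can feed an HTML page for the privacy policy or an e-mail; the point is that the list is kept as data under version control, so every change is detectable, dated, and tied to the objection window the DPA specifies. Whether silence counts as acknowledgement, or an active confirmation is needed, is a contract term and should be read from the DPA rather than hard-coded.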

Get a demo!

Book a demo and let us show you how we can take the burden of managing your data processing agreements off your hands and help you meet data protection regulatory compliance.
