While the EDPB did issue a guide on technical and organizational measures to help companies make international data transfers compliant, at first glance these measures look impractical. A ruling in France in relation to the use of Amazon Web Services and Schrems II does provide hope.
A good data processor relationship can be mutually beneficial for many years. As the preparation and integration of the DPA into the main agreement has a significant impact on the future collaboration of the parties, it should not be treated as a checklist item.
Technical and organizational measures (TOM) for protecting personal data need to be part of the agreements that regulate data sharing. These documents are called TOMs and their content can vary significantly based on the maturity of the particular organization's security programs. But what are the most common areas?
Vendor and third-party management practices have become standard elements of the data protection requirements. We summarize the relevant regulations and requirements to look out for when drafting data processing agreements.