As Podnar alluded to above, Google announced this spring that it would consider publishers using its DoubleClick for Publishers (DFP) advertising service platform as “co-controllers” who must obtain their approval on its behalf. Publisher groups backed down and said that Google designated compliance charges, did not get the consent of all types, as it uses the data it collects on publisher visitors, and involves them in that responsibility. 188.8.131.52 the transfer of personal data from the company by a contract subcontractor to a subcontractor or between two branches of a commercial subcontractor, at least where such transmission would be prohibited by data protection legislation (or by the conditions of data transfer agreements put in place to impose restrictions on data protection); (C) The parties are working to implement a data processing agreement in line with the requirements of the current legal framework for data processing and the 2016/679 European Parliament and Council 27 April 2016 on the protection of individuals in the processing of personal data and the free movement of personal data and repealing Directive 95/46/EC (General Data Protection Regulation). This data processing agreement is adapted by the DPA De ProtonMail which is on this page. Organizations can use the following document as part of their compliance with the RGPD. What fascinates me is that organizations compete to be categorized as processors (through a controller), because processors are more exposed after the RGPD than before under data protection authorities (data protection authorities). I am thinking in particular of the implementation of instructions for the processing of those responsible for the processing of data (Article 29), the immediate notification of incidents or data breaches to the person responsible for the processing (Article 33) and the support to those responsible for processing in the execution of their DPIAs (Article 35, which does not require subcontractors to provide assistance, but is probably considered required by those responsible for the processing). I expect them to ensure that the obligations arising from self-protection and cooperation agreements are (rather narrow!) with those responsible for processing in order to ensure compliance with the RGPD. The RGPD itself recognizes that two entities can be joint co-controllers or controllers when they both make high-level decisions about the use of data.