For the purpose of Data Protection laws, CAST is the Data Controller and digital partners act as Data Processor, unless otherwise agreed.
A data processor is a person, agency or other body which processes personal data on behalf of a data controller (e.g. an agency developing a piece of research for CAST). Processors act on behalf of a controller and under their authority.
Digital partners will be responsible for all the acts or omissions of any sub-data processor. For example, if a digital partner hires a sub-contractors to manage a database of information belonging to CAST, and the data is unlawfully shared by the subcontractor, then the digital partner will be responsible for any losses or litigation that result from it.
We already have a mutual NDA in place with our organisation that covers the items in the Data Sharing Agreement (DSA) and more. Do we still require to sign the DSA? Answer: We asked the digital partner to set up a DSA from the outset with their charities and provided a document as a template that could be edited
If you already have a NDA in place that safeguards data handling in line with GDPR, lists how data will be stored and managed and specifies roles in data ownership and processing, you will not require to also sign a DSA.
We work with a sub contractor, how does this impact on the DSA? Answer: Within our contract we state that Contractors should ensure sub contractors undertake the same conditions as set out in our agreements.
Which parties will be included in the DSA? Answer: The Data Sharing Agreement is between the agency and the charity/organisation – so it is the data being shared between these parties.