WHY DO I NEED AN AGREEMENT?
If your organization cooperates with other organizations that process personal data on your behalf, you need a processing agreement. This is required by the GDPR.
The data processing agreement governs the relation between the controller (the party commissioning the processing) and the processor (the party performing the processing).
There are lots of different processors that you should consider: cloud storage providers, outsourced services (like HR or maintenance services), marketing platforms, web hosting, etc. If these service providers process personal data on your behalf, you need a contract. This contract identifies the relationship between the parties, clarifies roles, responsibilities and mutual obligations, and avoids problems in the future.
A data processing agreement can also be a part of a general service agreement.
WHEN ARE DATA PROCESSED ON MY BEHALF?
Defining the relationship between organizations in terms of the GDPR can often be difficult. Generally, a controller is an organization that decides on the purposes and means of processing, and gains benefit from it. Therefore, the controller is ultimately responsible.
Processors only act on the instruction of controllers. If you use an electronic marketing platform to send newsletters to subscribers, you are the controller and the marketing platform is the processor.
Most of the bigger cloud IT providers have published data processor agreements on their websites, Like Microsoft, Google, Amazon, Succesfactors, Workday and Salesforce. But also Mailchimp, Klaviyo and Shopify published a data processor agreement. Only customers with significant revenue can have their own data processor agreement with these parties. Smaller companies often have no other choice than to accept the bigger party’s agreement. But that doesn’t mean you have to like it or lump on it. You can decide which personal data you process on which platform and which functions to use or not.
Some of these functions are provided by partners of these service providers. If you use this service on top of the main platform, you have to have a processor agreement with this partner as well.
WHAT SHOULD BE IN THE PROCESSING AGREEMENT?
The GDPR lists what must at least be covered by the data processing agreement. This includes:
- The type, duration, nature and purpose of processing is described, as well as the types of personal data and data subjects.
- The processor must implement appropriate technical and organizational security measures.
- The processor may only process personal data on documented instruction from the controller.
- Sub-contracting by the processor requires written authorization of the controller. The sub-processor must be held to the same obligations as the main processor and liability is with the main processor.
- Persons processing personal data must be committed to confidentiality.
- The processor is required to assist the controller with data subject request. This includes assistance with security measures and the handling of these requests.
- The same assistance is required for data breach notifications to authorities or data subjects, and for data protection impact assessments (DPIAs).
- The processor must delete or return all personal data after the end of the processing relation.
- The processor must provide evidence of compliance with the GDPR and the processing agreement, and must allow audits by the controller. The processor immediately informs the controller if it suspects an instruction does not comply with the GDPR.
HOW TO DRAFT THE AGREEMENT?
Drafting legally binding agreements is usually done by lawyers or other legal experts. This minimizes risks of non-compliance and liability. Since the ramifications of a bad contract can be big and may include governmental fines and penalties, we advise to be very careful.
The European Commission and some national data protection authorities have authorized standard contractual clauses that may be used. When using these, it is advisable to assess if they meet the specific demands of your data processing relation. Outside counsel may be required for this.
A good data processing agreement is in your own interest. It safeguards you from undesirable effects of using external partners for processing of personal data of your website visitors, customers, partners and employees.
Your first question is free of charge.
5349 AB Oss, The Netherlands
PO Box 228
5340 AE Oss, The Netherlands
Office: +31 (0)88 8483 100