The introduction of the obligation to report data leaks and a substantial expansion of the supervisory authority’s power to impose fines, have resulted in more and more organizations being aware of the laws and regulations in the field of personal data protection. Many organizations therefore now know that they are legally obliged to enter into a data processing agreement if they have personal data processed by another party.
In this document, attention will be paid to, among other things, the concept of ‘processing’ and the subjects that must be included in a data processing agreement. The differences between the Dutch Personal Data Protection Act (‘Wbp’) and the General Data Protection Regulations (‘GDPR’), which will apply from 25 May 2018, will also be indicated.
Terminology
A data controller is an organization or person who, alone or together with others, determines the purpose and means of processing personal data. A processor is the party that processes personal data on behalf of the controller.
In the following, we will refer to the controller, processor and data processing agreement.
Processing
Many organizations outsource certain parts of their business operations. These include payroll administration, sick leave systems, customer service or ICT. Organizations that (partly) take care of this part of the operations of the data controller are generally processors within the meaning of the GDPR and Wbp.
Processing has a very broad definition. This is the case, for example, when personal data are stored or requested, but also when personal data are collected, modified, consulted, protected or deleted. And in the case of processing by a processor, the parties are legally obliged to conclude a written data processing agreement.
Subjects of the data processing agreement
In a data processing agreement, the parties agree on the processing of personal data. Under the Wbp, organizations are only obliged to include three subjects in the data processing agreement, namely that:
- personal data may be processed only on the instructions of the controller;
- the processor complies with the security obligations incumbent on the controller under the WBP; and
- the processor complies with the controller’s obligations in the event of a data breach.
The GDPR describes in much more detail what should be included in the data processing agreement and also identifies many more subjects. Many of these issues are likely to be included in your current data processing agreement, but are not expected to be fully in line with the text of the GDPR. We therefore advise you to take another critical look at whether the following has been included in your current data processing agreement:
In the first place, a processor’s agreement should stipulate that personal data may only be processed by the processor on the basis of written instructions from the controller.
These written instructions will to a large extent be included in the processor’s agreement itself.
In addition, the processor shall ensure that the persons authorized to process personal data have undertaken to respect confidentiality.
In practice, the processor can fulfil this obligation by including a confidentiality clause in the employment contract or by having his employees sign a separate confidentiality agreement. This is not necessary if persons are already bound to confidentiality on the basis of a legal obligation (such as doctors).
Thirdly, the data processing agreement should provide that the processor takes sufficient appropriate technical and organizational security measures.
In assessing which security measures are appropriate, account should be taken, inter alia, of the state of the art, the cost of implementation, the nature, extent, context and the processing purposes. This means, for example, that stricter security measures will have to be implemented as personal data or special personal data relating to many individuals are processed.
The data processing agreement should also specify that a processor may not employ a sub-processor without the prior written consent of the controller and that a sub-processor will be subject to the same obligations for the processing of personal data as those applicable to the processor.
- Requests from data subjects
Fifthly, it should be laid down that the processor must assist the controller in fulfilling his duty to respond to requests from data subjects. This includes requests for access, correction, deletion and data portability.
The processor must also provide assistance to the controller when he wants to carry out a so-called Data Protection Impact Assessment or when a data leak has occurred that must be reported to the Data Authority and possibly to the data subjects. As such, this must also be provided for in the processing agreement.
Furthermore, the data processing agreement should provide that the processor, at the choice of the controller, deletes or returns all personal data and deletes existing copies at the end of the processing services.
Finally, the processor must make available to the controller all the information necessary to demonstrate compliance with his obligations under the GDPR. The processing agreement must also state that the processor must enable and contribute to audits, including inspections, by a controller (authorized controller).
We are very curious as to how major (cloud) suppliers will respond to this audit obligation. After all, for large companies such as Google and Amazon, it will be an unworkable situation if they have to cooperate in audits every now and then. Practice will have to prove this.