Please note! This will generate a English document. Please click here for the Dutch version.
Why do I need a data processing agreement?
When a company is hiring another party to process personal data on its behalf, you are legally required to make contractual arrangement on certain aspects of the processing. In the data processing agreement, the parties establish for what purposes personal data may be processed by the data processor (the party that is hired), which security meausures the processor should take, as well as how the data owner (the data controller) may monitor the processor.
Strictly speaking, the data processing agreement should be a separate document, such as an Annex to a purchase agremeent, but in practice it is often sufficient to include an article in another agremeent that includes provisions on the data processing.
You have a web shop and you store all customer data using cloud services from a hosting provider. In such case, you outsource the data processing to the hosting provider, who will be the data processor in this case. You are the data controller in this case: you determine the purposes for which the personal data are collected and used. In a data processing agreement with the hosting provider, you lay down arrangements for the processing of the personal data.
What does this data processing agreement cover?
The data processing agreement sets out the obligations of the processor and the processing activities that are allowed, as well as the way in which the data controller may monitor these.
A data processing agreement covers at least the following aspects:
- Purposes of the processing
- Obligations of the data processor
- Any transfer of personal data to third countries
- Guarantees from both parties about compliance with the law
- Security of personal data by the data processor
- Processor's obligation to notify data breaches to the data controller
- Handling of requests by data subjects (individuals whom the data relate to)
- Ownership of the personal data
- Indemnities for claims of data subjects and third parties (such as authorities)
- Duration, renewal and termination
- Changes of the dat processing agreement
This document has been drafted in accordance with the new privacy regulation: the General Data Protection Regulation, that came into effect on May 25, 2018.