Data Processing Agreement for companies

The purpose of the processing

The Data Processing Agreement must contain information on how the Processor may process the personal data. The instructions vary depending on what the Processor is to do with the processing and why. For example, a Processor may be an accounting consultant, who receives personal data from the company. It may be for the purpose of managing the company’s accounting, for instance. It must then be clear that the personal data may only be processed for that purpose.

Instructions for processing

The agreement shall state that the Processor may only process the personal data in accordance with the instructions. The instructions shall be written in the agreement. And the processing must also follow the other rules within the  GDPR.

Assistance

The Processor shall also, at the request of the Controller, correct, delete or move personal data. And  also assist the Controller to fulfill his or her obligations under the GDPR. For example, the Processor must enable the Controller to fulfill all legal obligations under the GDPR. This includes, among other things, information about incidents to the Privacy Protection Authority and registered persons.

Confidentiality provision

The agreement must also include a confidentiality commitment. This means that the Processor and his staff must observe confidentiality regarding the processed personal data.

Technical and organizational security measures

The agreement shall state that the Processor shall implement systematic, organizational and technical measures. This has to be implemented, in order to ensure an appropriate level of security. Moreover, it shall be made taking into account the latest technology and costs in relation to the risk involved in the processing and the type of personal data to be protected.

Professional secrecy

The Processor may not respond directly to inquiries from data subjects regarding personal data. Nor disclose personal data to anyone else, without first informing the person responsible about this.

Obligations of the personal data controller

The agreement must also contain information about the Controller’s obligations. For example, it must be clear that the Controller is responsible for the accuracy of the personal data. It shall also be stated that the Controller has a legal basis for disclosing the personal data to the Processor. And that the Controller processes personal data in accordance with the GDPR.

Sub-Processors

It must be stated whether the Processor may hire other Sub-Processors or not. And for what purpose the Sub-processors are to be hired. For example, it may be for the Processor to be able to fulfill his contractual obligations to the Controller. The Controller has the right to refuse to a certain Sub-Processor and must give his approval before a Sub-Processor is hired by the Processor. 

If a Sub-Processor is to be hired, there must be an obligation for the Processor to enter into a written agreement also with the Sub-Processors. The agreement shall ensure that the Processor assumes responsibilities and obligations that at least correspond to the Processor‘s obligations under the agreement between the Processor and the Controller.

Audit and review

The Controller has the right to carry out an audit and review of the Processor’s compliance with the terms of the Data Protection Agreement. This is necessary in order to verify that the Processor fulfills his obligations under the agreement. The Processor shall provide all information required to prove that the obligations under the agreement are complied with. And the Processor shall also participate in a possible audit and provide the Controller the assistance needed for the implementation of such inspection.

Personal data breaches

The agreement shall contain provisions on breaches. And it shall be clear that the Processor is obliged to report all personal data breaches to the Controller, without undue delay. A report must contain specific information about the breach. For example, where and how it occurred, consequences, which categories of personal data and how many data subjects are affected by the breach. Also, measures taken, etc. This is important, since the Controller must report the breach to the Supervisory Authority. It must be made within 72 hours, when it is required by the GDPR. 

Processing of personal data after the termination of the agreement

The term of the agreement must be stated, as well as information about what is to happen to the personal data after the termination of the agreement. For example, that the Controller has the right to request that the personal data shall be returned, and that all copies shall be deleted. If the Processor needs to retain personal data after the contract period in accordance with applicable legislation, this may only be done with the same type of technical and organizational security measures as described in the contract.