Data Processing Agreement for companies
If a personal data Controller discloses personal data to a personal data Processor, the parties must enter into a Data Processing Agreement. A Data Processing Agreement contains provisions on the Processor's processing of personal data on behalf of the Controller.
According to Article 28 of the GDPR, every personal data controller must enter into a data processing agreement with each personal data processor with whom it shares personal data. The agreement regulates the Processor's processing of personal data on behalf of the Controller.
For example, a company may share personal data with an accounting consultant, a business systems provider, a cloud service provider or many other service providers. Such service providers thereby act as personal data processors.
The purpose of a Data Processing Agreement
The purpose is to ensure that the Processor processes the personal data in accordance with the GDPR. The personal data may only be processed in accordance with the Controller's instructions, and those instructions must be stated in the agreement.
Through the agreement, both the Controller and the Processor undertake to comply with the GDPR during the processing. According to the GDPR, the agreement must be in writing in order to be valid.
Content of a Data Processing Agreement
The purpose of the processing
The Data Processing Agreement must contain information on how the Processor may process the personal data. The instructions vary depending on what the Processor is to do with the data and why. For example, the Processor may be an accounting consultant who receives personal data from the company for the purpose of managing the company's accounting. It must then be clear that the personal data may only be processed for that purpose.
Instructions for processing
The agreement shall state that the Processor may only process the personal data in accordance with the instructions, and the instructions shall be written into the agreement. The processing must also follow the other rules of the GDPR.
At the request of the Controller, the Processor shall also correct, delete or move personal data, and shall assist the Controller in fulfilling its obligations under the GDPR. For example, the Processor must enable the Controller to fulfill all of its legal obligations under the GDPR, which include, among other things, informing the Privacy Protection Authority and the data subjects about incidents.
The agreement must also include a confidentiality commitment. This means that the Processor and its staff must observe confidentiality regarding the personal data they process.
Technical and organizational security measures
The agreement shall state that the Processor shall implement systematic, organizational and technical measures in order to ensure an appropriate level of security. These measures shall be chosen taking into account the latest technology and the costs of implementation in relation to the risk involved in the processing and the type of personal data to be protected.
The Processor may not respond directly to inquiries from data subjects regarding their personal data, nor disclose personal data to anyone else, without first informing the Controller.
Obligations of the personal data controller
The agreement must also contain information about the Controller's obligations. For example, it must be clear that the Controller is responsible for the accuracy of the personal data. It shall also be stated that the Controller has a legal basis for disclosing the personal data to the Processor, and that the Controller processes personal data in accordance with the GDPR.
It must be stated whether the Processor may engage Sub-Processors and, if so, for what purpose; for example, so that the Processor can fulfill its contractual obligations to the Controller. The Controller has the right to object to a particular Sub-Processor and must give its approval before the Processor engages a Sub-Processor.
If a Sub-Processor is to be engaged, the Processor must be obliged to enter into a written agreement with the Sub-Processor as well. That agreement shall ensure that the Sub-Processor assumes responsibilities and obligations that at least correspond to the Processor's obligations under the agreement between the Processor and the Controller.
Audit and review
The Controller has the right to audit and review the Processor's compliance with the terms of the Data Processing Agreement. This is necessary in order to verify that the Processor fulfills its obligations under the agreement. The Processor shall provide all information required to demonstrate that the obligations under the agreement are being complied with, shall take part in any audit, and shall give the Controller the assistance needed to carry out such an inspection.
Personal data breaches
The agreement shall contain provisions on breaches, and it shall be clear that the Processor is obliged to report all personal data breaches to the Controller without undue delay. A report must contain specific information about the breach: for example, where and how it occurred, its consequences, which categories of personal data and how many data subjects are affected, and the measures taken. This is important because the Controller must report the breach to the Supervisory Authority within 72 hours where the GDPR requires it.
Processing of personal data after the termination of the agreement
The term of the agreement must be stated, together with what is to happen to the personal data after the agreement ends. For example, the Controller may have the right to request that the personal data be returned and that all copies be deleted. If the Processor needs to retain personal data after the contract period in accordance with applicable legislation, this may only be done under the same type of technical and organizational security measures as described in the contract.
News about GDPR and reviews from supervisory authorities
In addition to this information, you can also read our GDPR summary and the various GDPR news items on this website, for example about audits carried out by Supervisory Authorities and the administrative fines they impose. By learning from the mistakes of others, it is possible to avoid making similar mistakes yourself. You can also find guides and other information that is important and useful to know as an entrepreneur.
Summary of the GDPR for Companies, Entrepreneurs and Businesses
There is a lot of information about the GDPR that is important for companies, entrepreneurs and businesses to know. We have therefore written a GDPR Summary that covers the various key elements and provides an overview of the GDPR, what it means and what companies must do to comply with the EU regulation.