The GDPR sets minimum requirements for what a processor agreement must contain.
What is a processor agreement?
A processor agreement is a contract concluded with a processor. A processor is an external supplier or service provider to which an organization outsources operations (the legal term is "processing") on personal data. Examples of such operations are storing, consulting, altering, erasing and transmitting personal data.
A processor agreement lays down which operations on personal data the processor may carry out on behalf of the client (the legal term is "controller").
What does the GDPR say about processor agreements?
The GDPR stipulates that a controller may only engage processors that provide sufficient guarantees that they have implemented "appropriate technical and organizational measures", so that the processing meets the requirements of the GDPR and the rights of the persons whose personal data are processed (the data subjects) are protected.
What must a processor agreement contain at a minimum?
A processor agreement must at least include the following provisions:
- A description of the processing by the processor, including the duration of the processing, the nature and purpose of the processing, the types of personal data being processed, and the categories of data subjects whose personal data are being processed.
- Authorization for engaging sub-processors. If the processor outsources operations on the personal data to other processors (sub-processors, usually subcontractors of the processor), the client (controller) must give prior specific or general written authorization for this. If general authorization is given, the processor must inform the client of any intended addition or replacement of sub-processors and give the client the opportunity to object.
- Imposing the same obligations on sub-processors. The processor must impose on any sub-processor it engages at least the same obligations that the client imposes on the processor.
- Acting only on the client's instructions. The processor may only process the personal data on documented instructions from the client. That is, the processor may only carry out the operations needed to deliver the services it performs for the client, and may not independently decide what happens to the personal data.
- Taking appropriate measures to protect personal data. Securing personal data is one of the processor's most important tasks. The processor agreement must state that the processor implements "appropriate technical and organizational measures" to protect the personal data. The Dutch Data Protection Authority stipulates that the security measures themselves must also be described in the processor agreement.
- Ensuring confidentiality of staff. The processor must ensure that the persons who process the personal data under its authority are bound to confidentiality with regard to those data, either by contract or under a statutory or professional duty of confidentiality.
- Assisting the client with its obligations. The processor agreement must state that the processor, by means of "appropriate technical and organizational measures" and insofar as possible, assists the client in responding to requests from data subjects, in securing the personal data, in reporting data breaches, in carrying out data protection impact assessments (DPIAs) and, where necessary, in prior consultation of the supervisory authority (in the Netherlands, the Dutch Data Protection Authority).
- Returning or deleting personal data. At the end of the service, the processor must, at the client's choice, delete the personal data or return them to the client, and delete any remaining copies, unless the law requires the processor to retain the data.
- Allowing audits and providing information to the client. The processor must make available to the client all information necessary to demonstrate that it complies with its obligations under the processor agreement, and must allow for and contribute to audits, including inspections, conducted by the client or an auditor mandated by the client.
