Data Processing Agreement: GDPR, Templates and Use Cases in the Netherlands

A data processing agreement (DPA) is a legal document that determines the rights and obligations of parties concerning the personal data that one party transfers to another one for processing.

Parties are called a Controller and a Service provider or a Processor respectively. A controller is a physical or legal person that establishes the purpose and means of processing personal data, while a processor is an organization that possesses the means to process the data.

Companies usually involve third parties to store, analyze, or communicate the personal information of their customers. Employees’ information for payroll can also be the case. So, before an external party will carry out the processing of personal data on behalf of the company, they conclude DPA.

A DPA is not a novelty in the data privacy policy. It replaced previous agreements with the implementation of the EU General Data Protection Regulation (GDPR) in 2018. In the Netherlands, the document called Bewerkersovereenkoms became Verwerkersovereenkomst under the GDPR.

The GDPR introduced a stricter approach to contracts with data processors. If your company collects the personal data of EU citizens and it comes out to third-party service providers, you must have a written DPA with all of them.

You have to put a detailed description of the purpose of the processing of personal data. A Controller normally gives instructions on how to process the data, and the way the data is processed is described as well.

If a Processor, in his turn, provides the trusted person's data to other parties, it should be mentioned. It’s also established in DPA that those parties are subject to the same obligations as the Processor. Still, a Controller may need to sign other DPAs with sub-processors.

The level of security measures must correspond to the depth of data provided. In fact, there are three types of personal data - just regular personal data, special personal data, and criminal personal data.

Small businesses usually deal with the first type of data. Still, be careful if you provide some service to a medical organization, for example, and process patient files. Data about a person’s health refers to special personal data, thus it requires a higher level of protection.

Along with a Controller, a Processor upholds the obligations concerning data subjects’ rights. In particular, under GDPR European citizens have the right to access personal data and rectify it if it’s inaccurate or incomplete.

Upon the termination of the services, personal data must be returned or destroyed. You should agree, for example, how to make certain that the data is deleted from each place it was stored in when it will be done given that some services have a delayed effect, and so on.

Two more paragraphs to be stated in the Processing agreement are about support in reporting any data breaches and liability and indemnifications with regard to fines from the Regulatory Authorities.

The common cases to create Data personal agreement are as follows:

Α full list of services usually provided to a Dutch company by third parties is actually wide starting with email clients and ending with website analytics software. The GDPR requires having DPAs with almost each of them.

Exceptions in the Netherlands are made only for using Nederlandse Spoorwegen (NS) and on-premise services. First, you don’t need to conclude DPA with a national train company so your employees come by train.

Secondly, you don’t need a DPA if your company uses on-premise services. Such software should be installed in your ICT environment and process all the personal data over there. However, an on-premise solution is inferior to cloud services among SMEs, to a large extent because of their high costs.

Thus, an average company relying on many third-party services in data processing needs many DPAs to be created. This eventually results in annoying paperwork, but otherwise, a business risks facing fines from Autoriteit Persoonsgegevens (AP).

Draft your Processing Agreements on the legally validated online templates. On Enty, you will find templates of a DPA and other common legal contracts. It takes 3-5 minutes to complete the online form and generate the document - then you’re ready to go!