Accounting for SMEs
Take care of all accounting reports for your company
Hire contractors and employees
with ease
Annual accounting reports
Take care of overdue or one-time
reports with Enty
Issue, send, and manage invoices with no limits
Create contracts in a matter 
of minutes and e-sign them
Use dozens of ways to sign and
co-sign contracts
VAT-related tools
Take care of all VAT problems
with our tools
All you need in one subscription
starting from
/ mo
Useful articles and guides on
managing your company
Become an affiliate
Fruitful affiliate program with
bonuses for each party
Enty HUB
Explore our clients, partner with
them, and get discounts
Invite a friend
Recommend Enty to your friends
and receive bonuses
I’m super happy with Enty!
Months before we started a company, we’d already been in touch with our future Enty account manager. Support is super nice and responsive. Keep up the good work Enty!
Andreas Reuter
Useful business glossary to help you
Get special discounts from our
35+ top partners
Enty’s Gift card
Give away Enty to your partners
on any holiday

Data Processing Agreement: GDPR, Templates and Use Cases in the Netherlands

Oct 26, 2022 · 4 min read

Don't miss new articles and discounts. Subscribe to our newsletter!
As regular internet users, people do often handle data on automatic - consent cookies, submit the form [with contact info], etc. We’re so used to seeing it that we waste no single minute clicking on the button.

But as a businessman, you cannot act this way. Your customers and employees trust you with their data so that you cannot just give it to somebody else on the net. When companies use third-party services to process personal data, they must conclude Processing Agreements.

This article will explain how to be in line with EU data protection rules and not spend extra time on compliance issues.

What is a Data Processing Agreement

A data processing agreement (DPA) is a legal document that determines the rights and obligations of parties concerning the personal data that one party transfers to another one for processing.

Parties are called a Controller and a Service provider or a Processor respectively. A controller is a physical or legal person that establishes the purpose and means of processing personal data, while a processor is an organization that possesses the means to process the data.

Companies usually involve third parties to store, analyze, or communicate the personal information of their customers. Employees’ information for payroll can also be the case. So, before an external party will carry out the processing of personal data on behalf of the company, they conclude DPA.
A DPA is not a novelty in the data privacy policy. It replaced previous agreements with the implementation of the EU General Data Protection Regulation (GDPR) in 2018. In the Netherlands, the document called Bewerkersovereenkoms became Verwerkersovereenkomst under the GDPR.

The GDPR introduced a stricter approach to contracts with data processors. If your company collects the personal data of EU citizens and it comes out to third-party service providers, you must have a written DPA with all of them.

The main thing is that a DPA contains necessary provisions between a controller and a processor answering the following questions:

  • what personal data you will process

  • how and for what purposes you will process the personal data

You have to put a detailed description of the purpose of the processing of personal data. A Controller normally gives instructions on how to process the data, and the way the data is processed is described as well.

  • to which parties you may provide the personal data

If a Processor, in his turn, provides the trusted person's data to other parties, it should be mentioned. It’s also established in DPA that those parties are subject to the same obligations as the Processor. Still, a Controller may need to sign other DPAs with sub-processors.

  • what security measures you have taken or will take to protect the stored data

The level of security measures must correspond to the depth of data provided. In fact, there are three types of personal data - just regular personal data, special personal data, and criminal personal data.

Small businesses usually deal with the first type of data. Still, be careful if you provide some service to a medical organization, for example, and process patient files. Data about a person’s health refers to special personal data, thus it requires a higher level of protection.

  • how a Controller may carry out audits

  • how the data subject's rights are met

Along with a Controller, a Processor upholds the obligations concerning data subjects’ rights. In particular, under GDPR European citizens have the right to access personal data and rectify it if it’s inaccurate or incomplete.

  • when and how the data will be deleted

Upon the termination of the services, personal data must be returned or destroyed. You should agree, for example, how to make certain that the data is deleted from each place it was stored in when it will be done given that some services have a delayed effect, and so on.
Two more paragraphs to be stated in the Processing agreement are about support in reporting any data breaches and liability and indemnifications with regard to fines from the Regulatory Authorities.

When Is DPA Required

The common cases to create Data personal agreement are as follows:
Α full list of services usually provided to a Dutch company by third parties is actually wide starting with email clients and ending with website analytics software. The GDPR requires having DPAs with almost each of them.
Exceptions in the Netherlands are made only for using Nederlandse Spoorwegen (NS) and on-premise services. First, you don’t need to conclude DPA with a national train company so your employees come by train.

Secondly, you don’t need a DPA if your company uses on-premise services. Such software should be installed in your ICT environment and process all the personal data over there. However, an on-premise solution is inferior to cloud services among SMEs, to a large extent because of their high costs.

Thus, an average company relying on many third-party services in data processing needs many DPAs to be created. This eventually results in annoying paperwork, but otherwise, a business risks facing fines from Autoriteit Persoonsgegevens (AP).

Draft your Processing Agreements on the legally validated online templates. On Enty, you will find templates of a DPA and other common legal contracts. It takes 3-5 minutes to complete the online form and generate the document - then you’re ready to go!

Related Articles

Don't miss new articles and discounts. Subscribe to our newsletter!
We use cookies to provide the best website experience. Explore notice.
We use cookies to provide the best website experience. Explore notice.
ideal logo
14772172 Tornimäe tn 5, 10145, Tallinn, Harju maakond Register №16080939
Developed with ❤️ by Entytech OÜ and Digirepresent Services OÜ (license № FIU000382)
We accept
mastercard logo
visa logo
facebook button
instagram button
linkedin button
Contact Us
enty logo
© 2020-2024 Entytech OÜ All rights reserved