Data Processing

Oct 26, 2022

4 min read

Data processing agreement: GDPR and templates in the Netherlands

Data processing regulations in the EU are rather strict, so a company must prepare several documents and policies for its users

As regular internet users, people often handle their data on autopilot: consenting to cookies, submitting a form with contact details, and so on. We are so used to seeing these prompts that we do not waste a single minute before clicking the button.

But as a business owner, you cannot act this way. Your customers and employees trust you with their data, so you cannot simply hand it to somebody else on the net. When companies use third-party services to process personal data, they must conclude Data Processing Agreements.

This article explains how to stay in line with EU data protection rules without spending extra time on compliance issues.

What is a Data Processing Agreement

A data processing agreement (DPA) is a legal document that sets out the rights and obligations of the parties concerning the personal data that one party transfers to the other for processing.

The parties are called the Controller and the Processor (the service provider) respectively. A controller is a natural or legal person that determines the purposes and means of processing personal data, while a processor is an organization that carries out the processing on the controller's behalf.

Companies usually involve third parties to store, analyze, or communicate their customers' personal information; employees' information handled for payroll is another common case. So, before an external party carries out the processing of personal data on behalf of the company, the two conclude a DPA.

A DPA is not a novelty in data privacy. It replaced earlier agreements with the implementation of the EU General Data Protection Regulation (GDPR) in 2018. In the Netherlands, the document called the Bewerkersovereenkomst became the Verwerkersovereenkomst under the GDPR.

The GDPR introduced a stricter approach to contracts with data processors. If your company collects the personal data of EU citizens and passes it on to third-party service providers, you must have a written DPA with each of them.

The main thing is that a DPA contains the necessary provisions between a controller and a processor, answering the following questions:

what personal data you will process

how and for what purposes you will process the personal data

You have to include a detailed description of the purpose of the processing. A Controller normally gives instructions on how the data is to be processed, and the way the data is processed is described as well.

to which parties you may provide the personal data

If a Processor, in turn, provides the entrusted data to other parties (sub-processors), this must be stated. The DPA also establishes that those parties are subject to the same obligations as the Processor. Still, a Controller may need to sign separate DPAs with the sub-processors.

what security measures you have taken or will take to protect the stored data

The level of security measures must correspond to the sensitivity of the data provided. There are three types of personal data: regular personal data, special personal data, and criminal personal data.

Small businesses usually deal with the first type. Still, be careful if you provide a service to a medical organization, for example, and process patient files: data about a person's health is special personal data and therefore requires a higher level of protection.

how a Controller may carry out audits

how the data subject's rights are met

Along with the Controller, a Processor upholds the obligations concerning data subjects' rights. In particular, under the GDPR, European citizens have the right to access their personal data and to have it rectified if it is inaccurate or incomplete.

when and how the data will be deleted

Upon termination of the services, personal data must be returned or destroyed. You should agree, for example, on how to make certain that the data is deleted from every place it was stored, on when this will be done given that some services delete with a delay, and so on.

Two more clauses to include in the Processing Agreement concern support in reporting data breaches, and liability and indemnification with regard to fines from the regulatory authorities.

When Is DPA Required

The common cases in which a Data Processing Agreement is required are as follows:



The full list of services usually provided to a Dutch company by third parties is actually wide, starting with email clients and ending with website analytics software. The GDPR requires a DPA with almost every one of them.

In the Netherlands, exceptions are made only for using Nederlandse Spoorwegen (NS) and on-premise services. First, you do not need to conclude a DPA with the national train company so that your employees can commute by train.

Secondly, you do not need a DPA if your company uses on-premise services. Such software is installed in your own ICT environment and processes all the personal data there. However, on-premise solutions lose out to cloud services among SMEs, to a large extent because of their high costs.

Thus, an average company relying on many third-party services for data processing needs many DPAs. This results in tedious paperwork, but otherwise a business risks fines from the Autoriteit Persoonsgegevens (AP).

Draft your Processing Agreements from legally validated online templates. On Enty, you will find templates for a DPA and other common legal contracts. It takes 3-5 minutes to complete the online form and generate the document, and then you are ready to go!