Blog
Hire contractors and employees with ease
HR
Create contracts in
a matter of minutes
Contracts
Issue and send invoices with
no limits. Manage them with ease
Invoicing
Take care of all accounting reports for your company
Accounting for SMEs
VAT-Related Tools
Take care of all VAT
problems with our tools
Blog
Register your trademark with ease
Trademark Registration
Start your company
with ease on Enty
Register a Company
Take care of overdue or one-time reports with Enty
Accounting Reports
I liked the idea of cooperating with friends, young company and I decided to move forward with you.
And I'm totally satisfied, honestly. You were doing follow-ups and helping me with everything all the time.
Meet our customer!
Let’s grow together!
Become a Partner
Explore useful articles and guides on managing your company
Blog
Samantha Asensi
Useful business glossary to help you
Glossary
Recommend Enty to your friends and receive bonuses from Enty
Invite a Friend
Find out what our
clients are doing
Enty Hub
Rewards
Explore discounts and offers from Enty’s partners

Data Processing Agreement: GDPR, Templates and Use Cases in the Netherlands

Oct 26, 2022 · 4 min read

Don't miss new articles and offers. Subscribe to our newsletter!
As regular internet users, people do often handle data on automatic - consent cookies, submit the form [with contact info], etc. We’re so used to seeing it that we waste no single minute clicking on the button.

But as a businessman, you cannot act this way. Your customers and employees trust you with their data so that you cannot just give it to somebody else on the net. When companies use third-party services to process personal data, they must conclude Processing Agreements.

This article will explain how to be in line with EU data protection rules and not spend extra time on compliance issues.

What is a Data Processing Agreement

A data processing agreement (DPA) is a legal document that determines the rights and obligations of parties concerning the personal data that one party transfers to another one for processing.

Parties are called a Controller and a Service provider or a Processor respectively. A controller is a physical or legal person that establishes the purpose and means of processing personal data, while a processor is an organization that possesses the means to process the data.

Companies usually involve third parties to store, analyze, or communicate the personal information of their customers. Employees’ information for payroll can also be the case. So, before an external party will carry out the processing of personal data on behalf of the company, they conclude DPA.
A DPA is not a novelty in the data privacy policy. It replaced previous agreements with the implementation of the EU General Data Protection Regulation (GDPR) in 2018. In the Netherlands, the document called Bewerkersovereenkoms became Verwerkersovereenkomst under the GDPR.

The GDPR introduced a stricter approach to contracts with data processors. If your company collects the personal data of EU citizens and it comes out to third-party service providers, you must have a written DPA with all of them.

The main thing is that a DPA contains necessary provisions between a controller and a processor answering the following questions:

  • what personal data you will process

  • how and for what purposes you will process the personal data

You have to put a detailed description of the purpose of the processing of personal data. A Controller normally gives instructions on how to process the data, and the way the data is processed is described as well.

  • to which parties you may provide the personal data

If a Processor, in his turn, provides the trusted person's data to other parties, it should be mentioned. It’s also established in DPA that those parties are subject to the same obligations as the Processor. Still, a Controller may need to sign other DPAs with sub-processors.

  • what security measures you have taken or will take to protect the stored data

The level of security measures must correspond to the depth of data provided. In fact, there are three types of personal data - just regular personal data, special personal data, and criminal personal data.

Small businesses usually deal with the first type of data. Still, be careful if you provide some service to a medical organization, for example, and process patient files. Data about a person’s health refers to special personal data, thus it requires a higher level of protection.

  • how a Controller may carry out audits

  • how the data subject's rights are met

Along with a Controller, a Processor upholds the obligations concerning data subjects’ rights. In particular, under GDPR European citizens have the right to access personal data and rectify it if it’s inaccurate or incomplete.

  • when and how the data will be deleted

Upon the termination of the services, personal data must be returned or destroyed. You should agree, for example, how to make certain that the data is deleted from each place it was stored in when it will be done given that some services have a delayed effect, and so on.
Two more paragraphs to be stated in the Processing agreement are about support in reporting any data breaches and liability and indemnifications with regard to fines from the Regulatory Authorities.

When Is DPA Required

The common cases to create Data personal agreement are as follows:
Α full list of services usually provided to a Dutch company by third parties is actually wide starting with email clients and ending with website analytics software. The GDPR requires having DPAs with almost each of them.
Exceptions in the Netherlands are made only for using Nederlandse Spoorwegen (NS) and on-premise services. First, you don’t need to conclude DPA with a national train company so your employees come by train.

Secondly, you don’t need a DPA if your company uses on-premise services. Such software should be installed in your ICT environment and process all the personal data over there. However, an on-premise solution is inferior to cloud services among SMEs, to a large extent because of their high costs.

Thus, an average company relying on many third-party services in data processing needs many DPAs to be created. This eventually results in annoying paperwork, but otherwise, a business risks facing fines from Autoriteit Persoonsgegevens (AP).

Draft your Processing Agreements on the legally validated online templates. On Enty, you will find templates of a DPA and other common legal contracts. It takes 3-5 minutes to complete the online form and generate the document - then you’re ready to go!

Related Articles


Don't miss new articles and offers. Subscribe to our newsletter!
We use cookies to provide the best
website experience. Learn more.
Accept all cookies
We use cookies to provide the best website experience. Learn more.
Accept all cookies
Subscription
Netherlands
One-Time Services
© 2020-2022 Entytech OÜ All rights reserved
Extra
+372 5911 1088
Contact Us
Explore
We accept
Developed with ❤️ by Entytech OÜ and Digirepresent Services OÜ (license № FIU000382)
14772172 Tornimäe tn 5, 10145, Tallinn, Harju maakond Register №16080939