
The data processor’s agreement: what’s in a name?

We often remind companies of the importance of data processor’s agreements. Yet a large number of companies remain unfamiliar with the topic or are unsure whether they actually need such an agreement. This is problematic, since the data processor’s agreement is legally required in the event personal data are processed by or on behalf of another party. Therefore, this blog post will shed light on the importance of the data processor’s agreement.

When you talk about personal data, data protection laws immediately come into play. These laws determine not only what personal data is, but also how personal data should be handled, and they sum up a predefined number of purposes for which the data may be processed. The data processor’s agreement should also cover these areas.

For example, if you outsource your payroll administration, then in terms of the law you are deemed the “controller” and the party to whom you outsource is the “processor”. In that case you as a controller are obliged to offer a data processor’s agreement, and should ensure that all the rules contained therein are observed and adhered to. However, this does not mean that the processor is not entitled to come forward with a data processor’s agreement himself. The controller remains first and foremost responsible and should also exercise due care regarding what is laid down in this agreement and whether or not that is sufficient to meet the requirements prescribed by law. On the other hand, if you have a party install on-premise software that will process personal data, then this does not automatically require a data processor’s agreement, at least to the extent that the software is not managed externally and remains within the company’s own IT environment.

When you let someone else process your personal data (in other words: the controller allows data to be processed by a processor), you should ensure that adequate security safeguards are in place. The level of protection should in this regard be proportionate to the sort of data processed. For example, processing taking place in the context of an electronic patient record requires a higher level of protection than processing in respect of a discount card from your local supermarket. It is also important to note that processing should only take place on behalf of the controller and in accordance with the rules contained in a data processor’s agreement. Therefore, as a processor you are not allowed to process the data at your own discretion, i.e. for purposes that have not been predefined or that contravene the controller’s instructions. It is also the controller who must verify whether all this actually happens.

What should be included in a data processor’s agreement? The data processor’s agreement contains, amongst other things, the purposes for which the personal data may be processed, what security measures should be taken and where personal information is stored. Another crucial point that should not be left out is how parties deal with data breaches. It should be clear from the outset who is responsible and to whom those breaches should be reported.

Looking for a processor’s agreement? We are happy to announce that you can easily create your own via our legal document generators here. Should you wish to have your document reviewed or require customized work, don’t hesitate to contact us.

Philip van der Weijde

Legal advisor
Philip works as a legal advisor at ICTRecht and is part of the cloud team, which mainly focuses on cloud computing. Philip advises customers on producing and reviewing various ICT contracts. In addition, he helps customers with negotiations about complex ICT contracts, guiding both the purchaser and the supplier.
