We often remind companies of the importance of data processor’s agreements. Yet, still a large number of companies remain unfamiliar with the topic or are unsure whether or not they actually need such an agreement. This is problematic, since the data processor’s agreement is legally required in the event personal data are processed by or on behalf of another party. Therefore, this blog post will shed light on the importance of the data processor’s agreement.
When you talk about personal data, data protection laws immediately come into play. These pieces of law determine not only what personal data is, but also how personal data should be handled and sum up a predefined number of purposes for which the data may be processed. The data processor’s agreement should also cover these areas.
For example, if you outsource your payroll administration, then in terms of the law you are deemed “controller” and the party to whom you outsource is the “processor”. In that case you as a controller are obliged to offer a data processer’s agreement, and should ensure that all the rules contained therein are observed and adhered to. However, this does not mean that the processor is not entitled to come forward with a data processor’s agreement himself. The controller remains first and foremost responsible and should also exercise due care to what is laid down in this agreement and whether or not that is sufficient to meet the requirements prescribed by law. On the other hand, if you have a party to install on premise software that will process personal data, then this does not automatically require a data processor’s agreement, at least to the extent that the software is not managed externally and remains within the company’s own IT environment.
When you let someone else process your personal data (in other words: the controller allows data to be processed by a processor), you should ensure that adequate security safeguards are in place. The level of protection should in this regard be proportionate to the sort of data processed. For example, processing taking place in the context of an electronic patient record requires a higher level of protection than processing in respect of a discount card from your local supermarket. It is also important to note that processing should only take place on behalf of the controller and in accordance with the rules contained in a data processer’s agreement. Therefore, as a processor you are not allowed to process the data at your own discretion, i.e. for purposes that have not been predefined or contravene the controller’s instructions. It is also the controller who must verify whether all this actually happens.
What should be included in a data processer’s agreement? The data processor’s agreement contains amongst other things the purposes for which the personal data may be processed, what security measures should be taken and where personal information is stored. Another crucial point that should not be left out is how parties deal with data breaches. It should be clear from the outset who is responsible and to whom those breaches should be reported.
Looking for a processer’s agreement? We are happy to announce that you can easily create your own via our legal document generators here. Should you wish to have your document reviewed or require customized work, don’t hesitate to contact us.