If you outsource the processing of personal details to a third party, this party will become a “data processor” within the meaning of the Personal Data Protection Act. Pursuant to this Act, a party responsible for storing data must enter into an agreement with a data processor regarding the manner in which the data processor is allowed to process the personal details. We gladly help you draw up your data processor agreements.

Why enter into a data processor agreement?

Many parties who require the processing of personal data use external data-processing service providers. “Data processing” is a comprehensive concept which includes everything from inspecting and recording data to updating and destroying them. The party processing the data on behalf of the data controller is regarded the data processor within the meaning of the Personal Data Protection Act. Pursuant to this Act, the party responsible for the data must enter into a data processor agreement with their data processor(s).

It should be noted that data processor agreements are not just a legal requirement, but they are a very useful tool. For instance, they allow organisations to sort out liability issues and enter into arrangements on the security of data processed on the processor’s premises. These agreements should also stipulate how processors are to act following a data leak, which is of great importance as, pursuant to the Data Leak Reporting Duty Act, the party responsible for the data will also be held liable for any data leaks which may occur at the data processor’s premises.

General Data Protection Regulation

Pursuant to the General Data Protection Regulation, a supervisory authority may impose a fine of up to €10 million or 2% of a company’s annual revenue in the event that a company does not have any agreements in place between the organisation responsible for the data and the party processing the data. Therefore, organisations should start to prepare for the coming into effect of this new Regulation. If your organisation, which is responsible for its data, plans to hire a new processor for its data processing, or if your organisation is about to renegotiate an existing data processing agreement, we advise you to include the requirements of the General Data Protection Regulation in the agreement.
For more information, consult our Data Processor Agreement Factsheet.

Want to know more?

Nathalie Falot

Senior Legal Consultant

Iris Tasevski

Legal Consultant