A Data Processing Agreement contains written agreements on the processing of personal data by a Service provider or a Processor. Such agreements must be made before or when an external party carries out the processing of personal data within your organization.
This article will tell you more about the usefulness, necessity, and operation of the processing agreement.
Different roles in a processing agreement
When drawing up a processing agreement, the different roles must be taken into account. The two main roles are the Controller and the Processor. According to the GDPR and the UK Data Protection Act, a Controller is a person or organization that determines the purpose and means of the processing of personal data. This is usually the party that calls in a third party to process the personal data on its behalf.
In that case, the other party is called the Processor or (in the US and Canada) the Service Provider.
Examples of roles in a processing agreement
For example, a processing agreement can be drawn up between an organization that outsources its payroll administration and the external party that carries it out. In this case, the organization is the party responsible for the personal data, which makes it the Data Controller. The external party (the payrolling company) will only use the data to keep the payroll administration up to date and is therefore the Processor.
The content of the processing agreement
Now that we know which roles occur within a processing agreement, we can look at the content of the agreement. A processing agreement usually contains a detailed description of the purpose of the processing of personal data. In addition to the collection of personal data and its provision to the external party, the way in which the data is processed is also described.
Other agreements that should be included in the processing agreement are aimed at maintaining the confidentiality of the parties involved, the security measures taken, the duration of the processing, and agreements on liability in the event of the loss of personal data.
Guidelines for the storage and destruction of data
Once the processing agreement has been terminated, the data must be returned or destroyed. It is important to draw up guidelines for this and to lay them down in the processing agreement. Who will ensure that the data is deleted? When will this happen? How is the stored data destroyed? And so on. Because the data is shared with a third party, it will be stored in several places. It is important to map these out so that, once the purpose of the processing has been achieved, the data can be removed everywhere.
Getting started on drawing up a processing agreement
Now that it is clear how a processing agreement is drawn up, you can start working on one yourself. Identify which parties receive personal data through your organization, so that you can conclude a processing agreement with each of them. It is also important to examine whether you yourself may be acting as a processor for other parties.
A legally validated Processing Agreement is easily drafted with the Premium version of the Complianz plugin. In just a few minutes, the wizard helps you through the necessary steps and questions to compose the agreement. Read more about the features of Complianz Premium.