Since the introduction of the GDPR, various parties have been obliged to draw up a processing agreement. This agreement contains written agreements on the processing of personal data. Such agreements must be made, among other things, at the moment that the processing of personal data within your organization is carried out by an external or third party.
In this article, we will tell you more about the usefulness, necessity, and operation of the processing agreement. The importance of drawing up a processing agreement is demonstrated by the fact that the penalties for the absence of this agreement can amount to EUR 10 million. An alternative fine is 2% of an organization’s worldwide turnover.
Different roles in a processing agreement.
When drawing up a processing agreement, different roles must be taken into account. For example, there is a controller and a processor. By controller, we mean the person who determines the purpose and means of processing personal data. This often involves the party that calls in a third party to actually process these personal data.
In this case, the other party shall be the processor. You could define the processor as the person who processes personal data on behalf of a responsible organization or person.
Examples of roles in a processing agreement
For example, a processing agreement can be drawn up between an organization that outsources its payroll administration to an external party. In this case, the organization is the party that collects and transmits personal data. This means that the organization is the data controller. The external party will only use the data to update the payroll administration and is thus the processor.
The content of the processing agreement.
Now that we know what roles can be returned within the processing agreement, we can look at the content of this agreement. A processing agreement often contains a detailed description of the purpose of the processing of personal data. In addition to the purpose of collecting and providing personal data to a third party, the way in which the data are processed is also described.
Other agreements that should be included in the processing agreement are aimed at maintaining the confidentiality of the parties involved, the security measures that are taken, the duration of the processing, and agreements on liability in the event, for example, of the loss of personal data.
Guidelines for the storage and destruction of data
Once the processing agreement has been terminated, the data must be destroyed. It is important to draw up guidelines for this and to lay them down in the processing agreement. Who will ensure that the data is deleted? When is this going to happen? How is the stored data destroyed? And so on. Because the data is shared with a third party, it will be stored in different places. It is important to map this out, in order to be able to remove the data from the processing contract everywhere after the targets have been achieved.
Getting started on drawing up a processing agreement.
Now that it has become clear how you can draw up a processing agreement, you can start working yourself. Identify which parties receive personal data through your organization, in order to conclude a processing agreement with each of them. It is also important to examine whether you may be acting yourself as a processor for other parties. It may be advisable to call in the help of, for example, a lawyer from ICT Recht for this purpose. Lawyers can assess the relationships with other parties in order to determine whether the drafting of a processing agreement with the GDPR is necessary.