Processing agreement

Do you use the services of a processor? Then you and the processor are obliged to record a number of subjects in a written agreement. This is called a processing agreement.

Mandatory processing agreement

The General Data Protection Regulation (GDPR) stipulates that both controllers and processors must have a processing agreement in place (Article 28, paragraph 3 of the GDPR). Both parties are therefore liable if such an agreement is missing.

As a controller, you are in breach of the GDPR if you cooperate with a processor but have not made any written arrangements with regard to this cooperation. You are then unable to demonstrate that you have implemented sufficient safeguards to ensure that the processor protects the personal data in accordance with the rules of the GDPR.

As a processor, too, you are obliged to have a processing agreement. Without one, you cannot rely on the legal basis of the controller, and you therefore have no right to process the personal data.

Initiative for processing agreement

In practice, the controller often takes the initiative for drawing up a processing agreement. After all, this party also takes the initiative for outsourcing a processing operation. But the other way round is also possible.

As a controller, you remain responsible for the processing at all times, even if the processing agreement was drawn up by the processor.

Contents of the processing agreement

You record the following subjects in the processing agreement:

  • General description. A description of the subject, the duration, the nature and the purpose of processing, the type of personal data, the categories of data subjects, and your rights and obligations as the controller.
  • Instructions for processing. In principle, processing takes place on the basis of your written instructions. The processor is not permitted to use the personal data for purposes of its own.
  • Duty of confidentiality. Persons employed by or working for the processor have a duty of confidentiality.
  • Security. The processor takes appropriate technical and organisational measures to secure the processing. Examples are pseudonymisation and encryption of personal data, ongoing information security, restoration of the availability of and access to data after an incident, and regular security testing.
  • Subprocessors. The processor does not engage any subprocessor(s) without prior written permission from you. In a subprocessing agreement, the processor imposes the same obligations on a subprocessor as the obligations that the processor has to you.
    In the agreement, you can also directly agree that the processor is permitted to engage subprocessors and on which conditions. Does the subprocessor fail to meet the obligations? The processor will remain fully liable to you for meeting the obligations of the subprocessor (Article 28, paragraph 4 of the GDPR).
  • Privacy rights. The processor helps you meet your obligations if data subjects exercise their privacy rights (such as the right of access, the right to rectification, removal and data portability).
  • Other obligations. The processor helps you meet other obligations as well, such as reporting data breaches and carrying out a data protection impact assessment (DPIA) as well as prior consultation.
  • Removing data. Once the processing services have ended, the processor removes the data or, if you want, returns the data to you. The processor also removes any copies, unless the processor is obliged by law to retain the data.
  • Audits. The processor cooperates in your audits or the audits performed by a third party and provides all relevant information that enables the auditor(s) to check if the processor complies with the above-mentioned obligations (Article 28 GDPR).

Points of attention for a processing agreement

Are you drawing up a processing agreement? Then it is advisable to pay attention to a number of points. You are not allowed to include arrangements in the processing agreement that are contrary to the GDPR. If you do so, or if you agree to arrangements that are contrary to the GDPR, you may be in breach of the GDPR. The GDPR takes precedence over the processing agreement.

Under the GDPR, the organisation that actually determines the purpose and means of processing is the controller, regardless of what the processing agreement says. When assessing a processing operation, the Dutch Data Protection Authority always looks at the factual situation.

Does the processing agreement say, for example, that the other party is the controller, but do you determine for what purpose the personal data are processed and how this is done? Then you are the controller for those processing operations. Regardless of what the agreement says. The factual situation is the guiding principle.

Obviously, you cannot force an organisation to sign an agreement. Are you unable to make agreements on the contents together? Then you can choose not to proceed with the cooperation. If you choose to proceed with the cooperation but do not have a processing agreement, you are both in breach of the GDPR.

Example of a processing agreement

Is your organisation affiliated with a sector association? Then that sector association may offer an example of a processing agreement. You can also find many examples online. Always make sure, though, that you adapt the agreement to your specific situation, and compare the agreement with the requirements of the GDPR.

Standard contractual clauses

The European Commission has drawn up standard contractual clauses for inclusion in a processing agreement. You can include these standard contractual clauses in your processing agreements for personal data transfers within the EEA. For more information, see: Standard contractual clauses for controllers and processors in the EU/EEA on the website of the European Commission.

Quick answers

Do I, as a logistics service provider, have to conclude processing agreements with my clients?

No. You are not a processor, even if you work for a client as a logistics service provider.

You are the controller for the processing of the personal data that are necessary for your services, such as names, addresses, postcodes, places of residence, telephone numbers and email addresses for track & trace delivery.