From May 25 2018 any business in the European union or EEA that processes personal data has to comply with the GDPR. With the GDPR come changes that also affect the data processing agreement. But what exactly are these changes to the processing agreement? And how do they affect existing agreements with your suppliers?
Data processing agreement
A data processing agreement (DPA) establishes how a processor is to handle personal data. It is an agreement between the controller of the personal data and the party processing the personal data for them. Cloud service providers are generally data processors.
In a data processing agreement, things such as the purpose of the data processing are recorded. The DPA also includes the kind of personal data that will be processed. When a processor processes personal data for a controller, the person legally responsible, a data processing agreement between both parties is mandatory.
The controller determines the purpose and means of the data processing. When your business processes employees’ personal data, a salary slip is a good example. The business is then responsible for this data.
The processor works with the personal data on behalf of the controller. For example the payroll office that pays out the salaries for your company.
The controller and the processor have to make agreements about the processing, because both parties are obliged to have such an agreement as part of their documentation. The data processing agreement is free of format, to make it possible for you to include it in your own General Terms and Conditions. Do make sure that your General Terms and Conditions are applicable and binding. Most of the time a separate agreement is drawn up to have all the provisions grouped together.
Data processing agreement contents
A data processing agreement has to state which data processes it concerns. Is also has to include which parties are involved in the processing of certain personal data. It is advisable include in the data processing agreement who is responsible for reporting any data breaches. Wonder what else that should be in a data processing agreement? Or if your processing agreement is ready for the GDPR? What should definitely be in the processing agreement is in this checklist:
- The subject of the data processing
- The purpose of the data processing
- Who the data belong to (e.g. clients or employees)
- The security measures taken
- What happens with the data, once the agreement ends. Is it deleted? Within what period of time?
- It is possible to arrange future audits to review compliance with the agreement.
Processing personal data happens all the time. An external helpdesk being able to consult the data, is considered processing. When you have already concluded a data processing agreement with your suppliers, chances are that many of the requirements have already been met.
Teaming up with Cloud1 means you can rest assured knowing you are using a fully GDPR-compliant cloud service. If you have any questions about the GDPR? Contact the Cloud1 team for more information.