There is hardly any IT project imaginable where personal data is not processed. When personal data is processed, both the controller and the processor are required under Article 28 of the GDPR to draw up a data processing agreement. Compliance with this legal obligation is important, if only because the mere fact that no data processing agreement has been concluded can lead to a fine from the Data Protection Authority. When are you a 'controller' or 'processor' and what requirements are imposed on a data processing agreement?
When several parties are involved in the processing of personal data, the GDPR assumes a distribution of roles. One of the key concepts in this distribution is the controller: the party that determines the purposes and means of the processing of personal data. Another important concept is the processor, who processes personal data on behalf of the controller. A payroll administration office is a typical example of a processor. A SaaS provider or hosting provider that processes personal data also (in principle) qualifies as a processor. (Joint controllership can also occur, but for the sake of a clear and concise overview we leave this aside.)
It is important that the parties are aware of their role, because the GDPR attaches different legal obligations to each of them. In practice, however, assigning the correct role is not always easy. The risk the parties then run is that they take on too many or too few obligations. In the first case they assume more responsibility (and ultimately more liability) than necessary; in the second case they fail to meet their legal obligations. Neither situation is without risk.
Concluding a data processing agreement between the controller and the processor(s) is a legal requirement. A widespread misunderstanding is that only the controller is obliged to ensure that a data processing agreement is in place. This is not correct: the obligation rests on both the controller and the processor. What must a data processing agreement contain? At least the following matters must be arranged:
In addition, the agreement must:
Parties are free to arrange these matters in more detail. For example, parties can agree on specific conditions under which the processor may outsource its processing services to sub-processors. It is also common to include a list of security measures that are at least expected from the processor.
In addition to the provisions that the law requires in a data processing agreement, it is advisable to include provisions on liability and indemnification. How do the parties deal with a fine imposed by the Data Protection Authority for non-compliance with the GDPR? It is also advisable to make further (procedural) agreements about data breaches: what should be done in the event of a data breach, to whom and how should it be reported, and what information must be shared in that case?
If you have any questions about successfully executing ICT projects, please contact Natascha van Duuren, Partner & Attorney at law IT, Privacy & Cybersecurity.
The content of this blog is part of 'ICT Projects: a practical guide', a collection of articles on successfully executing an ICT project.