A data processing agreement is nothing new. Before the General Data Protection Regulation (GDPR) came into force on May 25, there were already similar agreements in place. The main difference is that now, under the GDPR, it is mandatory for companies to sign a data processing agreement. Who has to sign it? What should be included, and why do you need one?
What is a data processing agreement?
A data processing agreement is a contract between two parties that contains the details of how data is processed, including its scope and purpose. Usually the agreement defines the roles of the controller and the processor:
- The controller: the organization that is responsible for processing the personal data.
- The processor: the organization that processes personal data on behalf of the controller.
Why do you need a data processing agreement?
Every organization that deals with personal data falls under the GDPR. But what if you hand over these activities to a third party? Think of a payroll company for the salaries of your employees or a bookkeeping office for your administration. Even when you store your data in the cloud, you outsource the processing to the cloud provider.
When you outsource this work, you still want to comply with the agreements you have made with the data subject. In order to arrange for the third party to handle the personal data carefully, you sign a data processing agreement.
Is a data processing agreement mandatory?
A data processing agreement only applies when the controller processes personal data with a third party.
The data processing agreement must be in writing; this may also be done electronically. It is also possible to include this agreement in a partnership agreement, but it is more convenient to create a separate document for this.
You are obliged to be accountable for the personal data when requested by the Data Protection Authority; in that case, you can share only the data processing agreement.
Who sets up the data processing agreement?
The agreement can be drawn up by the processor or the controller. In some situations, it is easier if the controller drafts the agreement, and in some situations, it is easier if the processor drafts it.
For cloud providers, it is easier to set up a data processing agreement and send it to their customers. Cloud providers often have many customers, which makes it difficult to sign a separate data processing agreement for each customer.
As a smaller company, you could also consider offering a standardized processing agreement to your customers as a service. Many companies are not aware that they need a data processing agreement.
How to request a data processing agreement with vBoxxCloud?
To request a data processing agreement, you need to have a paid vBoxxCloud account. You can then access the GDPR page and click on Data Processing Agreement. Alternatively, as a client, send an email to firstname.lastname@example.org with your request and we will get back to you as soon as possible.