In July we already informed you about the AVG, which will be enforced from 25 May 2018. In the meantime you can hardly get around the AVG anymore. On many websites you can find information and step-by-step plans about the AVG and how to comply with it. Although 2018 may seem far away, it is closer than you think. To prepare you further, this time we will tell you more about the "processor agreement".
What is a processor agreement?
The AVG refers to a processor agreement. This may sound familiar, as the Wbp (Personal Data Protection Act) called this a 'bewerkersovereenkomst'. With the introduction of the European Privacy Regulation, the Dutch terms 'bewerker' and 'bewerkersovereenkomst' have been renamed to 'verwerker' (processor) and 'verwerkersovereenkomst' (processor agreement).
The processor agreement (or Data Processing Agreement (DPA)) contains terms that we will explain. These are the terms 'controller', 'data subject' and 'processor'.
What does a processor agreement mean?
The processor agreement is the agreement between the controller and the processor, which specifies how the processor must deal with the personal data. Example: a company (controller) and a payroll administration office (processor) must enter into a written agreement with each other because the company keeps personal data of its employees for the payroll administration. The responsibility for concluding this agreement lies with the controller (in this example the company).
When is a processor agreement necessary?
If a controller has personal data processed by a processor, a processor agreement between the parties is always mandatory. This also applies if the processor is, for example, a subsidiary of the controller or is located abroad. Whenever a controller outsources the processing of personal data, a written agreement is required.
Something quickly counts as processing of personal data: merely viewing the data by an external party is already processing.
Is it really necessary to have a processor agreement?
Yes, it is legally required to have a processor agreement. If you do not have one, sanctions can be imposed. That is why it is important that you have a processor agreement before 25 May 2018.
Who is the 'controller' in the processor agreement?
The controller is a person or organization that determines the purpose and means for the use of personal data. Think of the example of a company that keeps the personal details of its employees for the payroll administration (name, address, bank account number, etc.). The controller (in this example the company) can do this alone or together with others (such as the payroll administration office). It means that the controller ultimately decides whether an organization processes personal data, and if so:
- what processing is involved;
- what personal data the company processes;
- for what purpose the company does this;
- how the company does this.
Who is the 'data subject' in the processor agreement?
The data subject is the person whose personal data an organization processes. This is therefore the person to whom the personal data relate (for example employee X).
Who is the 'processor' in the processor agreement?
A processor is a person or organization to whom the controller has outsourced the data processing. In the aforementioned example, a payroll administration office that handles the payroll administration for the company would be the processor.
A processor is not independently responsible for the processing of the personal data. The processor does have a number of derived obligations, for the protection and confidentiality of the data.
What is personal data?
Personal data is any information on the basis of which a natural person can be identified. Data about deceased persons or about organizations are not personal data.
Examples of personal data: name and address details, e-mail addresses, passport photos, fingerprints and IP addresses. Data that gives an assessment of a person, such as someone's IQ, is also personal data.
Topics in a processor agreement
The AVG states that the following matters must in any case be mentioned in a processor agreement:
- the duration of the processing (also think about deleting the data at the end of the assignment);
- the nature and purposes of the processing;
- the type of personal data processed;
- the specific tasks and responsibilities of the processor and the risk related to the rights and powers of the data subjects;
- the prior permission of the controller for engaging subprocessors;
- ensuring confidentiality;
- how personal data are secured;
- how information is made available to the controller in the context of audits.
Do you need more explanation and clarity about the AVG?
We can fully imagine that. That is why we would like to organize a knowledge session, to which we invite you. Do you want to participate in the knowledge session and get more information about the AVG? Send us an e-mail at firstname.lastname@example.org or call 078 - 631 33 03.