The way it was…
Under the Dutch Personal Protection Act (Wet Bescherming Persoonsgegevens), the obligations relating to the protection of personal data were, strictly speaking, placed with the data controller. The processor had no official responsibility, despite the fact that even then the controller was in many cases dependent on the activities and procedures of the processor, particularly in reference to the most salient issue: data security.
The way it is…
Now that the GDPR has gone into effect, this has changed. The assumption remains that the data controller has primary responsibility for the processing of personal data collected and processed for a specific purpose. However, the GDPR has introduced a number of obligations for the processor. The processor has been given shared responsibility for the personal data it processes at the instruction of the data controller.
Partnering on data protection
This means that now more than ever it is important for the controller and the processor to work together to keep personal data safe. Data protection has to be founded on a data processing agreement contracted between the parties, a document that regulates the relationship between them. It will contain provisions governing a number of aspects, such as the object of the processing, the nature of the personal data, security, sub-processors, data breaches on the part of the processor, and damages and penalties and how these are to be apportioned between the parties. But the parties’ cooperation must go further than this. The processor is obliged to support the controller in the performance of its tasks and responsibilities under the GDPR. This includes not just security issues; for example, whenever a data subject wishes to know what personal data concerning them is being processed, the processor must help the controller in answering the query.
Step 1: Identify what personal data your processors are processing, or for which controller(s) you are processing personal data.
Step 2: Sign a data processing agreement that contains all necessary provisions.
Step 3: Maintain regular contact with the Data Protection Officer/Privacy Officer of the processor and/or controller.
Our Team Privacy will be happy to advise you on the GDPR and its impact on your organisation, including drafting and negotiating your data processing agreements. If you would like to know more about the possibilities, contact one of our Team Privacy personnel for a free, no-obligation quote.