What is a data processing agreement?
A data processing agreement is an agreement on how personal data is processed. The agreement is between two companies – a data processor and a data controller.
The data processor is the company that processes sensitive personal data on behalf of the other company. The data controller is thus the company that needs the personal data processed.
Why is it essential to make an agreement on data processing?
As the name suggests, a data controller is responsible for how personal data is processed.
If your company asks another company to store personal information such as name, age, gender, and social security number, you must enter into an agreement with the data processor. This applies to personal information about your employees, customers, etc.
The EU’s data protection regulation requires you to enter into an agreement on data processing. Even once you have made a written agreement with a data processor, you remain responsible for protecting personal data fully.
You must also monitor the data processor to ensure that the content and requirements of the agreement are met.
What should you include in the agreement?
It is important to have clear lines in the agreement so that, as a data controller, you are confident that the processing security of personal data is in order. At the same time, you have something concrete to monitor against.
The agreement should include the minimum requirements of the EU’s data protection regulation:
- The data processor must be bound by confidentiality obligations.
- The data processor must process personal data on the basis of the data controller’s instructions.
- The data processor must be able to ensure that data processing complies with the requirements of the data protection regulation.
- If the data processor uses a “sub-processor” to meet the requirements, the data processor is 100% responsible.
- If the data processor does not meet the requirements, it may result in a fine or compensation.
- If the data controller wishes to terminate the agreement, all personal data must be deleted or returned to the data controller.