Many people think each exchange of personal data requires a processor’s agreement to be entered into. In a previous blog I have already explained that this is not the case. What arrangements must then be put in place? In this blog I will be investigating this issue further. Different forms of exchange. The exchange of personal data takes place in different situations: contracting out; transferral; collaboration. I will briefly discuss each situation. Situation 1: contracting out. Business processes are often contracted out.
Article | 16 March 2018 | Mark Jansen
Many people think each exchange of personal data requires a processor’s agreement to be entered into. In a previous blog I have already explained that this is not the case. What arrangements must then be put in place? In this blog I will discuss this further.
Different forms of exchange
The exchange of personal data takes place in different situations.
- contracting out;
Below, I will briefly address these situations.
Situation 1: contracting out
Business processes are often contracted out. This includes purchasing IT-services from the cloud (instead of having an in-house IT department) or by engaging an external payroll accounting firm. Often, personal data processing is central to these outsourced activities. After all, you cannot maintain an IT system without usernames and you cannot process salaries without receiving data about those employees. According to the privacy legislation, in those situations the supplier qualifies as “processor”. In those cases, it is required by law to enter into a processor’s agreement. This is set out in article 28 of the General Data Protection Regulation (GDPR). The GDPR also prescribes as mandatory which subject matters such an agreement must include. There is no restriction on the form however; the law does not prescribe a model contract.
The law also states that you must test in advance whether the supplier is reliable and that during the term of the agreement you must ensure that this supplier processes the personal data carefully. Central to the role of the processor is that it may absolutely not process the personal data for its own purposes.
Situation 2: transferral
A completely different situation is where the personal data is transferred. The receiving party then processes the data further for its own purposes. This includes:
- the transfer of data of employees by an employer to a pension fund or a leasing company;
- the transfer of data by a physician to a successive practitioner;
- the transfer of address details to a delivery service;
- the transfer of address details to a maintenance company by a housing association.
In all these situations it must be assessed on the basis of the privacy legislation whether the transfer is permitted. This means that the following must be considered:
- proportionality and subsidiarity: is the transfer necessary, are too many details being transferred, etc.?
- basis: is the transfer in line with the expectations of the data subject, is this required by law or is permission required?
- purpose limitation: does the transfer fit in with the reasons for which the data is acquired?
- transparency: is the data subject aware of the transfer or can he/she anticipate this?
- security: is the transfer properly protected?
- for special personal data: is the transfer legally permitted or is there permission of the data subject?
- etc. etc. (this is not an exhaustive list)
The law does not prescribe an agreement for a transfer. It can be sensible to have one though. In a contract, agreements can be made on issues such as transparency (who informs: supplier or receiver?), security (how will a safe transfer take place?) and the chain obligations when exercising rights of data subjects (in particular passing on correction requests). It is also wise to come to agreements on liability in the event it is claimed that the transfer is unlawful.
Characteristic of a transfer is that the receiving party, subject to other agreements, is in principle free to process the personal data further (within statutory parameters). This differs therefore strongly from the processor’s situation. In this situation absolutely no processor’s agreement must be signed!
Situation 3: collaboration
In the 3rd situation, two or more parties jointly process personal data for the same purposes. This could be the case when parties work together so intensively that there is no longer a transfer in the above meaning. Then it is more a case of a joint administration. Article 26 GDPR sets out that the collaborating parties must come to an arrangement. This arrangement must clearly record the division of the responsibilities, in particular relating to the data subject. The essence of this arrangement must be notified to the data subject. In this situation there must therefore be an agreement. Next to the division of responsibilities (see above), it is also wise to come to agreements on how to jointly satisfy the privacy legislation in other respects. This is due to the fact that the parties keep a joint administration and can be held jointly and severally liable for this. There will also have to be a clear exit arrangement showing whether (the data from) the joint administration may still be used by the parties after the collaboration. An agreement is always sensible.
As you can see, when exchanging personal data it is always sensible to come to (limited or extensive) agreements on privacy. In situation 1 and 3 this is compulsory, in situation 2 it is often sensible. Each situation requires its own contract.
If you have questions about the above or about other aspects of privacy law, please do not hesitate to contact us. We can help you.