Does your company have the data processing agreements required by the EU General Data Protection Regulation (GDPR) when it engages third parties to assist with its data processing activities?
The Dutch data protection authority recently asked this question of 30 companies in the energy, media and trade sectors. The agency has also conducted similar exploratory compliance surveys covering Data Protection Officers and processing activity registers.
Under GDPR, a company may only engage processors that offer sufficient guarantees that they also comply with legal requirements. The processor agreement must specify how the protection and processing of personal data is regulated and address issues including:
- which data will be processed and for how long
- the nature and purpose of the processing
- how the security of the data is guaranteed