Does your company have a processing agreement with each service provider that handles personal information for you as required by the EU General Data Protection Regulation (GDPR)?
If you don’t, it may cost you 5,000 EUR per missing agreement – says the data protection authority of Hesse, Germany.
Following a complaint to the data protection authority, the Hessian DPA investigated and learned that the data controller company (a small shipping company) did not have a data processing agreement as required by Art 28 of GDPR, with its Spanish service provider, and subsequently issued the 5,000 EUR fine. This comes only a few days after the Dutch data protection authority reported it requested information about such agreements from 30 companies in the Netherlands.