PONT Data&Privacy

Does outsourcing always require entering into a processing agreement?

The General Data Protection Regulation ("AVG") applies when personal data is processed. The controller can outsource the processing to a processor. According to Art. 4(8) of the AVG, a processor is the person who processes personal data on behalf of the controller. When providing personal data to a processor (that is, when outsourcing the processing of personal data), the controller must enter into a processing agreement with the processor (Art. 28 AVG).

4 April 2019

It appears from the Explanatory Memorandum to the Personal Data Protection Act ("Wbp") (p. 68) that the term "provision of personal data" should be interpreted broadly: "it includes any form of disclosing or making available personal data, irrespective of the manner in which this is done. It may be oral, written or electronic but also by handing over a magnetic tape containing data. The act of consulting data, for example on CD-ROM, also falls under disclosure. Provision also occurs when a person looks over the shoulder of another person at, for example, a file of personal data."

Yet when providing data to a processor, a processor agreement is not always necessary. This is because parties that at first glance qualify as processors sometimes, upon closer inspection, are not. The following are four examples of outsourcing that do not require a processor agreement.

1. The party engaged is itself a data controller (e.g., a logistics service provider)
The website of the Autoriteit Persoonsgegevens ("AP") reports the following in this regard: A logistics service provider is not a processor, even if he works as a logistics service provider for a client. He himself is a data controller for the processing of personal data necessary for his services. This may include names, addresses, postal codes, places of residence and possibly telephone numbers and e-mail addresses for 'track & trace' delivery. The client therefore does not have to enter into a processing agreement with its logistics service provider.

2. There is accidental processing of personal data
If an external party sees or can see personal data of relations of a client, but it is not commissioned to process those personal data, a processing agreement is usually not required. According to the Explanatory Memorandum to the Wbp (p. 62), the circumstance that the data processing is more of a corollary to the provision of services than a primary activity is an indication that there is no processing. Nor does the external party in question qualify as a data controller. This is because he does not determine the purpose and means of processing. After all, he is not allowed to do anything at all with the personal data. Consider, for example, the external maintenance engineer who checks a printer or an access security system: his assignment is not to process personal data, but to check an installation. No processing agreement needs to be concluded with the employer of the maintenance engineer. The client does remain responsible for the confidentiality of personal data. Confidentiality also includes their security. Even if a processor agreement is not required, it is still desirable to contractually bind the contractor and its personnel to confidentiality.

3. Engaging a ZZP'er (a self-employed person without staff)
If the client engages a ZZP'er to perform work under its instruction, there will not always be a processor situation either. The AVG manual of the Ministry of Justice (p. 34) says the following about this: "There is a processing situation only if the processor is not subject to the direct authority of the controller. If you are subordinate to the controller or there is otherwise a hierarchical relationship (for example, you are an employee, seconded to the controller, or a ZZP working under the instructions of your client), then there is no question of processorship. In the Netherlands, this situation is referred to as internal management". Pursuant to Art. 29 AVG, the ZZP'er must comply with the client's instructions. The client would be wise to impose an obligation of confidentiality on the ZZP'er. Note: as the hired ZZP'er has more autonomy, his role may change to that of controller or processor.

4. There is processing for personal purposes
A processing agreement is also not necessary if the outsourcing concerns processing to which the AVG does not apply. An example of such outsourcing is the assignment to a funeral director in which he makes recordings of a funeral on behalf of a private client and possibly makes the recordings available to the family through live streaming via the Internet. In that case, according to the AP, the AVG does not apply because the processing falls under the exception of processing for personal purposes (Art. 2(2)(c) AVG). A processor agreement is therefore not required in that case. However, take care that the impact of the video recordings does not become extensive: according to the European Court, the exception for "personal purposes" then no longer applies. According to its letter, the AP therefore attaches strict conditions to relying on the exception in such a case.

Conclusion

The distinction between a controller and a processor is not always sharp. Sometimes outsourcing does not involve a processor at all. A processor agreement is then not necessary. Nevertheless, it is advisable to ensure that the roles of the parties involved are properly defined in advance.

This article can also be found in the AVG file
