The Personal Data Authority (AP) has asked thirty private organizations what agreements they have with other parties that process personal data on their behalf. According to European privacy rules, these agreements must be laid down in a so-called processor agreement. The AP requested information from companies in the energy, media and trade sectors, among others.
Processor Agreement
The European privacy rules state that organizations that process personal data must enter into a processor agreement if they cooperate with other parties in processing that personal data. This is necessary, for example, when they outsource IT facilities. Organizations themselves remain responsible for ensuring that personal data is properly protected. Therefore, an organization may only engage processors who provide sufficient guarantees that they also meet the legal requirements.
The processor agreement should state how the protection and processing of personal data is regulated. The processor agreement should include at least:
What data will be processed and for how long,
What the nature and purpose of the processing are,
How data security is ensured.
Series of exploratory investigations
Since the introduction of the General Data Protection Regulation (AVG) on May 25, 2018, the AP has regularly checked organizations' compliance with requirements under privacy laws. For example, the AP previously looked at whether government organizations, hospitals, (health) insurers and banks have a data protection officer. The AP also conducted an exploratory survey of large private organizations to investigate whether they keep a register of processing activities.