The Personal Data Authority (AP) surveyed 31 private sector organizations (from the trade, healthcare, media, leisure and energy sectors) about processor agreements. The goal was to get a better picture of how organizations draft these agreements. The conclusion is that there are very diverse processor agreements in use.
This fits with the perception that the General Data Protection Regulation (GDPR), through its open standards, offers opportunities for customization. After all, not every organization or processing is the same.
Organizations often hire other organizations to process personal data on their behalf, for example when they outsource accounting, hire a call center or have a website hosted. Such an organization is called a processor.
In a processor agreement, both parties record what the processor may and may not do with that personal data. A processor agreement is mandatory under the GDPR.
The AP emphasizes that sound, periodically updated processor agreements are part of good business practice.
Organizations that are increasingly data-driven would do well to invest in working processor agreements as part of their data housekeeping.
In addition, the AP has a few general recommendations for organizations, including:
Based on your processing log, make it clear which organizations you engage, what processing they do, what the risks are and whether a processor agreement applies or is required.
Embed the creation, review and modification of processor agreements into existing processes. Connect to existing contract management processes and review agreements periodically.
Make agreements and measures concrete. A processor agreement is meant to translate the open norms of the GDPR into concrete terms for a specific situation. For example, name specific retention periods or spell out which security measures will be taken.
For more recommendations and concrete do's and don'ts, see: Working Processor Agreements - Private Sector Application Survey.
Since the GDPR took effect on May 25, 2018, the AP has regularly checked whether organizations comply with the requirements of the privacy law. For example, the AP previously looked at whether government organizations, hospitals, (healthcare) insurers and banks have a data protection officer (DPO).
The AP also conducted an exploratory survey of large private organizations to investigate whether they keep a register of processing activities.