When is a data processing agreement required?

December 2017

Question

Our municipality has outsourced the processing of personal data to a cloud computing service. We find it difficult to determine who is responsible for correct data processing in terms of the General Data Protection Regulation (GDPR). Does the GDPR require us to have a data processing agreement in place with the cloud computing service?

Brief answer:

If a municipality has outsourced the processing of personal data to a third party, a data processing agreement is required. This agreement must set out a framework for the activities of the data processor, following requirements laid down in Article 28 of the GDPR.

Data controller and data processor

When the processing of data is outsourced, it is important to distinguish between who is the data controller and who is the data processor. The data controller is understood to be the natural or legal person that determines the purposes and means of the processing of personal data (Article 4(7) GDPR). In this specific case, this would be the municipality. The data processor is understood to be the natural or legal person which processes personal data on behalf of the controller. This would be the cloud computing service.

Data processing agreement

The data processing agreement is an agreement between the data controller and the data processor, which is required when the latter processes personal data as a service to the former.

According to Article 28 of the GDPR, this agreement must include:

  • The subject matter and duration of the processing;
  • The nature and purpose of the data processing;
  • The type of the personal data, and a categories of the data subjects;
  • The rights and obligations of the data controller;
  • Specific clauses that guarantee the security of the processing;
  • Rules that guarantee the processor assists the controller in meeting certain GDPR obligations.

For an exact description of the requirements, we refer you to the text of the Regulation.