Search for:

Jump straight to:

An unexpected error has occurred

Please enter a search term

Please select

What sectors are you interested in?

We can use your selection to show you more of the content that you’re interested in.

Want to speak to an advisor from your closest office?

Find other offices

Search for:

An unexpected error has occurred

Please enter a search term

Out-Law / Your Daily Need-To-Know

Out-Law News 3 min. read

Data processing agreements cannot be retrospectively applied under the GDPR

12 Oct 2023, 3:17 pm

A recent ruling by Belgium’s data protection authority has highlighted the importance of having data processing agreements in place to govern data processing arrangements from the point they take effect, an expert has said.

Andre Walter, who specialises in data protection law at Pinsent Masons, was commenting after the Belgian authority ruled that the absence of a data processing agreement cannot be remedied under the EU General Data Protection Regulation (GDPR) by inserting a data processing agreement into a contract and providing for it to apply retrospectively.

The Belgian authority confirmed the position in a case in which a man complained about the lack of a data processing agreement being put in place between a municipality in Belgium and a third-party Brussels-based computer engineering company the municipality had engaged. The company had processed his data in connection with the payment of parking fees.

Though the data processing was outsourced, no data processing agreement was in place at the time the man’s data was processed. The municipality had agreed the outsourcing arrangements with the company in late 2016, but the data processing agreement was only concluded on 27 July 2020 – after the man’s data had been processed in May of that year.

The Belgian data protection authority said that, to conform with the requirements of the GDPR, the data processing agreement should have been in place no later than 24 May 2018 – the day before the legislation took effect, which itself was two years after it entered into force. An important purpose of a data processing agreement is to provide a contractual framework to safeguard the rights of data subjects under data protection law, though data subjects themselves are not parties to the contract. In this context, the Belgian authority considered that the municipality and computer engineering company could not just decide to retrospectively apply the data processing agreement from 27 July 2020, so that it applied to processing that took place prior to that date – including the complained of processing in this case – on their own.

Frederik Harms, a contract law specialist at Pinsent Masons, said: “It is sound from a contract law perspective for parties to agree to have the terms of a contract apply retrospectively. However, this does not have the effect that the contract was actually in place between parties before its conclusion. As such, this decision is a valuable reminder for any party that contracts from a compliance perspective, whether from the perspective of data protection or tax, for example.”

“From this decision, however, it does not necessarily follow that an executed data processing agreement needs to be in place. At least from a Dutch law perspective, there is no legal difference between a contract or agreement, and there is no requirement that these should be in writing or even need to be executed. As such, in the circumstances that parties did share final documents and can prove another’s acceptance to the terms as per a certain date, then parties may arguably still invoke the validity thereof,” he said.

In an important warning to all businesses that put in place data processing agreements – whether in the role as controller or processor under the GDPR – the Belgian authority said it was the responsibility of both the municipality as controller, and the computer engineering company as processor, to ensure the written data processing agreement was in place at the material time. Both the municipality and the company were reprimanded for breaching the GDPR’s requirements in relation to data processing agreements, as well as for breaching other requirements regarding the disclosure of information pertaining to data processing to data subjects.

Walter said the case provides a valuable lesson to all organisations subject to either the EU or UK GDPR.

“While processors have considerably fewer obligations than controllers under the GDPR, they do share the same responsibility for ensuring that data processing agreements are entered into before the data processing arrangements take effect – including, where relevant, in any sub-processing contracts,” Walter said. “The GDPR is clear that any person acting under the authority of the processor, who has access to personal data, shall not process those data except on instructions from the controller in command.”

“Processors face further obligations too, including a requirement to maintain a record of all categories of processing they carry out on behalf of a controller. They must further operate an information security policy that describes and implements technical and organisational measures that enable them to ensure a level of data security appropriate to the risk, and notify the controller without undue delay when becoming aware of a personal data breach,” he said.

“In some cases, processors can also be obliged to designate a data protection officer, comply with rules governing the international transfer of personal data, and cooperate with data protection authorities in the performance of their tasks,” Walter said.

Contact an adviser

Walter Andre

Andre Walter

Legal Director

+31 20 7977 712
View Profile
Harms Frederik

Frederik Harms

Legal Director

+31 20 7977 713
View Profile

Latest News

Pension Ombudsman highlights importance of clear fee information

Ireland’s tourism body offers case study in effective brand strategy

EU and China dispute over medical devices procurement flares

Pension buy-outs: residual risks cover for winding-up pension schemes

European Commission flexes muscles under foreign subsidies regime with first-ever dawn raid

You might also like

Out-Law Guide

Concurrent delay in UK construction projects

The Covid-19 pandemic and other recent events have led to an increased focus on delays in construction projects with more than one cause.

Construction Advisory & Disputes

Out-Law Guide

The substantial shareholding exemption

The substantial shareholding exemption (SSE) applies to companies and exempts certain gains that would otherwise be subject to UK corporation tax following a disposal of shares.

Corporate tax

Out-Law Guide

Extensions of time and liquidated damages

Most contracts for construction works will include an extension of time mechanism, whereby the contractor will be entitled to an extension of time to the agreed completion date – the date by which the works must be completed – in circumstances where there are delays to a project which are not the contractor’s fault or for which the employer has taken the risk.

Construction Contracts

Out-Law News

UK government plans to revamp holiday pay calculation for part-year workers

Show me more

Out-Law Analysis

Pensions disputes: managing member expectations paramount

Show me more

Out-Law Analysis

UK subsidy control post-Brexit: access to effective judicial remedies

Show me more

Out-Law News

'Steps of court' settlement was not negligent, court rules

Show me more

Out-Law News

'Vast majority' of companies not seeking to avoid tax

Show me more

Out-Law News

'World first' industrial decarbonisation strategy developed in the UK

Show me more

Out-Law Analysis

3D printing: UK product safety issues

Show me more

Out-Law News

5G potential for business highlighted in UK funding programme

Show me more
We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.