Out-Law News | 22 Jan 2019 | 1:27 pm | 1 min. read
The Autoriteit Persoonsgegevens said it has asked 30 businesses across the energy, media and trade sectors "what agreements they have with other parties when they process personal data for them".
It is the latest in a series of compliance checks the AP has conducted under the General Data Protection Regulation (GDPR).
The outsourcing of personal data processing is permitted under the GDPR, but the legislation outlines a number of conditions that both the companies responsible for the data, data controllers, and the third party data processors must meet when applying such arrangements.
One of the requirements is that the processing arrangements are governed by written contract, or by another "legal act" provided for in EU or member state law.
Article 28 of the GDPR explains that the written contracts must set out "the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller". Further requirements that processors must adhere to that must be provided for in the contract are also listed under the article.
The AP said: "The European privacy rules state that organisations that process personal data must conclude a processor agreement if they cooperate with other parties in the processing of these personal data. This is necessary, for example, if they outsource IT facilities. Organisations remain responsible for ensuring that personal data are properly protected. Therefore, an organisation may only engage processors that offer sufficient guarantees that they also comply with legal requirements."
Since the GDPR took effect on 25 May 2018, the AP has carried out other compliance checks, including whether government agencies, hospitals, healthcare insurers and banks had appointed a data protection officer. It said it has also "conducted an exploratory investigation with large private organisations to investigate whether they keep a register of processing activities".
Record keeping duties in relation to personal data processing are set out under Article 30 of the GDPR.