Guideline and check list for entering into data processing agreements

When a company engages a data processor to process personal data on its behalf, the data controller (the company) and the data processor are required to enter into a written data processing agreement. Typical examples are a cloud supplier storing personal data on behalf of a company, a service agency managing salary payments to the company’s employees, or a marketing agency managing the distribution of the company’s direct marketing emails.

The General Data Protection Regulation sets out detailed requirements for the content of data processing agreements. On this basis, DI has [in collaboration with Bruun & Hjejle] prepared a standard data processing agreement template that meets the requirements of the Regulation and is applicable to more general data processing arrangements. The template, which is to be completed with information on the specific cooperation, has been prepared for the company acting as data controller and is intended for less complicated data processing arrangements that are not already thoroughly regulated by separate cooperation agreements, outsourcing agreements etc. In case of a contractual relationship of a more complex nature, or if your company itself takes on the role of data processor, we recommend that you seek individual advice, e.g. on adjusting the template so that it matches the specific cooperation.

The template contains only the information required under the General Data Protection Regulation. Commercial aspects such as remuneration, liability for damages and non-performance provisions are not included. These aspects must therefore be regulated in a separate agreement, e.g. the service agreement in question, or be added to the data processing agreement.

Under the General Data Protection Regulation, the data processing agreement must also specify which security measures apply to the processing of the personal data. The template gives examples of security measures (section 3.4). This listing does not mean that exactly these measures are always necessary or sufficient in every situation; section 3.4 must therefore be adapted to the specific situation.

Appendix 1 to this guideline lists the aspects that must be regulated as a minimum. The list has been prepared so that it can be used as a check list when preparing or reviewing draft agreements received from a cooperation partner.

Appendix 1: Check list for the data processing agreement

Contract______

Document no.______

Date:______

Case no.: ______

Initials: ______

Required content

The following aspects must be regulated in a binding agreement between the data controller and the data processor. / Which provision in the data processing agreement meets the requirement?

The agreement must establish:

  • The subject of the processing / Section 1.1
  • The duration of the processing / Section 7.1
  • The character and purpose of the processing / Section 1.2 and 1.3
  • The type of personal data processed / Section 1.2
  • The categories of registered individuals / Section 1.1

Instructions

  • The data processor and any person working on behalf of the data processor may only process personal data on documented instructions from the data controller. / Section 2.1-2.2 and 3.2
  • Transfer of personal data to a third country or an international organisation is only allowed in accordance with documented instructions from the data controller, unless the transfer is required under EU law or member states’ national law to which the data processor is subject. / Section 2.1 and 1.5
  • The data processor must immediately notify the data controller if, in the opinion of the data processor, an instruction infringes any legislation. / Section 5.4
  • Employees of the data processor who process personal data must be subject to a confidentiality clause or professional secrecy. / Section 2.3-2.4 and 3.3

Security and breach of security

  • The data processor must implement sufficient technical and organisational measures to ensure a level of security appropriate to the risks of the processing. / Section 3
  • The data processor must notify the data controller when it becomes aware of a security breach of significance affecting the personal data. / Section 5.3

Sub-processors

  • The data processor may not use other data processors (sub-processors) without prior approval, either by a general written approval combined with a right of objection or by specific approval of each sub-processor.
  • In case of a general written approval, the data processor must notify the data controller about any planned changes in the form of addition or replacement of sub-processors, thereby allowing the data controller to object. / Section 4.1-4.2
  • The data processor must enter into a written agreement with the sub-processor. / Section 4.3
  • The sub-processor must be bound by the same data protection obligations and contractual conditions as those stipulated in the agreement between the data controller and the data processor. / Section 4.3
  • The sub-processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks of the processing. / Section 4.3
  • If the sub-processor does not meet its obligations, the data processor remains fully liable to the data controller for the performance of the sub-processor’s obligations. / Section 4.4

Assistance obligations

  • The data processor must assist the data controller in complying with the obligations concerning security measures, taking into account the nature of the processing and the information available to the data processor. / Section 5.1
  • Taking into account the nature of the processing, the data processor must, to the greatest extent possible, assist the data controller in meeting the data controller’s obligation to respond to requests concerning the exercise of data subjects’ rights:
    - The right to obtain access
    - The right to rectification
    - The right to deletion
    - The right to restriction of processing
    - The right to data portability
    - The right to object / Section 5.2

Audits and information for the data controller

  • The data processor must make available to the data controller all information necessary to demonstrate compliance with the requirements of the data processing agreement. / Section 6.1
  • The data processor must enable and contribute to audits, including inspections, carried out by the data controller or another auditor authorised by the data controller. / Section 6.2
  • The data processor must immediately notify the data controller if, in the opinion of the data processor, an instruction on data processing infringes the General Data Protection Regulation or special legislation. / Section 5.4

Termination of the data processing agreement

  • When the processing of the personal data is discontinued, the data processor must, at the data controller’s choice, delete or return all personal data to the data controller, unless mandatory legislation requires continued storage. / Section 7.2-7.3
