When is a personal data processing agreement required?


A personal data processing agreement need not be concluded in each and every case – this will depend primarily on the mutual relationship between the two parties. The key is to determine whether or not one of the entities has the position of data processor in relation to the other party.

In practice, a personal data protection agreement may also be referred to as an “agreement between controller and processor” or a “processing agreement”. This agreement is concluded by a personal data controller with a data processor in order to determine the purposes and means of processing personal data – the processor then follows these settings in its activities.

However, the situation can become very complicated in practice in cases where a supplier and customer are in the relationship of data controller and processor. Three different options, each involving a different procedure, are then conceivable.

The first option is that the two entities will be in a mutual relationship of a data controller and a data processor. For example, the controller may be a school and the processor a provider of e-mail services, an external network administrator or an IT provider. In this case, a data processing agreement has to be concluded.  

The second option involves a data controller and third parties that may have access to personal data and are neither a data controller nor a data processor. Their usual line of business covers work and activities that do not involve personal data processing; yet they can occasionally gain access to such information. A processing agreement need not be concluded in this case. Nonetheless, it is recommended to enter into a contract indicating that the given entities do not engage in personal data processing. It should also be stated in the contract that each entity is bound to maintain the confidentiality of data that it learns in the course of its activities.

The third option is a mutual relationship between two controllers of personal data. These might be, for example, schools, tax authorities, travel agencies or physicians. These entities need not enter into a data processing agreement or otherwise regulate their relationship.

Please do not hesitate to contact us for more information or should you have any questions. It will be a pleasure for us to provide advice and draft specific contracts and agreements, if need be.