Data processing agreements must be in writing in order to be valid under the GDPR. Where the applicable law imposes no formal requirements, both oral and written agreements are valid. However, a written agreement is easier to prove in the event of a dispute, so it is advisable to document agreements. Written agreements can also prevent disputes from arising in the first place, since the parties know the terms can be proven. In some cases, however, the law requires an agreement to be in writing, and an oral agreement is then invalid.
Examples of companies that are data processors:
- Accounting firms
- Web agencies
- Cloud service providers
Please note that a company may be a data controller for certain processing operations and a data processor for others. For example, an accounting firm is a data controller with respect to the processing of personal data of its own employees, and a data processor when it processes personal data on behalf of its customers.
GDPR: Data Processing Agreements must be in writing in order to be valid
It is clear from Article 28(3) of the GDPR that data processing agreements must be in writing. The GDPR also requires a data processing agreement to be concluded whenever a controller engages a processor. A processor is an actor that processes personal data on behalf of a controller. It is the data controller who determines the purpose of the processing.
When a processor engages a sub-processor, they must also enter into a written data processing agreement
A processor may engage a sub-processor, provided that the processor has obtained written permission from the controller. In addition, the processor and the sub-processor must enter into a written data processing agreement with each other, so that data subjects enjoy the same protection as under the agreement between the controller and the processor.
Examples of when it may be relevant for a personal data processor to engage a sub-processor
- Web agency engages an analytics company: A company is a data controller and hires a web agency to build and maintain its website. The web agency is then a data processor when it processes personal data on behalf of the data controller. The controller wants to be able to analyse statistics (such as purchasing behaviour on the website). Since the web agency does not have that competence, it hires an analytics company for the task. The analytics company is then a sub-processor of the web agency, which is the personal data processor.
- Installation of a chat tool on the website: If the company that is the controller also wants customers to be able to chat directly with it on the website, and the web agency needs to use a chat tool from a service provider in order to implement this, the service provider is also a sub-processor.