GDPR Learning Hub

Agreements and documents

GDPR-related agreements and documents that companies may need

There are several GDPR-related agreements and documents that companies may need to draw up in order to comply with the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018. 

Here are examples of some GDPR-related agreements and documents that companies may need under the GDPR.

The GDPR applies to all companies operating in the EU and processing personal data. The regulation places high demands on companies, which must be able to demonstrate that they comply with it. The burden of proof of compliance lies with the company, not with the person claiming that the company is in breach of the regulation. This means, among other things, that the company needs to have appropriate GDPR-related agreements and documents in place. The larger the company, the more GDPR work is usually required.

Create and publish a privacy notice

Companies must inform data subjects about the processing of their personal data pursuant to Article 13 GDPR and Article 14 GDPR. This usually takes the form of a privacy notice which, among other things, must contain information about the purpose of the processing, the duration of the processing, what rights the data subjects have, what the legal basis is, etc. The privacy notice should be published on the website and made available through a link in all the company’s other digital storefronts, for example at the end of emails, next to contact forms, in social media, etc. 


A common mistake on websites

Many companies have a contact form on their website, where visitors can send messages to the company or order a product or service. The visitor usually needs to fill in their contact details in order to be able to submit the message. This involves the processing of personal data, so the company must inform the visitor about the processing before the message is submitted. It is therefore best to place a short descriptive text with a link to the privacy notice next to the form, which the visitor confirms they have read when submitting the message via the contact form.

Conclude a Data Processing Agreement (DPA)

When a controller engages a data processor, they must enter into a data processing agreement in accordance with Article 28 of the GDPR. The same applies when a data processor engages a sub-processor. 

Examples of when it is common to hire a data processor:

Accounting

If a company hires an accounting firm to manage the company's ongoing accounting and payroll to employees.

Marketing

When a company hires a marketing agency to manage marketing and statistics on behalf of the company.

The Data Processing Agreement must be in writing in order to be valid

Most agreements can be oral and still have the same validity as a written agreement. On the other hand, written agreements are easier to prove in the event of a dispute, or when demonstrating compliance with a particular law. Some agreements, however, must be in writing in order to be valid, because the law imposes a formal requirement. Personal Data Processing Agreements and Personal Data Sub-Processing Agreements are formal agreements of this kind that must be in writing in order to be valid. The written-form requirement is set out in Article 28(3) of the GDPR.

Companies may need to establish a Record of Processing Activities (ROPA)

Some companies need to establish a Record of Processing Activities (ROPA) in accordance with Article 30 of the GDPR. This applies to certain controllers as well as certain processors. The record shall be in writing and made available electronically. In addition, it shall be kept up to date over time and made available to the supervisory authority upon request.

Not all companies need to have a Record of Processing Activities (ROPA)

Some companies must have a Record of Processing Activities (ROPA) in accordance with the GDPR. This applies if the company has more than 250 employees. However, some companies with fewer employees may also need to have such a record, for example if the company processes sensitive personal data, if the processing is likely to result in a high risk to the rights and freedoms of data subjects, or if the processing is recurrent (that is, not temporary). As a result, only a few companies do not need to draw up a Record of Processing Activities (ROPA).

Intra-Group Data Sharing Agreement (IGA)

Just because companies are part of the same group does not mean that they may transfer personal data between each other in any way they like. It is therefore important to establish an intra-group agreement on personal data sharing, in which the parties regulate their roles, the legal bases for the processing, liability, etc. Such an Intra-Group Data Sharing Agreement (IGA) is a comprehensive and complex agreement, but an important one within groups. With it in place, the parties do not need to enter into many separate Data Processing Agreements (DPAs), Data Sharing Agreements (DSAs), etc., since all data sharing that can take place between the companies within the group is instead regulated in a single consolidated intra-group agreement.

Data Sharing Agreements (DSAs) when companies share personal data between each other

When at least two companies share personal data between each other but are independent data controllers, it is good if they establish and enter into a Data Sharing Agreement (DSA). The Data Sharing Agreement regulates, among other things, why the sharing takes place, which categories of personal data are shared, the security measures taken by the companies, the division of responsibilities between the parties in the exercise of data subjects’ rights, etc. It is good to draw up a written Data Sharing Agreement, as it reduces the risk of confusion and clarifies the division of responsibilities between the parties. This, in turn, may reduce the risk that each party’s processing of the shared personal data takes place in breach of the GDPR.

Continuity plan to manage crises

It is good for companies to be prepared for possible crises. A business continuity plan describes the critical processes that the company has and that need to keep working in order for the company to continue its operations. Companies need to be able to manage crises effectively and ensure that operations continue, even during a crisis. A written business continuity plan therefore makes it easier for employees to manage crises in practice.

Establish internal confidentiality agreements for employees

A company as an employer should draw up written non-disclosure agreements and conclude them with its employees. It is also common for employers to include a confidentiality clause in the employment contract. In some cases, the company is required by law or agreement to agree on confidentiality with its personnel. Therefore, it is an advantage if a separate non-disclosure agreement is concluded, instead of it being embedded as a contractual clause in the employment contract, as it is less intrusive to present the non-disclosure agreement if necessary.

Policies to comply with the GDPR

There are a number of different policies that it can be good for companies to establish, to help employees comply with the rules of the GDPR. For example:


IT security policy

An IT security policy is a governing policy document that sets out the company's rules for its protection of personal data: for example, what access rights rules the company has, how the company should handle personal data breaches, how passwords are protected, etc. In other words, an IT security policy provides a framework for the technical and organisational measures the company should take to protect personal data.


Privacy policy

A privacy policy is not the same as a privacy notice. A privacy notice is an external, informative document addressed to the data subjects, while a privacy policy is an internal governance document for the company's employees. In it, the company describes, among other things, which data protection principles apply to personal data processing, how employees should work correctly with the processing of personal data, etc.

Difference Between Policies and Procedures

Many people confuse policies and procedures. A policy is a more comprehensive, strategic document that sets out a vision and direction. Written procedures, by contrast, consist of more practical instructions to employees on how to achieve the goals set out in the policies. Procedures thus regulate more operational and concrete measures and instructions.

Procedures are practical written instructions to employees

To ensure that employees work in accordance with the GDPR, it is good to establish written procedures that they can follow. A good rule of thumb is that the more employees and departments a company has, the more procedures it may be appropriate to establish and implement. Procedures streamline the work of employees and can lead to a higher degree of practical compliance with the rules of the GDPR.

Erasure

Companies must erase personal data on a regular basis. By having a procedure for erasure, the company ensures that it does not process personal data for longer than is necessary for the purpose for which the data were collected.

Rights of data subjects

Companies must comply with the rights of data subjects, such as the right to rectification, the right to be forgotten, the right to information about the processing, etc. In addition, requests from data subjects must be handled within certain time limits. One of the procedures that most companies should have is therefore a procedure for satisfying the rights of data subjects.

Onboarding and offboarding

It is good for a company to have written procedures and instructions for onboarding new employees, so that they are trained in the company's data protection work (onboarding procedures). For example, the procedures can regulate the assignment of permissions, user accounts and equipment, important security rules, etc. When an employee leaves the company, it is good to have offboarding procedures for revoking permissions, regulating the return of any equipment such as a work computer, etc.

Internal sharing of data

Employees of a company usually share personal data with each other internally. It is important that this data sharing takes place in accordance with the GDPR. In particular, employees shall only have access to personal data to the extent necessary for the performance of their duties. In short, the company and its employees should share personal data on a ‘need to know’ basis, not a ‘good to know’ basis. This is particularly important with regard to the processing of sensitive personal data.

Obtaining and withdrawing consent

In order for consent to be valid, it must be obtained correctly. This means, among other things, that the consent must be freely and actively given, and that the data subject is informed about the processing. In addition, it should be as easy to withdraw consent as to give it. By having procedures for obtaining and withdrawing consent, the chances of this happening correctly increase.

Social media management and photography

Many companies publish personal data on social media, both relating to employees and, in some cases, to customers. Examples include a restaurant that takes pictures on its premises in which guests can be identified, or a brokerage firm that publishes profile pictures of its brokers on its website. It is important not to forget that this constitutes processing of personal data and is therefore covered by the GDPR.

Different assessments that companies may need to make in accordance with GDPR

Companies that are subject to the GDPR may need to carry out certain assessments before a particular processing of personal data is carried out. The same may apply during an ongoing processing activity that changes in such a way that it becomes appropriate to carry out the assessments. Below are examples of various assessments that companies may need to make in accordance with the GDPR.

Risk assessment prior to processing activities

Companies may need to carry out a risk assessment before they start processing personal data, in other words analyse the risks that the processing may pose to the rights and freedoms of data subjects. Companies shall carry out a risk assessment before introducing new systems or processing activities, or before using new technologies. Having carried out a risk assessment, the company has better knowledge of which appropriate technical and organisational measures it should take in order to minimise the risks.

Data Protection Impact Assessment (DPIA)

When processing involves a high risk to the rights and freedoms of data subjects, it may be necessary to carry out a Data Protection Impact Assessment (DPIA). This is regulated in more detail in Article 35 of the GDPR, and applies for example if a company processes sensitive personal data on a large scale or makes fully automated decisions. The impact assessment shall set out the risks identified by the company, as well as the safeguards taken to minimise those risks. If a high risk remains after the measures taken, the company must request a prior consultation with the national data protection authority before commencing the processing, in accordance with Article 36 of the GDPR.

Data Transfer Impact Assessment (DTIA)

If a company within the EU/EEA area transfers personal data to a third country, i.e. a country outside the EU/EEA area, it may be necessary to carry out a Data Transfer Impact Assessment (DTIA). This is mainly a question of analysing whether the recipient country has a sufficiently high level of protection.

Impact assessment of data transfers may be an appropriate additional safeguard

If the third country has an adequate level of protection according to a decision by the European Commission, the company does not need to carry out a data transfer impact assessment when transferring personal data there. However, it may be appropriate to perform one anyway, as additional safeguards may be required. The main focus of the impact assessment is to analyse the recipient country: for example, its legislation, what possibilities its authorities have to access personal data processed by companies, what legal possibilities data subjects have to protect their rights, etc.

Legitimate Interest Assessment (LIA) to determine whether the company has a legitimate interest

The Legitimate Interest Assessment is a common assessment that many companies need to make. It is required if the company relies on the legal basis “legitimate interest” under Article 6(1)(f) GDPR to support the processing of personal data. Please note that a legitimate interest may not be asserted unless a balancing of interests has been documented. It is therefore important to perform and document the balancing of interests before starting the personal data processing.

Prior consultation of the national data protection authority

If the risk to the rights and freedoms of data subjects remains high after the company has carried out a Data Protection Impact Assessment (DPIA) pursuant to Article 35 of the GDPR, the company shall request a prior consultation with the national data protection authority. This is stated in Article 36 of the GDPR. The data protection authority may then make an assessment and conclude that the processing in question is permitted or prohibited. The supervisory authority may also make recommendations as to what the company needs to do in order for the processing to be allowed. Please note that the company must carry out and document an impact assessment before requesting a prior consultation.


Third country transfers

According to the GDPR, a third country is a country outside the EU/EEA. When a company within the EU/EEA area transfers personal data to a third country, the rules are stricter than for data sharing between actors in two countries within the Union. If the third country has an adequate level of protection, the company does not need to take any additional safeguards in order to transfer personal data there. Otherwise, an example of an additional safeguard is the conclusion of standard contractual clauses (SCCs) adopted by the European Commission. Please note that only the European Commission can decide whether a third country has an adequate level of protection; this is not for the company to decide.
