- 10 Sep 2015
- Jens Harkov
Do remember to enter into data processor agreements
It is important for businesses and authorities to have the mandatory data processor agreements in place with subcontractors: this may become a focus area of the Danish Data Protection Agency's inspections this autumn.
The Danish Data Protection Agency monitors businesses and authorities to see if they comply with the Danish Data Protection Act. As part of its efforts in this regard, the Agency will carry out inspections.
The Agency recently announced its plans to carry out 30 inspections this autumn. One of many focus areas in such an inspection by the Agency may be to see if businesses and authorities have the mandatory data processor agreements in place with subcontractors such as IT service providers.
The increased focus being placed on data processor agreements is evidenced by a recent announcement, in which the Agency criticised a public authority for not having the mandatory data processor agreements in place with subcontractors. In addition, the Agency had found a number of deficiencies with regard to logging and restriction of access to personal data.
Norrbom Vinding notes
- that it follows from the Danish Data Protection Act that a data controller must conclude a written agreement with a data processor and that the agreement must stipulate that the data processor must only act on the data controller's instructions;
- that the Danish Data Protection Agency is focusing on public authorities and their compliance with the requirements of the Danish Data Protection Act and the Executive Order on security measures to protect personal data being processed for the public administration, particularly the requirement of entering into data processor agreements with subcontractors; but
- that the requirement of entering into data processor agreements with subcontractors etc. applies to private sector businesses as well as public authorities, and that this is relevant, among other things, in the context of outsourcing of IT services or other use of independent IT consultancies for the provision of services where the data controller entrusts personal data to the data processor.