Companies often rely on third parties to manage their websites, host databases, maintain their IT infrastructure, organize marketing campaigns, etc.
When the activities performed by a third party entail the processing of personal data, the third party is generally considered a data processor under Belgian data protection laws.
The Data Protection Act, which implements the Data Protection Directive (Directive 95/46/EC), provides that when a third party processes personal data on behalf of a controller (i.e. the party that determines the purposes and the means of the processing), the controller must enter into a written agreement with the third-party processor. The agreement must at least:
- stipulate that the processor shall act only on instructions from the controller;
- determine the liability of the processor to the controller; and
- lay down the technical and organizational measures to be implemented by the processor.
Even though this obligation entered into force in 2001, many data processing agreements still do not contain the statutorily required provisions.
So what does all this have to do with confidentiality agreements? Not only do many data processing agreements lack the required provisions; some suppliers are not even aware of the obligation to enter into a data processing agreement, or of what such an agreement is. When we raise the subject, suppliers often reply that they do not need one because they already have a confidentiality agreement in place, or because their terms and conditions contain a confidentiality clause. That is not correct. A confidentiality agreement is merely an agreement by which the parties undertake not to disclose certain information. It does not address the processing of personal data as such (on whose instructions the processor acts, what it may and may not do with the data, which security measures it must implement) and therefore does not contain the statutorily required clauses.
The importance of a well-drafted data processing agreement cannot be overstated: it allows the controller to set out clearly how the third-party supplier must handle its data and which organizational and security measures must be in place. The latter point matters all the more given the growing number of cyber security threats, since the controller remains responsible for the personal data even when a processor handles it on its behalf.
The forthcoming Data Protection Regulation maintains the obligation to enter into a data processing agreement and even provides for additional mandatory clauses. In particular, the agreement must oblige the processor to:
- obtain the controller's consent before engaging another (sub)processor;
- assist the controller in responding to requests from data subjects;
- make available to the controller all information necessary to demonstrate compliance with its obligations.
Finally, here are some best practices when dealing with third-party processors:
- Always enter into a written agreement with the processor.
- Ensure that the agreement contains at least the statutorily required clauses.
- Draw up a list of minimum organizational and security measures to be taken by third-party processors.
- Spell out the organizational and security measures in the agreement or an annex thereto (you can use your list) and do not merely state in general terms that the processor must put appropriate technical and organizational measures in place.
- Tailor the agreement and the technical and organizational measures to the nature and volume of activities performed by the processor.