On January 16, 2019, the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (the “Dutch DPA”), announced that it had requested that 30 private organizations provide information about the agreements they have with other entities that process personal data on their behalf. The Dutch DPA indicated that the targeted organizations are mainly in the energy, media and trade sectors.
Article 28 of the EU General Data Protection Regulation (the “GDPR”) requires data controllers to enter into data processing agreements with data processors. These agreements must specify how personal data should be processed and protected. In particular, a data processing agreement must stipulate the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the data controller, and how personal data should be protected by the data processor.
Since the GDPR came into force on May 25, 2018, the Dutch DPA has regularly verified whether organizations comply with its legal requirements. For example, the Dutch DPA has previously investigated whether governmental organizations, hospitals, insurance brokers and banks had appointed a data protection officer, and verified that large private organizations were keeping a record of their processing activities, as required under Article 30 of the GDPR.