THE NETHERLANDS: Dutch SA initiates exploratory investigation into DPAs

The Dutch Supervisory Authority (Autoriteit Persoonsgegevens, “AP”) recently communicated a press release stating that it reached out to 30 organizations to request information relating to their data processing agreements (DPAs).  Organizations that have been contacted are companies in the media, energy and trade sectors.

The AP has requested, among other things, what agreements organizations have in place with third parties processing personal data on their behalf. According to the AP, these DPAs should specify how the protection and processing of personal data is regulated. A DPA must state in any case which personal data is processed, for how low, what the nature and purpose of the processing is and in which way the security of the data is guaranteed. The AP emphasizes that organizations should only engage processors that offer sufficient guarantees that they comply with GDPR.

This investigation is part of a series of exploratory investigations by the AP to assess to which extent organizations act in accordance with the GDPR. For example, last year, the AP picked out 30 companies randomly and checked whether they kept a register of processing activities under Article 30 GDPR. Based on the outcome of that assessment, the AP recently published five specific recommendations for each register of processing activities, i.e.: 1) record storage periods and also explain the purpose for which data is retained, 2) record the contact details of the controller in the processing register, 3) ensure an easy to navigate, well-organized file, 4) state where personal data are stored and include these locations or files in the register, 5) link each purpose to a specific processing activity, a list of processing operations and an enumeration of purposes by itself is insufficient.

Earlier, the AP investigated whether governmental organizations, hospitals, insurance companies and banks had appointed a data protection officer (and notified this the Dutch DPA). It turned out that all of the 138 investigated organizations passed the test.

The outcome of the current investigation on DPAs is expected later this year.

Stephanie Reinders Folmer & Richard van Schaik