12 Oct 2023, 3:24 pm
A recent ruling by Belgium’s data protection authority has highlighted the importance of having data processing agreements in place to govern data processing arrangements from the point they take effect, an expert has said.
Andre Walter, who specialises in data protection law at Pinsent Masons, was commenting after the Belgian authority ruled that the absence of a data processing agreement cannot be remedied under the EU General Data Protection Regulation (GDPR) by inserting a data processing agreement into a contract and providing for it to apply retrospectively.
The Belgian authority confirmed the position in a case in which a man complained about the lack of a data processing agreement being put in place between a municipality in Belgium and a third-party Brussels-based computer engineering company the municipality had engaged. The company had processed his data in connection with the payment of parking fees.
Though the data processing was outsourced, no data processing agreement was in place at the time the man’s data was processed. The municipality had agreed the outsourcing arrangements with the company in late 2016, but the data processing agreement was only concluded on 27 July 2020 – after the man’s data had been processed in May of that year.
The Belgian data protection authority said that, to conform with the requirements of the GDPR, the data processing agreement should have been in place no later than 24 May 2018 – the day before the legislation took effect, which itself was two years after it entered into force. An important purpose of a data processing agreement is to provide a contractual framework to safeguard the rights of data subjects under data protection law, though data subjects themselves are not parties to the contract. In this context, the Belgian authority considered that the municipality and computer engineering company could not just decide to retrospectively apply the data processing agreement from 27 July 2020, so that it applied to processing that took place prior to that date – including the complained of processing in this case – on their own.
Frederik Harms, a contract law specialist at Pinsent Masons, said: “It is sound from a contract law perspective for parties to agree to have the terms of a contract apply retrospectively. However, this does not have the effect that the contract was actually in place between parties before its conclusion. As such, this decision is a valuable reminder for any party that contracts from a compliance perspective, whether from the perspective of data protection or tax, for example.”
“From this decision, however, it does not necessarily follow that an executed data processing agreement needs to be in place. At least from a Dutch law perspective, there is no legal difference between a contract or agreement, and there is no requirement that these should be in writing or even need to be executed. As such, in the circumstances that parties did share final documents and can prove another’s acceptance to the terms as per a certain date, then parties may arguably still invoke the validity thereof,” he said.
In an important warning to all businesses that put in place data processing agreements – whether in the role as controller or processor under the GDPR – the Belgian authority said it was the responsibility of both the municipality as controller, and the computer engineering company as processor, to ensure the written data processing agreement was in place at the material time. Both the municipality and the company were reprimanded for breaching the GDPR’s requirements in relation to data processing agreements, as well as for breaching other requirements regarding the disclosure of information pertaining to data processing to data subjects.
Walter said the case provides a valuable lesson to all organisations subject to either the EU or UK GDPR.
“While processors have considerably fewer obligations than controllers under the GDPR, they do share the same responsibility for ensuring that data processing agreements are entered into before the data processing arrangements take effect – including, where relevant, in any sub-processing contracts,” Walter said. “The GDPR is clear that any person acting under the authority of the processor, who has access to personal data, shall not process those data except on instructions from the controller in command.”
“Processors face further obligations too, including a requirement to maintain a record of all categories of processing they carry out on behalf of a controller. They must further operate an information security policy that describes and implements technical and organisational measures that enable them to ensure a level of data security appropriate to the risk, and notify the controller without undue delay when becoming aware of a personal data breach,” he said.
“In some cases, processors can also be obliged to designate a data protection officer, comply with rules governing the international transfer of personal data, and cooperate with data protection authorities in the performance of their tasks,” Walter said.