A big part of GDPR concerns keeping track of what you do via written documentation. In previous posts, we discussed the different roles, the responsibilities they carry, and the types of legal basis under which you can process data. All of this needs to be documented by the controllers and processors, so they can actually show how and why they are processing the data.

Rutger Buijzen

Chief Technology Officer

The basis of this register is the Data Processing Agreement (DPA), a contract between a controller and a processor, or between a processor and a sub-processor. It outlines which data can be processed, in what way, and all other conditions regarding the processed data. To be fully compliant with GDPR, the DPA between a processor and a sub-processor should contain the same conditions as the DPA between the controller and the processor.

In practice, this is close to impossible in some cases, especially when dealing with larger companies. It's not very easy to ask Facebook or Google to change their DPA to be in line with the DPA you've signed with your controller. The GDPR isn't clear on how you should handle this kind of situation right now, but this will probably become clearer after a couple of months.

So what does this have to do with you?
You need to be able to identify whether you're going to process a new kind of personal data or are going to let a new third party process your data. If this is the case, you need to get it registered and approved. To make our lives easier, there are digitized registers available on the market.

Upcoming topic: we're going to look at which kinds of personal data there actually are and how you can identify them.