Data processing agreements required: Does your company know the data processing guidelines used by your IT supplier, business partners and others you exchange data with?
Most companies use an external IT supplier or business partner with whom they exchange data. However, the company remains responsible for the data and therefore has certain obligations under the Act on Processing of Personal Data. Significant attention should be paid to the IT supply agreements. Among other things, there has to be a data processing agreement, and the company is obligated to monitor security at the supplier it uses.
The Danish Data Protection Agency is once again focusing on missing data processing agreements, and has initiated lawsuits against Brøndby Kommune and Glostrup Kommune after the media revealed that they didn't have any data processing agreements with the external suppliers to the municipalities' job centers, and that they didn't monitor security at the sub-suppliers used.
Comments from Labora Legal:
Labora Legal notes that it is important to be in control of the data. This includes knowing where the data flows to and where it is stored. One of the most important steps in securing the data is to have a solid contractual basis; IT security and personal data must not be compromised. A company can have many data processors, sometimes in several links. This makes it all the more necessary to have clear agreements with the data processors and simple control processes covering the use of sub-suppliers, requirements regarding information on IT security breaches, deletion after expiry of the agreement, and other requirements for good data processing.
Labora Legal recommends that companies examine, first, whether the necessary data processing agreements are in place with IT suppliers etc., and second, whether the contents of the agreements comply with the requirements in the Act on Processing of Personal Data. Other collaborations should also be examined: whether data flows to the business partner, to what extent this is necessary, and whether these data are secured by agreement.