Amsterdam University of Applied Sciences

Processing agreement

The GDPR stipulates that if the AUAS contracts an external party to process personal data, the processing carried out by this processor must be governed by an agreement or otherwise binding legal act. Under the Dutch Personal Data Protection Act (Wet Bescherming Persoonsgegevens), this agreement was also called a processing agreement.

A processing agreement should at minimum specify the following:

  • the subject matter and duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data and the categories of data subjects;
  • the rights and obligations of the controller.

The agreement should additionally stipulate that the processor:

  • will only process the personal data according to your documented instructions, including with regard to transfers of personal data to a third country or an international organisation (unless the processor is legally required to do so);
  • will ensure that access to the data is restricted to authorised persons. These persons must have committed themselves to confidentiality on the basis of an agreement or a statutory obligation;
  • will apply at least the same level of security for the personal data as you do;
  • will assist you, insofar as possible, in ensuring compliance with your obligation to respond to requests from data subjects wishing to exercise their rights;
  • will assist you in ensuring compliance with your obligations relating to personal data security and the requirement to report data breaches;
  • will delete or return to you all the personal data processed on your behalf after the agreement between you and the processor has ended, and will delete existing copies of such data;
  • will make available to you all information necessary to demonstrate compliance with the obligations laid down in the GDPR concerning the use of a processor and to allow for audits;
  • will make agreements with respect to sub-processors.

The AUAS has a model processing agreement (only in Dutch) which you can use. This model includes all required elements. Some parts must still be filled in, namely the information that is specific to the processing activity.

You can determine the power to sign as follows:

  • If the processing agreement is part of another agreement (e.g. a cooperation agreement in a consortium), those who have signed the other agreement may also sign the processing agreement.
  • If it is a stand-alone processing agreement, you can consult the Authorisation Regulations ('Procuratieregeling', only in Dutch). See especially the table at the back for a quick general overview of authorisations.

If a third party provides you with a processing agreement, you can review it using the Processing agreement checklist (only in Dutch).

If you have any questions or would like assistance in concluding a processing agreement, please contact Legal Affairs.

Whenever you conclude a processing agreement with a third party, it must be recorded in the Privacy Perfect register of processing activities. Send a scan of the signed processing agreement to: fb-privacyperfect@hva.nl.

Published by Legal Affairs, 10 March 2021