GDPR agreement

We have a model GDPR agreement of the legally required written agreements, available for download, which the 'controller' has to make with the 'processor' who processes personal data before the controller. The obligations resulting from the General Data Protection Regulation (GDPR) are incorporated herein.


Controller and processor

In the privacy regulations, such as the Personal Data Protection Act (Wbp), a distinction is made between responsible. and a processor. The controller is the one who determines the purpose of and the means of processing personal data and the processor is the one who determines the purpose of and the means of processing personal data. processed on behalf of the data controller without being subject to his direct authority.

Each organization processes personal data for its own purposes (such as volunteers, members, etc). The organization is responsible for this processing. As a service provider for third parties If this service provider processes personal data, such as Deployment Schedule, then this service provider shall be deemed to be the processor vis-à-vis the principal for these processing operations.

The responsible party must comply with all privacy regulations. In particular, the processor must comply with the (written) instructions. of the data controller and may not use the personal data for its own purposes.

Legal obligation

If an organization outsources work in which personal data is processed by the service provider, such as in Deployment Schedule, the following will apply the outsourcing organization must conclude a GDPR agreement with the service provider. This obligation arises from Section 14 subsections 2 and 3 of the Wbp. The Dutch Data Protection Authority (or College Bescherming Persoonsgegevens) has indicated in Chapter 4.2 of the CPVO Guidelines on the Security of Personal Data that which agreements should in any case be included in a processor's contract. These agreements are incorporated in this model contract.

General Data Protection Regulation (GDPR)

The gdpr was adopted in May 2016 and has applied since 25 May 2018. From now on, all organizations must comply with the provisions of the GDPR External link. Article 28 paragraph 3 GDPR contains the agreements which must in any case be laid down in a written agreement between a responsible party and the processor.

Principles for this model

This model is based on the inclusion of appendices in which the specific agreements between the parties have to be filled in. The model is written from the perspective of the processor, taking into account the requirements that the person responsible must meet.

GDPR agreement available for download

As an administrator you can download a GDPR agreement which you can find on the management page page under the heading 'documentation'.