AVG, GDPR, Wbp: do these terms sound familiar to you? As of 25 May 2018, or actually already now, the new privacy legislation should be familiar territory for you. Still need some help? In this blog we explain more about the new AVG legislation and the purpose of an AVG processor agreement. Wondering if you need such an agreement for your organization? Then read on.
Let’s refresh your memory first. As of 25 May 2018 the Algemene Verordening Gegevensbescherming (AVG) comes into effect. The AVG is also known under its English name: General Data Protection Regulation (GDPR). The current Dutch Personal Data Protection Act (Wbp) will no longer apply and will be replaced by a Dutch AVG implementing act.
Previously, every Member State in the European Union (EU) had its own privacy legislation. These national laws are based on privacy guidelines that date back to 1995. Back then the World Wide Web was still in its infancy (remember: dialing in with a modem, a nagging mother next to you because she could not make a call, and AltaVista). We do not have to tell anyone that a lot has changed on the internet since then. The current regulations are no longer sufficient, and that is why the AVG comes into effect.
New Privacy Legislation
What will change for me under the new privacy act, we hear you think?
- In the AVG legislation, privacy rights are strengthened and extended. We gain more control and protection of personal data in this digital age. Two important new rights include:
1. Right to be forgotten; people are given the right to be ‘forgotten’ online.
2. Right to data portability; people are given the right to transfer personal data.
- According to the AVG law, organizations that process personal data also have more responsibilities. For example, organizations have an obligation to provide information, which means that they must clearly inform their customers about why they collect the personal data and what they do with it, for instance through an online privacy statement.
- Finally, European privacy regulators have the authority to impose fines of up to 20 million euros.
In short, complying with the AVG privacy law takes quite some effort, because as of May 25, 2018, your entire business operations must be adjusted to the AVG. It therefore forces you to think carefully about how to deal with people’s data. How do you process and protect it? And do you comply with the AVG rules? Be aware and prepare for a lot of red tape!
Have you already thought about a processing agreement for your organization, for example?
AVG processor agreement
If your organization outsources the processing of personal data to a third party, then according to the GDPR legislation a processor agreement must be drawn up. The processor agreement must explicitly describe the exact agreements between the controller (you) and a processor (the third party). If this is not recorded correctly, both parties risk a hefty fine and the processor is liable for any possible damage that may occur. Of course you want to avoid this at all times.
What is in a processor agreement?
The processor agreement must, inter alia, specify the following matters:
- The subject of processing;
- The duration of processing;
- The nature of processing;
- The purpose of processing;
- The type of personal data that is stored;
- The way in which a data breach is to be handled;
- More information about the rights and obligations of the controller.
The processor agreement must also state that the processor does not use the personal data for other purposes. Other important points are that the processor:
- observes strict confidentiality,
- directly deletes or returns the personal data after the processing services have ended,
- helps to comply with requests from data subjects when it comes to their privacy rights. The processor will therefore have to be able to comply with requests such as the right to inspect, correct, forget and postpone data.
A processor agreement must be drawn up in, among others, the following situations:
- If a third party arranges the hosting of your website;
- If a third party has access to the back-end of your website;
- If you outsource your personnel administration;
- If a cloud service provider stores your customer data.
The difference between a bewerkersovereenkomst and a verwerkersovereenkomst
There is some ambiguity about the difference between a bewerkersovereenkomst and a verwerkersovereenkomst (processor agreement). The difference is that the bewerkersovereenkomst was previously used under the Personal Data Protection Act (Wbp). With the arrival of the new AVG legislation, both the content and the name of this document have been supplemented and adapted! So since 25 May 2018 we no longer speak of a bewerkersovereenkomst, but of a verwerkersovereenkomst. You therefore cannot get away with simply keeping your old bewerkersovereenkomst or giving it a new name.
Support for the introduction of the AVG in your organization?
Hopefully you have already gained some insight into the new GDPR legislation through this blog. We can well imagine that the introduction of these regulations is a lot to take in and that you sometimes can no longer see the forest for the trees. No worries! The Red Banana AVG team is happy to help you with this. On the basis of our AVG step-by-step plan, we go through from A to Z what needs to be done to introduce the AVG in your organization in the right way, and we give you tailored advice! We can also offer support when drafting a processor agreement. In collaboration with our partner Asselbergs and Klinkhamer Advocaten, we ensure that your organization meets the new AVG accurately and that you do not end up with unexpected surprises!
This article was written in collaboration with Red Banana. If you want to know more about this, please contact us.