Personal data processing agreement
FORMAL ANSWER
A controller may use a processor to process personal data on its behalf under a written contract. The processor may process data only within the scope and for the purpose provided for in the agreement. It must also meet the data processing security requirements and bears the same responsibility for security as the controller.
PRACTICAL ANSWER
The most common example of processing agreements is entrusting data held on a hosting server, i.e. with providers of virtual disk space, and less often with organisers of competitions, conferences or training. There are no restrictions on the category of entity with which a processing agreement may be concluded, so companies offering personal data outsourcing also fall into this category. Unfortunately, the organisation does not shed responsibility for personal data, as it remains the controller and is still accountable for them.
MORE:
- You can download a sample processing agreement from our article: Personal data processing agreement compliant with the GDPR (update)


