The requirements of the data protection regulation for the content of data processor agreements are essentially more comprehensive than the requirements of the present Personal Data Act. The Data Protection Agency has prepared a template data processor agreement fulfilling the minimum requirements of the regulation and an accompanying text explaining how to use the template. You will find a link to the template and the accompanying text below.
Before concluding a data processor agreement, you should carefully consider whether an agreement is required at all. For instance, if personal data are being transferred from one data controller to another data controller, you are not required to conclude a data processor agreement. Instead, such transfer must be subject to a separate processing authority. In November 2017, the Data Protection Agency published guidelines concerning data controllers and data processors. The guidelines list a number of factors and principles, including practical examples, which may be useful when assessing the need for a data processor agreement.
The data protection regulation will come into force on 25 May 2018. It is our experience that it may take some time to conclude the required data processor agreements that fulfil the requirements of the regulation. Companies, authorities and other organisations should therefore start their preparations to ensure that they are ready for 25 May 2018. We would be pleased to assist you with an assessment of your needs and the drafting of a data processor agreement.