Lessons from Recent GDPR Ruling: No Retroactive Application for DPAs
by Delia Ene | Published in Resources
In a recent decision from the Belgian Data Protection Authority, it was highlighted how vital it is to have timely and clearly documented data processing agreements.
The response from the community and experts highlights the importance of a well-organised method for managing compliance documentation, which further emphasises proactive steps over reactive solutions.
Below are the main points to take away from both the ruling and experts' opinions:
Secure personal data processing agreements that are signed and dated in line with contract dates
This is a practice that might not be as widespread as previously believed. The implied warning serves as a reminder that taking a proactive approach is essential and highlights the significance of keeping detailed records.
Adopt structured compliance practices
Privacy professionals clearly need a methodical way of identifying and managing necessary documents. This discourages the risky dependence on random discoveries during critical moments.
It’s therefore important to have an organized system to track essential compliance documents.
Take action with suppliers
Another point is that privacy professionals and their legal counterparts urgently need to assess and verify current agreements with suppliers. One solution is to add chapters about data processing and - if anything is missing - at least sign addendums to include important clauses later on, which would improve compliance in the future.
Regularly review agreements
As with many things in compliance, data processing agreements are not a “set and forget” matter. Regularly review agreements and conduct thorough checks with data processors. This focus on careful monitoring is meant to guarantee continued adherence to the agreed-upon GDPR (or other regulations) terms, thereby ensuring a strong system of compliance.
This case is a strong reminder that data processing agreements should be strict and well-documented. It emphasises the need for proactive and comprehensive compliance management within the GDPR framework.
More info
- The decision of the Belgian authority (in French)
- Expert analysis by Pinsent Masons
