An important distinction is made between privacy policies and data processing agreements. Privacy
policies ensure data transparency towards data subjects and are very important in practice, as they
tell people what you are going to be doing with their data. The GDPR encourages you to use plain
language that actual people will understand, so try to avoid jargon and be as brief as possible. Data
processing agreements are contracts that are principally concluded between controller and
processor, so in a business-to-business context, applying to:
I. Controller to controller agreements, where you are transferring data from one organization to
another, but each is processing the data for its own purposes and by its own means.
II. Controller to processor agreements, where as a company you are using a service provider to
process the data for your own benefit and on your own instructions.
In data processing agreements, a lot more work has to be done and more attention is paid to
details.
Drafting a data protection clause
You are going to hand over data to an external hosting (analytics) company. They will take a look at it
and hand it back to you so that you have a better understanding of the market. A written
agreement on the how and why of the processing needs to be drafted before the processing is done.
The learning stage makes clear that you should not start negotiating if you do not yet have all the answers to the
questions. Do not say that you have your template and start working on that already, figuring out
what the issues are later on. Stop for a moment and check whether you have all the vital
information. Always ask for data and not for personal data, to prevent the discussion on what
personal data is. Where is the data located, where did it come from and where will it be transferred
to? Who can access the data, who is using it right now, who will in the future, what will they be doing
with it, for which purposes, and how will it be stored?
In the drafting of the agreement stage there is essential information that needs to be contractually
fixed to know how the work will be organized. Clarify who is acting as a controller, whether there is a
processor, whether there is a co-controllership, and how responsibilities are allocated.
The security measures to protect data against breaches and incidents need to be firmly fixed.
Moreover, you need to put the necessary implementation instruments in place, such as whether a DPO
will be appointed, how data breaches will be addressed, and which controls are implemented to
ensure that staff are appropriately trained.
The evaluating stage entails making sure that the final agreements and relevant
documents are properly documented, so that you can find them again in case of an incident. There
need to be procedures to make sure that incidents can be identified, and a system needs to be in
place to deal with questions that people might come across. They need to know where to find you,
otherwise they will operate on their own instincts, which will not turn out positively in practice.
Finally, sanctions need to be included in case the contract is breached.
Law: the rules and what they really mean in practice
The notion of personal data as laid down in the law seems very obvious, but in practice it hardly ever is
like that. Cases will revolve around the notion, and you will get cases in which it is very unclear whether
something is personal data or not. For example, when trying to anonymize data, people often
remove the most obvious links and assume that it’s sufficient. They do so as then they don’t need to