This fall, the Belgian data protection authority issued a decision reinforcing the importance of having data processing agreements in place at the time of any data transfer or processing. The decision declared retroactive data processing agreements invalid and insufficient for GDPR compliance.

The decision resulted from a complaint filed in September 2020 by a man (whose identity was kept anonymous) who received a parking fine from a public authority. The man learned that a third-party service provider was processing his personal data to establish and collect the fee, and that there was no data processing agreement between the public authority and the third-party service provider at the time the penalty was issued. However, several months later, the public authority and the third-party service provider executed a data processing agreement with a retroactive date to the effective date of the GDPR on May 25, 2018 – years before the issuance of the parking fine.

On May 11, 2023, the Inspection Service of the Belgian data protection authority found that the public authority, as the data controller, and the service provider, as the data processor, were in breach of Article 28.3 of the GDPR because no data processing agreement was in place at the time of the personal data processing. Article 28.3 states that “[p]rocessing by a processor shall be governed by a contract . . . that is binding on the process with regard to the controller and [] sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.” The Article also delineates specific contractual provisions that should be contained in data processing agreements, including that processors process personal data only on documented instructions from controllers, that processors have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, that processors delete or return all personal data after the end of the provision of services, and more.

The Litigation Chamber of the Belgian data protection authority issued its decision on September 29, 2023, upholding the Inspection Service finding that the public authority and third-party service provider had violated Article 28.3 of the GDPR. The Chamber’s decision that both controllers and processors are responsible for ensuring a compliant data processing agreement is in place, and that both entities can be fined for a failure to do so, is a particularly significant finding for third-party service providers who often rely on their customers to address data protection requirements. In addition, the Chamber found that retroactive clauses meant to capture past processing activities are not sufficient to guarantee the rights and freedoms of data subjects.

The Belgian data protection authority’s decision reiterates and reemphasizes the importance of data processing agreements to business arrangements that contemplate the transfer or processing of personal data, whether a business is engaging a vendor or acting as one. Every business entity should perform its due diligence to determine whether a data processing agreement is appropriate for its business relationships and, if applicable, that any such agreement complies with GDPR requirements.

The earlier a business addresses a data processing agreement requirement, the better. Waiting could create additional risks for data processed by a third party while no agreement is in place.

The Constangy Cyber Team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address these complex and evolving developments. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.