3. Agree on processing

If the hobby organiser uses a third party for the processing of personal data, the organiser must ensure that a written processing agreement is signed with them. Making an agreement ensures that the controller’s obligations will be fulfilled also when the personal data is being processed by a third-party processor on behalf of the hobby organiser.

Before drawing up the agreement, you should define the roles related to the processing: who is the controller and who the processor processing data on behalf of the controller. For example, a payroll clerk who calculates and pays the wages of club employees can be a processor. In this situation, the hobby organiser is the controller, since it determines who receives wages and on what grounds.

The controller can only outsource the processing of personal data to processors that have adequate safeguards in place for ensuring data security.

Example

A judo club uses a third-party IT provider’s ERP system for processing club members’ personal data. The IT provider is the processor of the personal data being processed in the system, while the judo club is the controller. The club makes a written agreement with the IT provider on the processing of personal data in the ERP system so that it can make sure that the IT provider follows the club’s data protection policies and fulfils its obligations related to the processing.

In the agreement, the controller and processor agree on how the processor must process and secure the personal data. The agreement must specify the object and duration of the processing, nature and purpose of the processing, type of personal data and groups of data subjects, as well as the controller’s obligations and rights. The processor must also ensure that its employees with access to the personal data only process it according to the controller’s instructions.

Remember

Draw up processing agreements with third-party processors who are processing personal data on the hobby organiser’s behalf.