A processor agreement is concluded between a controller and a processor. The controller is the company that determines the purpose and means of using the personal data. The processor is the company that ultimately carries out the processing of the personal data. If the controller outsources the processing to another company, it is obliged to conclude a processor agreement. This obligation also applies to the processor.

The processor agreement prescribes the purpose and the method of processing. The processor must follow this strictly and may not process the data in any other way or for a different purpose. The controller checks this, so a standard part of the processing agreement is the possibility of performing (annual) audits or having them performed.

One of the key points of the processing agreement is to guarantee sufficient measures with regard to the security of personal data. This can vary per case: the level of protection must be proportional to the data to be processed. These measures can be divided into technical measures and organizational measures. An example of a technical measure is the encryption of personal data. An example of an organizational measure is to give staff only limited access to personal data.

Elements of the processor agreement:
• which (type of) personal data are processed;
• how and for what purposes the personal data is processed;
• the relevant technical and organizational measures;
• to which parties the personal data can be provided and under which conditions this can be done;
• the possibility of audits;
• procedures regarding data breaches;
• the rights of the person to whom the personal data relate and how they are followed up;
• when and how the data will be deleted.