Dutch DPA Investigates the Data Processing Agreements of 30 Organizations
Time 2 Minute Read
Categories: European Union, International

On January 16, 2019, the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (the “Dutch DPA”), announced that it had requested 30 private organizations provide information about the agreements they have with other entities that process personal data on their behalf. The Dutch DPA indicated that the targeted organizations are mainly in energy, media and trade sectors.

Article 28 of the EU General Data Protection Regulation (the “GDPR”) requires data controllers enter into data processing agreements with data processors. These agreements must specify how personal data should be processed and protected. In particular, data processing agreement must stipulate the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the data controller, and how personal data should be protected by the data processor.

Since the GDPR came into force on May 25, 2018, the Dutch DPA regularly verifies whether organizations comply with its legal requirements. The Dutch DPA has previously investigated whether governmental organizations, hospitals, insurance brokers and banks had appointed a data protection officer, for example, and verified that large private organizations, as required under Article 30 of the GDPR, were keeping a record of their processing activities.

View the press release (in Dutch).

Tags: Data Controller, Data Processor, Data Protection Authority, GDPR, Netherlands
Print Email Twitter/X Linkedin Facebook

You May Also Be Interested In

Time 2 Minute Read
Data Protection Authorities Globally Highlight Privacy Issues in AI Image Generation

On February 23, 2026, a Joint Statement on AI-Generated Imagery was published by 61 data protection authorities. The Joint Statement addresses concerns regarding AI systems capable of generating realistic images and videos depicting identifiable individuals without their knowledge or consent.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 3 Minute Read
Indiana Privacy Law To Take Effect January 1, 2026

Indiana’s comprehensive consumer privacy law, the Indiana Consumer Data Protection Act, is set to take effect on January 1, 2026. In advance of the law’s effective date, the Indiana Attorney General’s Office has published a Consumer Bill of Rights that provides guidance to both consumers and businesses.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 5 Minute Read
EU Digital Omnibus Introduces a Single Reporting Point for Cybersecurity Incidents

On November 19, 2025, the European Commission unveiled the much-anticipated digital omnibus legislative package (the “Digital Omnibus”), setting the stage for a new era of digital governance and regulatory simplification across the European Union. According to the Commission, this initiative is designed to enable European businesses to devote more energy to innovation and growth, rather than navigating complex compliance landscapes.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 2 Minute Read
Council of the European Union Adopts New Rules to Boost Cross-Border GDPR Enforcement

On November 17, 2025, the Council of the European Union adopted new rules designed to strengthen cooperation among national data protection authorities, enhancing the enforcement of the EU General Data Protection Regulation.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page