Data governanceAgreeing on how to process data

At Schiphol we value a clear and transparent policy that details how we handle personal information. The General Data Protection Regulation (GDPR) requires a written agreement before any personal data can be shared between parties.

The data processing agreement is a legal agreement that sets the terms for how personal data will be processed.

It outlines:

• subject matter and duration of the processing;

• nature and purpose of the processing;

• type of personal data to be processed;

• categories of data subjects;

• rights and obligations of the controller.

• The purpose of the processing The processor agreement makes clear what purpose the processing of the personal data has.

• Method of processing The responsible party (not the processing party) must clearly state how the processing must take place. This prevents an external party from processing personal data in a way that has not been agreed upon by the parties involved.

• Confidentiality The processor must keep confidential any sensitive data that it receives. The processor agreement therefore usually contains a confidentiality statement. The processing party hereby declares that it does not disclose personal information, or provide it, to others.

• Agreements concerning possible subcontractors If an external processor outsources some of the activities to another party, clear agreements must be made.

• Security measures All parties agree and detail which security measures are taken. This ensures that data will not be exchanged with parties outside of the agreement.

• Duration of processing The processor agreement must provide clarity about the duration of the processing. In other words: when does the processing end and when should personal data be deleted?