In some cases, the data processing is not carried out by the data controller but is entrusted by the latter to a third party, which takes place under a written contract: data processing agreement.
What are data processing agreements? Who are its parties? Find out about the new obligations of the new Data Protection Lawin relation to the processing of data by third parties.
Law No. 19,628 v/s New Data Protection Law
Law No. 19,628 provide that the data processing agreement must be executed in writing, stating the specific conditions of the use of the data. This brief regulation is being complemented in the new law.
| Law No. 19,628 | Data Protection Bill |
|---|---|
| The data processing agreement is regulated in a general manner, which must be granted in writing and state the conditions of use of the data. Data processor (mandatario or the agent) must observe the terms and conditions of the agreement. | It is specifically regulated. Data processors (mandatario or the agent) must comply with several obligations in the processing of data and delete or return the data once the agreement terminates. |
What are data processing agreements?
The data controller may process data in two manners: (i) directly, by performing all processing activities; or (ii) through a third-party agent or data processor.
In the latter case, the third-party processor must carry out the data processing in accordance with the instructions provided by the controller, being prohibited the processing for a purpose different than the one stipulated by the controller.
The new law indicates that data processing through a third party will be governed by a contract executed between the data controller and the data processor.
Who are the parties to this data processing agreement?
The data processing agreement involves two parties. Generally, it is executed between the data controller (e.g. a company that requires to engage a provider for data processing) and the third party processor or agent (mandatario) (e.g. service provider in charge of managing a company’s data).
Data controller
A controller (responsable de datos) is any individual or legal entity, public or private, who takes the decisions on the purposes and means of the processing of personal data. Pursuant to the data processing agreement, the controller entrusts another person with the management of its data, stipulating the manner in which they should be treated.
Third-party processor
On the other hand, the third-party processor (acting as agent or tercero mandatario o encargado) is the individual or legal entity that processes personal data on behalf of the data controller. The data processor must carry out this task in accordance with the instructions of the data controller, as specified in the data processing agreement.
Key terms and conditions of the data processing agreement
According to the new law, this agreement must state: (i) the purpose of the commission, (ii) the duration, (iii) the purpose of the processing, (iii) the type of personal data processed, (iv) the categories of data subjects to whom the data pertains, among others.
The Agency shall make available to the public templates for data processing agreements on its website.
The data processor must comply with other obligations set forth in the new law, including security measures.
Finally, the new law states that upon completion of the processing service by the data processor, the data in its possession must be deleted or returned to the data controller, as applicable.