Penrose law firm in Amsterdam

Privacy statements, processing agreements and cookies


Welcome to Penrose Privacy statements

Penrose specialises in Dutch and EU privacy laws. We prepare and draft Dutch law privacy agreements, cookie statements and privacy policies for websites and for broader corporate purposes. We also assist Dutch companies and their international stakeholders with internal and external audits and privacy compliance procedures. Please read more about this in the section hereafter.


The GDPR primarily imposes rules on the organisation identified as the data controller. This organisation establishes the purpose and means for processing the personal data. In other words, it is the organisation that determines what is going to happen to the personal data and how.

However, establishing whether an organisation is a controller or a processor is not always straightforward. When you instruct another party to process personal data, it does not necessarily mean that the other party is a ‘processor’ simply because the processing is carried out on your behalf. It is also possible for the other party to obtain personal data from a controller so that the other party can provide a product or service to the data subject to whom the data belongs. In this case, the other party is a joint controller, because the other party itself establishes the purpose and means of processing the personal data.

If you are the one who decides what will happen with the personal data and how, there is a data controller – processor relationship. This could include, for example, having the personnel and payroll administration carried out by another party, or outsourcing the organisation’s IT environment.

When making use of data processors, certain arrangements need to be set out in writing in a ‘data processing agreement’.

A privacy statement can be used to inform website visitors, app users and other users or buyers of products or services about how an organisation processes the personal data relating to them.

A privacy statement must include at least the following:

  • the contact details of your organisation (identification of the controller);
  • the purposes for which the personal data has been collected and processed;
  • whether the data is shared with third parties and/or with countries or companies outside of the EU;
  • the rights of the data subjects (e.g. right to access, to rectification, to be forgotten, to object).

Penrose’s privacy lawyers can advise you specifically on how to draw up and implement a privacy statement.

If you as an organisation engage another party to process personal data on your behalf, the GDPR requires that arrangements in this respect are made in writing in the form of a ‘data processing agreement’. This is required, for example, when an organisation outsources its payroll administration or certain IT facilities.

What should a data processing agreement contain?

The data processing agreement sets out how the third party (the ‘processor’) should deal with the personal data of the organisation (the ‘controller’). It must at least state:

  • what types of personal data are being processed and for how long;
  • the nature and purpose of the processing;
  • the technical and organisational measures to protect the security of the personal data.

The data processing agreement also often covers:

  • the processor’s obligations, such as (i) processing only in accordance with the controller’s instructions, (ii) confidentiality, (iii) responsibility when engaging third parties (‘sub-processors’), (iv) cooperation so that the controller can comply with legal obligations, e.g. in the event of data breaches, when data subjects exercise their privacy rights, or when performing a data protection impact assessment (DPIA);
  • the right of the controller to audit whether the processor is acting in compliance with the data processing

If your organisation uses ‘cookies’, beacons, pixels or other technologies on its website, mobile website or application, you will have to inform the user or visitor thereof. Cookies are small text files stored on a computer or tablet when the user visits a website, mobile website or application.

Some cookies, such as third-party tracking cookies, may only be placed after the user or visitor has given consent to do so. The GDPR explicitly states that cookies fall within the scope of the GDPR because cookies can be (indirectly) used to identify individual persons. This means that consent must be obtained in accordance with the rules of the GDPR. A cookie statement allows organisations to inform visitors about which cookies are used, for which purposes and for how long they are valid.

Penrose employs lawyers specialised in privacy statements, data processing agreements and cookie statements, who are pleased to assist you and answer your questions. The contact details of our privacy specialist are given here.

Our Privacy
Chantal Bakermans
Attorney at law, Partner