My consultancy will be collecting data from organizations. The data will be kept in Google Cloud, which complies with GDPR regulations. We are using 3rd-party software to process the data and in the future we want to anonymize this data to ensure that we can keep building models on top of it. With that being said, do we need to send a GDPR agreement to the organizations we are collecting data from? Or is this not necessary if an agreement since we will be collecting this information?
You’ll need to enter into a data processing agreement (DPA) with your clients for the processing activities of personal data where you act as a processor, i.e. for the activities that you carry out on behalf of your client. The DPA needs to be in line with Art. 28 GDPR.
When you act as a processor for a certain processing activity, it does not matter if you or the controller collect the personal data – you are still the processor and carry those activities out as defined in the DPA.
If you carry out processing activities that are not in line with the DPA and the instructions of the controller (i.e. you decide the means and purposes of the processing), you act as a controller for the data. This may be problematic since you need to comply with obligations for controllers under GDPR.
Henk van Leussen
And what exactly is your question?