A data processing agreement (DPA) does not apply to eHerkenning.
eHerkenning providers, such as Digidentity, act as independent data controllers within the meaning of the General Data Protection Regulation (GDPR).
Why is no data processing agreement required?
A data processing agreement is only required when one party processes personal data on behalf of another organisation. This is not the case for eHerkenning.
This is because eHerkenning providers:
- Determine the purpose and means themselves
  For example, for identity verification, authentication, and security.
- Operate based on legal obligations
  Providers must comply with strict rules within the eHerkenning framework.
- Do not act solely on behalf of your organisation
  Personal data is processed as part of their own independent role.
What does this mean for your organisation?
This means that both your organisation and the eHerkenning provider have their own separate responsibilities for processing personal data, each for their respective part of the service.
For more information on how Digidentity processes personal data, please refer to our privacy statement and terms and conditions.