Voting is now open!
Members, make your selections in the annual (ISC)² Board of Directors election. Vote Now! Voting is open until Sept. 22.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Newcomer II

Dataprocessing agreeements

I have been in touch with my consultancy agency. Their legal counsel has instructed them to establish dataprocessing agreements between the agency and their consultants - all freelancers with own business registrations.

One of the Agencys clients has asked for a dataprocessing agreement, and this has fueled the discussion.

I do not find any use or legal background for this. There is no chain, as the agency does not process any data, or transport data other than the contact information. The consultant may have access to PII, but under the security regime of the client, working on an NDA?

They even talk about ISAE3402 for all businesses connected to the agency as consultants. This will be quite costly having x hundred individuals paying for an ISAE.

What's your take on that?


Compliance and InfoSec Consultant
1 Reply
Newcomer I

Re: Dataprocessing agreeements

My thoughts.


if you are contracted directly with the end client not via the agency then the data protection clauses should be in there so yes what is being asked for is not necessary.


If the agency handles the contract then you are effectively a third party to the agency.  Under the GDPR they would then need to ensure you are contracted with them to have the same data protection security requirements as they would be contracted to deliver.


hope this helps.