I have been in touch with my consultancy agency. Their legal counsel has instructed them to establish data processing agreements between the agency and their consultants - all freelancers with their own business registrations.
One of the agency's clients has asked for a data processing agreement, and this has fueled the discussion.
I do not find any use or legal background for this. There is no chain, as the agency does not process any data, or transport data other than the contact information. The consultant may have access to PII, but under the security regime of the client, working on an NDA?
They even talk about ISAE 3402 for all businesses connected to the agency as consultants. This will be quite costly, having x hundred individuals paying for an ISAE audit.
What's your take on that?
Compliance and InfoSec Consultant