A security company processes contact data of the controller's employees who are authorised to respond to an alarm. Does this type of cooperation require a data processing agreement? The company does not provide video monitoring services; it only responds to an alarm signal.

ANSWER

First, it should be noted that an employee's personal data — i.e. name and surname, job title, business telephone number or business email address — are personal data strictly related to their professional role. They are not treated as private personal data. The employer may therefore pass such personal data to its clients or contractors for contact purposes, and may publish such data on its website, etc.

When passing such employee contact data to a security company that provides services for the controller, there is no need to conclude a data processing agreement for those data. It is however recommended to specify the employees' contact data in the main agreement itself, with an obligation on the security company to maintain confidentiality.

The security company, for its part, should towards the controller's employees fulfil the information obligation under Article 14 GDPR, i.e. indicating the source from which the data originate, while the controller should in the information clause for those employees include the security company as a recipient of data under Article 13(1)(e) GDPR.

If however the employee's contact data do not constitute business data — e.g. a private telephone number is passed, and not a business one — then in that respect it will be necessary to regulate the disclosure in a data processing agreement.