Training company: data processing agreement?
ANSWER
Two basic models are distinguished for organising employee training in cooperation with external companies: closed and open.

Closed training consists of a training provider sending a trainer to train a specific group of persons designated by the employer. In such a situation, the employer, as controller of the data of the persons it employs, determines the purpose (which is to train employees) and the means of processing their personal data, including by choosing the company that is to conduct the training. The employer, i.e. the data controller, discloses (that is, entrusts) its employees' data to the training company as processor, so that the company processes them on behalf of the employer and in accordance with its instructions. This relationship should be regulated by a data processing agreement containing the elements indicated in Article 28 GDPR.

Open training, by contrast, is training organised entirely by an external entity. Such training is not dedicated to the employees of only one company, and essentially anyone may register. Data are then most often collected directly from the employee or with limited involvement of the employer (for example: the employer, paying for training for a few of its employees, gives the training company the number of participants and, by necessity, their place of employment, while all data necessary to obtain a certificate are provided by the employees themselves). All organisational matters then lie with the training company, including decisions on which personal data of participants to process, how to store them, to whom to disclose them, and when to delete them. In this model, the training company will be a separate controller of the training participants' data.

In summary, if an entity passes to another entity all personal data of employees necessary to conduct training, and this is so-called closed training dedicated only to specified employees of a given entity, a data processing agreement should be concluded.


