Data processing agreement

What is a data processing agreement and when should you use it?

Under the GDPR, if a processor deals with data, then there must be a contract in place which binds the Processor and Controller.

A data processing agreement is exactly this — a legally binding document between a processor and a controller which follows the rules set out in the GDPR.

The data processing agreement covers data processing as well as the relationship between the parties.

Further, the agreement helps the parties understand their respective obligations and liabilities and should assist them in complying with the GDPR.

Take a look at our guide on the difference between a controller and a processor for a better understanding of the distinction between the two.

The data processing agreement does not need to be drafted as a new and separate document.

Instead, businesses may include a data processing agreement as an addendum or schedule to an existing commercial agreement.

If so, these documents will be referred to as a data processing addendum or data processing schedule.

Regardless of how you draft and refer to the agreement, the substance should be the same.

Our Agreement has been drafted as a separate agreement between the parties.

Under the GDPR, controllers must make sure that personal data they handle remains safe and protected.

Similarly, the GDPR requires data processors to implement technical and organisational measures which will protect consumer’s data and keep them compliant with the GDPR.

However, a controller should not simply rely on the expertise of processors to handle their users’ data since a controller may still be liable for a processor’s data breaches.

Therefore, controller’s should be careful to choose processors which have adequate measures in place to limit the likelihood of data breaches occurring.

Check out our guide on data breaches

What else might you need?

The GDPR specifies numerous provisions that must be contained in the Processor Agreement to ensure protection of data.

You can check what these provisions are here

You can also read our guide on data processing agreements to find out more about them.

Our Agreement envisages no international data transfer.

However, if data is transferred internationally to your processor or the sub-processor and the processor/subcontractor is not part of an approved privacy framework (such as any successor to the US Privacy Shield) or no other safeguard mechanism such as certification  or compliance with a code in place, then you need to put in place standard contractual clauses.