Under the GDPR, if a processor deals with data, then there must be a contract in place which binds the processor and controller.
A data processing agreement is exactly this — a legally binding document between a processor and a controller which follows the rules set out in the GDPR.
The data processing agreement covers data processing as well as the relationship between the parties.
Further, the agreement helps the parties understand their respective obligations and liabilities and should assist them in complying with the GDPR.
The data processing agreement does not need to be drafted as a new and separate document.
Instead, businesses may include a data processing agreement as an addendum or schedule to an existing commercial agreement.
If so, these documents will be referred to as a data processing addendum or data processing schedule. Regardless of how you draft and refer to the agreement, the substance should be the same.
Under the GDPR, controllers must make sure that personal data they handle remains safe and protected.
Similarly, the GDPR requires data processors to implement technical and organisational measures which will protect consumers’ data and keep the processors compliant with the GDPR.
It is a legal requirement under the GDPR for controllers and processors to have an agreement in place.
However, a controller should not simply rely on the expertise of processors to handle their users’ data since a controller may still be liable for a processor’s data breaches.
Therefore, controllers should be careful to choose processors which have adequate measures in place to limit the likelihood of data breaches occurring.
Within Ireland, there are a number of steps you must take to respond to a data breach.
This includes:
The data processing agreement should bind the processor to the controller and include essential information such as the:
The data processing agreement should also specify the processor’s obligations, and in particular should set out that the processor:
You can find our data processing agreement template here
If your business collects or processes personal data and you fall under the scope of the GDPR, you will be considered either a ‘controller’ or a ‘processor’.
The GDPR requires a processor to be bound to a controller through a data processing agreement.
This agreement should set out the relationship between the parties and how the data should be processed. A controller should also be aware that they may be liable for a processor’s data breaches.
Consequently, a controller should endeavour to be aware of the processor’s data processes and their level of organisation.