Sample GDPR Data Processing Agreement Template


Whether you're a data controller, a data processor, or both, it's important to understand data processing agreements and have them in place when need be.

These contracts ensure that all parties involved are properly handling personal data, primarily laying down requirements for data processors to meet before they are trusted with the data provided by the data controller.

If you don't know already, under the GDPR a data controller is essentially the owner of the personal data in question. The data controller likely collected the data and determined how and why it will be processed. Data controllers often utilize data processors to assist them with a variety of tasks.

In order to ensure that the data processor handles the data controller's data properly, a data processing agreement is drawn up.

The GDPR actually requires data controllers to have adequate data processing agreements in place whenever they utilize a data processor, though even before the GDPR these contracts were vital to protecting data controllers and their data subjects.

The GDPR sets some guidelines for what must be included in a data processing agreement, which we will discuss later in this article.

Do I need a data processing agreement?

If you are asking this question, then you probably do.

Essentially, if you share personal information with a data processor in order to carry out a task, you should have an agreement in place with that data processor.

Some large data processors will have contracts that they use with all of their clients that could be adequate for this purpose, but it would be wise to ensure that this contract protects you from your point of view and is not simply for the benefit of the data processor. Doing this could leave you vulnerable in certain situations.

The GDPR sets the groundwork for minimal requirements that should be included in every data processing agreement. These requirements are geared primarily toward ensuring that data subjects are protected by a system of checks and balances between the data controller and data processor, but these guidelines also offer several layers of protection for all parties involved.

While a data processing agreement may seem like it is intended to protect the data controller from legal issues if a data processor mishandles their data, it actually does much more than that.

Like any contract, a data processing agreement seeks to ensure that all parties are acting appropriately and holding up their end of the deal.

While this does reduce the culpability of the data controller in the event that the data processor mishandles data, the contract also requires that the data controller does their due diligence to ensure that the processor they are using is credible and capable.

This prevents data controllers from using a data processor who is fast and loose with the rules, as the contract requires the data processor to meet certain requirements and for the data controller to do their part in ensuring that those requirements are met.

Here's an excerpt from Article 28 that deals with the data processor requirements:

GDPR Article 28: Section 1: Data processor requirements

This balance gives each party some level of accountability for the other short of activity that occurs without the other having any knowledge of it.

While a data processing agreement certainly won't prevent all breaches of compliance by data processors, it sets firm rules for how data should be handled and gives the data controller some responsibility in making sure that those rules are followed.

What should be included in a data processing agreement?

Articles 28 through 36 of the GDPR cover the requirements for data processing and data processing agreements. This is quite a large amount of information, but let's break it down into more manageable terms that you can apply to your business.

Your DPA should cover these topics and work to enforce the following standards.

Article 28 lays down the ground rules for processors under the GDPR.

GDPR Article 28: Section 3: data processor

This Article makes it clear that data processors can only process data in the way the data controller has instructed, unless some specific exceptions apply.

Article 29 states that data should only ever be processed by instructions from the data controller. Essentially the data controller is the owner of that data and responsible for it, so no entity should ever process that data unless instructed to do so by the data controller (except in cases where Union or Member State law would require it).

GDPR Article 29: Processing under the authority of the controller or processor

Here's how Basecamp's DPA includes clauses that address this processor/controller relationship:

Basecamp's Data Processing Addendum: Processing of Personal Data clause excerpt

Article 30 dictates that data controllers or their representatives should maintain records of processing activity under their authority. This includes processing done by the data controller's data processor as covered in a data processing agreement.

GDPR Article 30: Section 1: Records of processing activ

Article 30 gives similar requirements for data processors.

GDPR Article 30: Section 2: Records of processing activities

All of these records must be in a written form and made available to a supervisory authority upon request. Organizations of fewer than 250 employees are exempt from these requirements unless they process data regularly, process data that could put data subjects' rights and freedoms at risk, including but not limited to the processing of special categories of data or information regarding criminal histories.

Article 31 states that data controllers and data processors (or their representatives) shall cooperate with supervisory authorities.

GDPR Article 31: Cooperation with the supervisory authority

Article 32 puts forth the security requirements for data controllers and processors in order to protect the rights and security of their data subjects. These security measures are referred to in the GDPR's guidelines for adequate data processing agreements.

GDPR Article 32: Section 1: Security of processing

Here's a clause from the Basecamp DPA that discusses security measures:

Basecamp's Data Processing Addendum: Security clause

Article 33 and Article 34 cover the proper procedures for notifying the supervisory authority as well as the data subjects of security breaches involving personal data. This includes the data controller notifying the proper authority as well as the data processor notifying their data controller as described in the GDPR's guidelines for adequate processing agreements.

Here's the Basecamp clause that discusses this:

Basecamp's Data Processing Addendum: Customer Data Incident Management and Notification clause

Article 35 explains data protection impact assessments including when and how they should be performed. It also mentions how data controllers and data processors should take into account the other's compliance with contractual agreements (such as data processing agreements) when performing data protection impact assessments.

This is part of the "due diligence" referred to in the GDPR's data processing agreement requirements, putting some responsibility on data controllers to ensure that the data processors they are using are credible and compliant with the GDPR.

GDPR Info Article 35: Section 8 - Data Protection Impact Assessment

Article 36 covers situations where a data protection impact assessment shows high risk and lays out the procedure for data controllers, data processors, and supervisory authorities to communicate and gives timelines for when supervisory authorities should provide the data controller and/or processor with consultation on how to improve the situation so that data processing can commence safely.

Here's the related clause from Basecamp:

Basecamp's Data Processing Addendum: Data Protection Impact Assessment clause

These articles make up the majority of guidance from the GDPR regarding data processing agreements and the components of those agreements. This can be quite a lot to understand on the first read, so let's review the key points as they apply to you and your GDPR-compliant data processing agreements.

The GDPR requires that the following be included in your data processing agreement:

  • What information is being processed
  • How long that information will be processed
  • Why this information is being processed
  • The rights and responsibilities of the data controller
  • That the data processor should only act according to written instructions from the data controller
  • That data processing is done confidentially
  • That proper security measures are in place during every step of data handling
  • Subprocessors only be used with the data controller's knowledge and consent
  • Data controllers and processors should work together to resolve subject access requests
  • Data controllers and processors should work together to protect the rights and privacy of data subjects
  • Data processors must inform data controllers of data breaches
  • Data processors should assist data controllers in data protection impact assessments where applicable
  • Data processors should erase or return the personal information from the data controller after the contract is complete
  • Both data controllers and processors should be prepared for audits or inspections and assist one another as needed to demonstrate compliance
  • Data processors and controllers should be on the lookout for any practices that break GDPR compliance and notify the other so that corrections can be made
  • The data processor shall have a Data Protection Officer appointed as required by the GDPR
  • The data processor shall keep records of processing activity

It may seem like an overwhelming list at first glance, but many of the items are similar to or work in conjunction with others. Many of the rest are obvious or necessary safeguards to ensure all-around compliance and open communication between parties sharing and handling personal data, and their supervisory authorities.

There are a few other things data controllers will want to ensure they have included in their data processing agreements.

These are:

  • Documented instructions to prove intent
  • Proof that the data controller did their due diligence to determine the capability and commitment of the data processor to handle the project safely and legally (such as data protection impact assessments)
  • Security requirements for data processors
  • Procedures for cooperation and communication between the data controller and data processor
  • Procedures in place in case of data breaches or investigations
  • Procedures for the returning or erasing of data at the end of the contract

By providing these clauses within the agreement, the data controller limits their culpability by providing the data processor with everything they should need to conduct their duties properly.

By giving instructions, laying out procedures, and enforcing requirements for safe and lawful data processing, the data controller is not only protecting themself, but ensuring that the data processor is acting within the constraints of the GDPR for the protection of their data subjects.

Conclusion

The GDPR requires data processing agreements between data controllers and data processors and also has requirements for what must be included in those agreements.

These agreements are not just a legal burden imposed by the GDPR, but a necessary contract to protect each party as well as the data subjects involved. Depending on how much and to what extent you require data processing, an attorney will likely be needed as these contracts can get quite lengthy what with the the clauses required by the GDPR and those needed by your organization based on their operations.

If you are looking to create or update a data processing agreement, the above information should help you break down the GDPR's requirements into more manageable steps.