Requirements for data processing agreements
These instructions describe the requirements for a data processing agreement. They describe what a data processing agreement must contain, and how and when to conduct an audit.
What does a data processing agreement need to contain?
A data processing agreement is a binding written agreement that establishes the subject matter and duration of the processing performed by the data processor on behalf of the data controller.
The data processing agreement must always describe:
- The purpose and character of the data processing
- The type of personal data
- The categories of data subjects
- The data controller's obligations and rights
Furthermore, a data processing agreement also needs to establish:
- That the data processor may only process personal data in accordance with the documented instructions from the data controller. This means that the agreement must clearly determine that the data processor cannot perform any processing that exceeds the instructions provided by the data controller.
- That the data processor must process the personal data confidentially. The data processing agreement may, for example, impose access restrictions and require employees of the data processor to process the personal data confidentially.
- That the data processor must take the necessary technical and organisational security measures. The data processing agreement has to clearly indicate that the data controller and the data processor have determined what security measures the data processor must have in place. The purpose of this is to continuously ensure an appropriate level of security for the data processing.
- The terms for the data processor's use of subprocessors. It must be stated in the data processing agreement that the data processor may not use a subprocessor without prior specific or general written approval from the data controller. If the data controller chooses to give general approval to the use of subprocessors, the data processor must notify the data controller of any planned changes regarding the use of subprocessors and thereby allow the data controller to object to the changes. The data processor must be subject to the same data protection obligations as the data controller.
- That the data processor must assist the data controller in fulfilling obligations regarding requests to exercise the data subject's rights, e.g. data subject access requests and deletion requests.
- That the data processor must assist the data controller in complying with the obligations of Articles 32-36 of the GDPR. This means, among other things, that the data processor must notify the data controller of data breaches without undue delay. As the data controller has a deadline of 72 hours to report data breaches to the supervisory authority, it may be a good idea for the data controller and the data processor to agree on a shorter deadline for when the data processor must notify the data controller of data breaches.
- That the data processor must delete or return the personal data upon termination of the contract, unless there is a legal obligation to continue storing the information.
- That the data processor must be able to demonstrate compliance with the data processing agreement as well as the data protection regulations. It must be stated in the data processing agreement that the data controller has the option to conduct audits and, where relevant, inspections of the data processor.
This list is not exhaustive, as the data controller must always consider whether other relevant matters should be regulated in the data processing agreement between the parties.
Data processing agreements must be monitored
The data controller must ensure that the data processing agreements are complied with.
An inspection can be either physical or written. The data controller should take into account the risk assessment of the data processor's processing when determining which form of supervision is most appropriate. The risk assessment is also a decisive factor in determining how often the data controller must carry out inspections. If the risk is high, it may be necessary to carry out inspections annually or semi-annually.
The use of data processors is regulated in article 28 of the GDPR.
Please note: This information is not legal advice. The information is an expression of what we consider to be 'best practice'.