GDPR Series: Part 11 - Data Processing Agreements Be sure to keep an eye on your processors!

This series provides more detailed insight into the General Data Protection Regulation, which was published on 4 May 2016 and must be complied with by 25 May 2018.

This issue focuses on data processing agreements.

The controller's obligation to only work with data processors that provide sufficient guarantees

Under the GDPR, controllers may only work with data processors that provide "sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of [the GDPR] and ensure the protection of the rights of the data subjects."

The recitals specify that the guarantees to be provided relate to expert knowledge, reliability and resources.

This obligation is very stringent and requires controllers to make a detailed assessment of each processor's capabilities, including its financial stability.

The controller's obligation to enter into a data processing agreement

Data controllers are obliged to enter into a written contract, or other binding legal act under EU or Member State law, with each data processor.

Content of the data processing agreement

The agreement or other legal act must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data to be processed, the categories of data subjects and the obligations and rights of the controller.

In particular, it must be stipulated that the processor shall:

  • process the personal data only further to documented instructions from the controller, including the transfer of personal data to third countries or international organisations, unless provided otherwise by EU or Member State law to which the processor is subject; in the latter case, the processor shall inform the controller of the statutory requirement prior to the processing, unless the law prohibits such disclosure on substantial public interest grounds;
  • ensure that persons authorised to process the personal data are bound by a contractual or statutory duty of confidentiality;
  • take all appropriate technical and organisational measures;

  • obtain the controller's written consent to engage sub-processors;

  • impose on its sub-processors the data protection obligations set out in the agreement (or legal act) between the controller and the processor;

  • taking into account the nature of the processing, assist the controller by taking appropriate technical and organisational measures, insofar as possible, to ensure fulfilment of the controller's obligation to reply to requests by data subjects exercising their rights;
  • assist the controller in ensuring compliance with its security and certain other obligations, taking into account the nature of the processing and the information available to the processor;
  • at the controller's choosing, delete or return all personal data to the controller upon completion of the processing services and return any existing copies of the data, unless EU or Member State law requires that the personal data be stored;
  • make available to the controller all information necessary to demonstrate compliance with its obligations and allow and cooperate fully with audits, including inspections, conducted by the controller or another person authorised to this end by the controller.

The data processing agreement may be based on standard contractual clauses laid down by the European Commission or national supervisory authorities.

It should be clear from the foregoing that the mandatory provisions to be included in a data processing agreement are more numerous and substantial under the GDPR than under Directive 95/46/EC. The rationale for this is that the controller is ultimately responsible not only for the personal data being processed but also the parties processing data on its behalf.

To do's

  • If you've not yet done so, identify which of your services providers or suppliers qualify or could qualify as data processors.
  • Amend existing data processing agreements or conclude new ones.
  • Draft an addendum to your data processing agreements, setting out minimum security requirements.
  • Put in place measures to audit your data processors. 

Relevant provisions

Recital 81

Article 28