A data processing agreement is a formal contract that documents what data is being shared between parties and how that data can be used or processed. It prevents miscommunication between the provider of the data and the party receiving the data by making certain that both parties understand their responsibilities.

Whenever a controller engages the services of a processor (a third party who processes personal data on behalf of the controller), there should be a written contract in place. If a processor engages the services of another processor, it too needs to have a written contract in place. Failure to have such an agreement in place is a breach of the law under the GDPR.

The data processing agreement should set out the subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data and the categories of data subject, and the obligations and rights of the controller.

The agreement must also include the following terms:

  • The processor must process the personal data only on the written instructions of the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required by law to act without such written instructions;

  • The processor must have the consent of the controller before engaging a sub-processor;

  • The processor must ensure that the persons (i.e. employees) authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

  • The processor must implement appropriate technical and organisational measures to ensure an appropriate level of security;

  • The processor should assist the controller with appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights;

  • At the choice of the controller, the processor must delete or return all the personal data to the controller at the end of the contract for services relating to processing; and

  • The processor should make available to the controller all information necessary to demonstrate compliance with the obligations under the GDPR and allow for and contribute to audits.

The GDPR makes written contracts between controllers and processors a requirement. The contracts help parties to comply with the GDPR by making clear to controllers and processors their obligations, responsibilities and liabilities.

For legal advice and guidance on complying with the GDPR and assistance with drafting data processing agreements, get in touch with Farleys’ GDPR solicitors on 0845 287 0939.
