Data processing agreements: tips & tricks.
What you need to know.
Article 28 GDPR requires a controller and a processor (see GDPR Toolkit 09) to enter into a data processing agreement. Companies can only rely on processors who offer sufficient guarantees to implement appropriate technical and organisational measures so as to ensure that the processing complies with the GDPR. These measures must be contained in an agreement.
The GDPR does not define the specific form in which the agreement must be concluded, it simply has to be a legally binding document (under national law). Processors selling products to thousands of customers will often work with unilaterally imposed conditions that they make available through their website.
It is important to keep in mind that there may also exist a controller / processor relationship between the different entities within a group of companies. In that context as well, the necessary agreements must be concluded in accordance with Article 28 GDPR.
What you need to do.
When drafting and/or reviewing a (unilaterally imposed) data processing agreement, it is important that the agreement contain all of the obligatory provisions prescribed by Article 28 GDPR.
To ensure that the data processing agreement is also a workable document in practice, we usually make the following recommendations:
- The detailed description of the processing activities (e.g. duration, nature, purpose, categories of data subjects and personal data, etc.) should preferably be included in an annex so that it can be easily amended.
- In order to avoid the need for the controller to give its prior consent for each replacement of a subprocessor, a general consent may be given subject to certain conditions, for example that they must be subprocessors with a similar profile located within the EEA.
- Standard clauses stipulating that parties will comply with all applicable laws, guidelines, codes of conduct, etc. in the relevant jurisdictions are often difficult to implement in practice - and that is certainly the case for processors. We therefore recommend requiring the controller to inform the processor of any mandatory national legislation that will apply to the processor as a result of the processing.
- In the case of a group of companies, it is useful to include a stipulation in favour of a third party, so as to spare each entity of the group from having to conclude a separate data processing agreement with third parties.
- Finally, for intra-group processing activities, it is useful to broaden the scope of the contract to cover each (form of) intra-group transfer of personal data. Such an agreement would then contain in its annex a data processing agreement, a task division for joint processing activities, and the standard contractual clauses for transfers outside the EEA. The parent company is often authorised to include new entities and to enter into processing agreements with third parties.
Please consult our website or contact one of our team members if you have questions or require more information:
In the Picture - July 2020
Covid-19’s impact on commercial contracts: Force majeure, not just a standard clause