Expert Advice Community

Data processing agreement

Guest user Created:   May 04, 2018 Last commented:   May 04, 2018

1. Am I right in thinking we can use the Supplier Data Processing Agreement in the toolkit (A.15.2) to send to our corporate clients instead or should we wait until they issue their own version to us?

Expert
Andrei Hanganu May 04, 2018

2. Just thinking a little more about this as I see on your notes that this is not a standalone document and is meant to be an annex to the contract the Controller has with a supplier / processor. We don’t have formal contracts / commercial agreements in place with all of our corporate clients and so I’m wondering where this leaves us?
3. It would also be good to know which of the documents in the toolkit should be issued to our suppliers, i.e. from Processor to Sub-Processor. I’m assuming that we simply need to incorporate the relevant security clauses to handle outsourcing risks as described in A.15.3 and the blog in your notes within our existing contracts? Am I right in thinking that precise/suggested wording for these clauses does not form part of the toolkit and if so do you have any advice where we might find example wording?

Answers:

1. Based on the provisions of EU GDPR art. 28 – “Processor” (https://advisera.com/eugdpracademy/gdpr/processor/), it is the controller that should be the one ensuring it uses processors providing sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of the Regulation.
You can of course be proactive, and for the controllers that did not provide you a Data Processing Agreement or similar document you can send them the Agreement in the Toolkit (A.15.2), and this would hopefully trigger a reaction from the controller.

2. Regardless of whether you have a written contract, the services you provide to your customers need to be somehow regulated, otherwise legally speaking you would be providing a service outside a contractual frame and this would mean that the parties have no obligations towards one another. You may have some Terms & Conditions for providing the services, and then the Data Processing Agreement should refer to them.
Any processing activity needs to have a reason behind it, so it needs to be regulated, especially if it is a paid service.

3. For a Processor to Sub-processor Data Processing agreement you can use the attached document as a reference.

To learn more about processors, check out our free “EU GDPR Foundations Course”: https://advisera.com/eugdpracademy/what-is-eugdpr/
