Expert Advice Community


Data processing agreement between a data controller & a data processor

Joy Created:   Nov 24, 2020 Last commented:   Nov 26, 2020

Data processing agreement between a data controller & a data processor

Some information please on what information must be included in a data processing agreement between a data controller and a data processor

0 0

Assign topic to the user


Step-by-step implementation for smaller companies.


Step-by-step implementation for smaller companies.

Alessandra Nisticò Nov 26, 2020

You need to include all the provisions listed in Article 28 GDPR.

From the controller’s side the agreement should define:

  • the subject-matter and duration of the processing,
  • the nature and purpose of the processing,
  • the type of personal data and categories of data subjects and the obligations and rights of the controller.

From the processor’s side, the agreement shall ensure that the processor:

  • processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country
  • ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • takes all measures required pursuant to Article 32;
  • will not engage a subprocessor without previous written authorization
  • taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller’s obligation to respond to requests for exercising the data subject’s rights
  • assists the controller in ensuring compliance with the obligations of security;
  • at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires the storage of the personal data;
  • makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
  • immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

Here's you'll find a ready-made template that you can adapt for your needs: GDPR Supplier Data Processing Agreement  

Here you can find more information:

This free online training will help you understand the relationship between data controllers and processors: EU GDPR Foundations Course: 

0 0

Comment as guest or Sign in

HTML tags are not allowed

Nov 24, 2020

Nov 26, 2020

Suggested Topics