What does GDPR require in data processing agreements?

GDPR regulates the processing of personal data by imposing obligations on two types of organizations — data controllers and data processors. Data controllers set the agenda for processing, while data processors act on the instructions of data controllers. 

As well as regulating the activities of each of them (as detailed throughout this series), the Regulation also sets requirements for the relationship between them (in Article 28), including what the processing contract must contain. This article will look at these requirements in detail.

Suitable data processors

Data controllers must only use data processors who can give “sufficient guarantees” that they can and will comply with the requirements of the Regulation and protect the rights of data subjects. 

This means being able to show that they have the knowledge, resources and reliability to do so (rather than just being about contractual guarantees). If and when appropriate certification schemes are created, relying on these is likely to be justified.

Processing under authority

Data processors must only ever process data under the data controller’s documented instructions, unless required to do otherwise by EU or national law (Article 29). As well as being a violation in itself, straying outside of these instructions may cause them to be redefined as data controllers and therefore subject to additional rules.

Data processing agreements 

All processing must be under a contract between controller and processor (or some “other legal act” recognized by EU or national law which binds the processor to the controller’s will). There are a number of things which must be contained in this contract:

  • The subject matter, duration, nature and purpose of the processing.
  • The types of personal data and categories of data subject involved.
  • A requirement that the processor act only under the controller’s documented instructions (unless required by EU or national law).
  • A requirement that all people permitted to process the data have committed themselves to confidentiality or are otherwise under an appropriate legal obligation of confidentiality.
  • A requirement that the processor take “appropriate technical and organizational measures” to keep the data secure.
  • The requirements set out in the next section regarding the processor passing the work on to another processor.
  • Requirements that the processor (as far as is reasonable) assists the controller to maintain data security, conduct impact assessments, notify supervisory authorities and data subjects of data breaches, and fulfil requests from data subjects exercising their rights over their data.
  • A requirement (depending on the controller’s preference) that at the end of the contract the processor either deletes the data or returns it to the controller and deletes all copies (unless required by law to keep them).
  • A requirement that the processor assist with audits and inspections and provide the controller with the information necessary to show that the processor has complied with its obligations under the Regulation.

Passing to another data processor

A data processor must not pass the work on to another data processor without either (i) getting specific authority from the data controller or (ii) getting general authority from the data controller, informing them of the proposed change and giving them a chance to object. This must be spelled out in their contract with the controller. 

Wherever another data processor is engaged in this way, the contract (or other legal act) must impose the same data protection obligations as the first processor’s obligations under its contract with the controller. Again, this must also be required by the original processing agreement.

The original processor must remain liable to the data controller for the performance of the obligations passed on to the new processor. This will be an extra incentive for them to check the fitness of any such new processor.

A major purpose of all of these rules is to prevent data controllers and processors from attempting to avoid responsibility by passing it on to each other. They clearly set out that data processors must work strictly within their instructions and remain liable even if they lawfully pass the work on to another organization. Meanwhile, data controllers must make sure that they only use fit and proper organizations as data processors and use their contracts to bind the processors contractually (as well as under the Regulation itself).

The next article will look at a few remaining obligations under GDPR which have not fit within any of the areas already covered. Then we will sum up with a checklist of what your organization needs to do to prepare for GDPR.

Get all 10 articles in our series about GDPR in our E-Book for free by clicking the link below:

Download the GDPR Guide