Complying with the EU General Data Protection Regulation (GDPR) can take a lot of work. You have to make sure that you're processing your users' personal data transparently, storing it securely, and only asking them for the information that you actually need. But that's just part of what's required.
You're also responsible for ensuring that certain companies with whom you share your users' data treat it with the same level of respect as you would.
You must make sure you only pass on your users' data to companies that are GDPR-compliant. And you're legally required to have a contract in place with any data processors - that is, anyone who processes personal data on your behalf.
This is where your Data Processing Agreement comes in. Let's take a look at what you'll need to include in this agreement to make sure it meets the GDPR's requirements.
- 1. Data Subjects, Data Controllers, and Data Processors
- 2. Who Needs a Data Processing Agreement?
- 3. Mandatory Data Processing Agreement Clauses
- 3.1. Information about the Data Processing
- 3.2. Information about the Personal Data and Data Subjects
- 3.3. Obligations of the Data Controller
- 3.4. Obligations of the Data Processor
- 3.4.1. Written Instructions
- 3.4.2. Confidentiality
- 3.4.3. Security
- 3.4.4. Subprocessors
- 3.4.5. Data Rights
- 3.4.6. Data Protection Impact Assessments
- 3.4.7. Data Breach Notifications
- 3.4.8. Return or Deletion of Personal Data
- 3.4.9. Audits
- 4. Other Data Processing Agreement Clauses
- 4.1. Definitions
- 4.2. Mandatory Data Protection Officer
- 4.3. International Data Transfers
- 4.4. Record-Keeping
- 4.5. Governing Law
- 5. Summary of Your Data Processing Agreement
Data Subjects, Data Controllers, and Data Processors
A Data Processing Agreement is a contract between a data controller and a data processor that covers how to handle the personal data of data subjects. These terms are defined in Article 4 of the GDPR:
- Data subjects are identified or identifiable natural persons. Information that relates to them is "personal data" (Article 4(1)). This ranges from obvious identifiers such as names and postal addresses to less obvious ones such as IP addresses, cookie identifiers and other browser data that can single a person out.
- A data controller is any person or organization that "determines the purposes and means of the processing of personal data" (Article 4(7)). It decides why and how data subjects' personal data is processed. "Processing" covers almost anything you can do with personal data - collecting it, storing it, sharing it, analysing it, deleting it (Article 4(2)).
- A data processor is any person or organization that "processes personal data on behalf of the [data] controller" (Article 4(8)). A processor acts on the controller's instructions and typically has no direct relationship with the data subjects.
An individual could be a data subject, a data controller and a data processor - depending on their relationship to a set of personal data. A company that acts primarily as a data processor will also often be a data controller in some respects.
Let's put this into context. Imagine yourself, an individual (data subject), shopping online at an ecommerce store.
The ecommerce store asks you for your payment details in order to take a payment. The store is the data controller. It's deciding the purpose (to sell you a product) and means (taking your card details) of processing your personal data.
You provide your card details via a payment service such as PayPal. In this example, PayPal is treated as the data processor: it processes the payment on behalf of the data controller, the ecommerce store. Bear in mind that the labels follow the facts, not the type of company. A payment provider that also uses the data for its own purposes (fraud screening, its own regulatory obligations) is an independent controller for that processing, so check the provider's own terms before assuming it is purely your processor.
Some other examples of data processors include companies that offer services in the following areas:
- Accounts
- Payroll
- Email marketing
- Databases
- Market research
Who Needs a Data Processing Agreement?
Data controllers must have a Data Processing Agreement in place with any data processors they use. The agreement might be written by the controller or the processor. However, it is binding on both parties.
The GDPR brings new obligations for data processors. As the European Commission puts it, data processors can't "hide behind" their data controllers. But the main obligation to keep personal data safe falls on the data controller.
Recital 74 states that the data controller is liable for any data processing carried out on its behalf. So, it's in a data controller's interest to ensure this processing is done in a safe and legal way.
Under Article 28, a data processor is only permitted to process personal data "on documented instructions from the controller" (unless legally required to do otherwise). A data processor can also hire "subprocessors" to carry out data processing on its behalf, but only with written permission from its data controller. The processor is liable to the data controller for the actions of these subprocessors.
A Data Processing Agreement is a way to meet the requirements placed on both data controllers and processors.
Article 28(3) requires the processing to be governed by a contract "or other legal act" that is binding on the processor. Without a Data Processing Agreement or equivalent written contract in place, it is unlawful for a data controller to engage a data processor, or for a data processor to process personal data on a controller's behalf.
Mandatory Data Processing Agreement Clauses
There are certain clauses required in every Data Processing Agreement. We're going to take a look at some examples of these clauses within actual Data Processing Agreements.
Bear in mind that many of these are written by large data processors whose clients or customers are the data controllers. That makes no difference to what must be in the agreement. The wording will vary, but these clauses are mandatory in any Data Processing Agreement, whether it is drafted by the data controller or the data processor.
Information about the Data Processing
The Data Processing Agreement must be explicit about what it is that the data processor will actually be doing. For example, the following aspects of the data processing must be specified:
- Subject matter
- Duration
- Nature
- Purpose
Many Data Processing Agreements include this information as a Schedule or Appendix at the end of the agreement.
Here's an example from Dotmailer:
The duration of the agreement is sometimes referred to as its "term." This is not usually given in months or years. Instead, it stipulates the conditions on which the agreement will terminate. It's normal for a contract to include a clause like this. It's required in a Data Processing Agreement to ensure that data processors cannot process the personal data indefinitely.
Here's the relevant part of a Data Processing Agreement from SEMrush:
Here's part of a Data Processing Agreement from Voluum (Codewise) where it sets out the nature and purposes of the processing it will carry out on behalf of data controllers:
Information about the Personal Data and Data Subjects
The Data Processing Agreement must include details about the categories of personal data and the categories of data subjects. Here's an example from Virtual College:
Here's how Bitrix24 displays the categories of personal data covered by its agreement:
List every category of personal data you expect to pass to the processor, so that nothing it actually handles falls outside the agreement. Note how Bitrix24 starts its clause by saying its Customer Personal Data "may" include the types of data listed. This makes it clear that not every type of data on the list will necessarily be processed, but that any of them may be.
Obligations of the Data Controller
Whilst the focus of the agreement is on the data processor, the obligations of the data controller must also be made clear.
Here's an excerpt from this section of The B2B Marketing Lab's agreement that covers obligations:
"Data exporter" means "data controller" in this particular agreement.
Note that the obligations aren't very specific at all. This clause works more as a general statement that obligates the data controller to follow the agreement and adhere to laws.
Obligations of the Data Processor
Most of the compulsory terms required in a Data Processing Agreement are obligations on the data processor. These are set out across Chapter 4 of the GDPR, with Article 28 being particularly important.
Written Instructions
The processor must process personal data "only on documented instructions from the controller." This is the reason for the Data Processing Agreement itself, but it also needs to be explicitly stated within the agreement.
Here's an example from Questback's agreement:
"Customer" means "data controller" in this agreement because Questback is the processor for other companies, and these other companies are Questback's customers and data controllers in the relationship.
Confidentiality
The processor must make sure "that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality" (Article 28(3)(b)). Note that this is not the same as a non-disclosure agreement between the two companies. It's primarily in place to protect the interests of data subjects - not the data processor or controller - and it applies to the processor's individual staff and contractors who touch the data.
Here's an example of such a clause from SuperOffice:
"MSA" here is an abbreviation for Master Subscription Agreement - SuperOffice's main Terms & Conditions.
Security
The processor must explicitly agree to comply with the obligations in Article 32 of the GDPR. This part of the GDPR is about the security of the data processing. It requires both data processors and data controllers to implement "appropriate technical and organisational measures" matched to the risk, and it names examples: pseudonymisation and encryption, ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access after an incident, and regular testing of the effectiveness of those measures. A clause that merely says "we comply with Article 32" is thin; the more useful agreements attach the concrete measures (encryption in transit and at rest, access control, logging, backups, testing) as an annex so the controller can actually verify them.
Different Data Processing Agreements approach this with varying levels of detail. For example, here's just one small part of this section from TimeTac's agreement:
And here's how Sendmate's agreement addresses this obligation:
Note that both clauses mention Article 32 of the GDPR.
Subprocessors
The data processor "shall not engage another processor without prior specific or general written authorisation of the controller." Any such subprocessors are bound by the same level of obligations as the main processor under the Data Processing Agreement.
Note that hiring subprocessors is allowed under the general written agreement of the data controller. The Data Processing Agreement is where such written agreement can be set out.
Here's an example from Trustpilot:
There are a few points to note about Trustpilot's subprocessors clause:
- The agreement (written by Trustpilot, as the data processor) gives the data processor blanket permission to hire subprocessors.
- There are a number of checks and balances to ensure that the controller retains control over these sub-contractual agreements.
- The agreement states that subprocessors are bound by the same terms as the main processor.
- The data processor explicitly accepts liability for the actions of the subprocessor. This is a key principle of this part of the GDPR.
Data Rights
The data processor must agree to help the data controller to facilitate data subject rights. There are eight of these, set out across Chapter 3 of the GDPR.
A data controller must facilitate its data subjects' rights, but it will often need the data processor's help to do so. Some of these rights involve accessing, correcting or deleting personal data that is held by the data processor, or restricting or stopping processing that the data processor is carrying out.
Here's an example of this clause from Float:
The Data Processing Agreement also presents an opportunity to specify the time period in which a data processor must comply with such a request. Under Article 12(3) the controller must respond to a data subject "without undue delay and in any event within one month", so the processor's deadline needs to sit well inside that month.
Data Protection Impact Assessments
The data controller must carry out a Data Protection Impact Assessment (Article 35) before undertaking any new processing that is likely to result in a high risk to data subjects. The processor is obliged to assist with this, and with any prior consultation of the supervisory authority, taking into account the information available to it (Article 28(3)(f)).
Here's an example from PayByLink's agreement:
Data Breach Notifications
The data controller must report a personal data breach to its supervisory authority unless the breach is "unlikely to result in a risk to the rights and freedoms of natural persons" (Article 33(1)). The data processor has a part to play here, too. It must "notify the controller without undue delay after becoming aware of a personal data breach" (Article 33(2)).
Here's what Debenhams requires of its data processors in the event of a data breach:
Note that the 72 hour deadline given here might be cutting it a little close. The controller has an obligation to report the breach to its supervisory authority within 72 hours of becoming aware of it, and it will need time to assess the breach, decide whether it is reportable and prepare the notification. A processor that only notifies towards the end of a 72 hour window leaves the controller very little room. A much shorter processor deadline (measured in hours) is more common and more useful.
Return or Deletion of Personal Data
Under Recital 81, "after the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data." The binding requirement is Article 28(3)(g): the processor must delete or return all the personal data at the end of the service, and delete existing copies, unless EU or Member State law requires the data to be stored.
Here's how HubSpot's agreement complies with this:
Audits
The data processor must allow for and contribute to audits, including inspections, conducted by the data controller or by another auditor mandated by the controller (Article 28(3)(h)). The Data Processing Agreement must permit this, but it can also establish the basis on which audits take place.
Here's an example from Capsule, writing as the data processor. It grants the data controller permission to carry out audits - but also sets out the terms of this arrangement.
You can set your own terms here (notice periods, frequency, confidentiality of findings, who bears the cost), so long as those terms do not prevent the controller from actually exercising the audit right.
Other Data Processing Agreement Clauses
In addition to the mandatory clauses that the GDPR requires, you can also include other terms.
Remember that the Data Processing Agreement is a contract that will govern the way the data controller and data processor do business.
Definitions
Like with any contract, it's good to set out the definitions of key terms at the start of your Data Processing Agreement. The aim is to keep the number of contractual grey areas to a minimum in the event of a dispute.
Some terms that you'll want to define include:
- Data controller
- Data processor
- Data subject
- Subprocessor
- Personal data
- Processing
- Data protection law
Here's an excerpt from the definitions section of Inline Manual's Data Processing Agreement:
If you have any proprietary terms or words that you use in a way that isn't generally understood, define them so there aren't any miscommunications or issues with the terms.
Mandatory Data Protection Officer
Under Article 37, certain organizations need to appoint a Data Protection Officer. Some Data Processing Agreements place a requirement on the data processor to do this.
It might be a good idea to insert this clause into your Data Processing Agreement if, for example, you're asking a data processor to process large amounts of special category data.
Here's the relevant section from Caci's Data Processing Agreement:
International Data Transfers
The GDPR has some strict rules about transferring personal data outside the EU and EEA (Chapter V). But such transfers are allowed, and will often occur between data controllers and their data processors, or between data processors and their subprocessors.
International data transfers can take place under certain conditions, including where the third country has received an adequacy decision from the European Commission. Where there is no adequacy decision, the usual route is Standard Contractual Clauses or Binding Corporate Rules, together with an assessment of whether the destination country's law undermines those safeguards. At the time this page was written, transfers to the United States relied on the Privacy Shield Framework. That framework was invalidated by the Court of Justice of the EU in July 2020 (Schrems II, C-311/18); since July 2023 an adequacy decision covers US companies certified under the EU-US Data Privacy Framework, and transfers to other US recipients need Standard Contractual Clauses. If your agreement names Privacy Shield, update it.
Here's how Edgecumbe manages international transfers in its Data Processing Agreement. This is addressed to subprocessors, but it could equally be addressed to a data processor.
Record-Keeping
The GDPR requires a data processor to keep a record of the categories of processing it carries out on behalf of each controller (Article 30(2)). Agreeing to this requirement is implicit in some of the clauses we've looked at above. But many Data Processing Agreements also include this as an explicit requirement on the data processor, together with the terms on which such records must be shared with the controller.
Here's an example from Sleeknote:
Governing Law
As with any contract, it's wise to state which country's law governs the agreement (the "governing law") and which courts will hear any dispute about it (the "jurisdiction"); these are two separate questions and are usually set out together. Although the GDPR applies across EU countries (with some minor variations), the laws governing contracts may be very different in the countries where the data controller and data processor are based.
Here's an example from Planday's Data Processing Agreement:
Summary of Your Data Processing Agreement
Wherever data processing is performed by a data processor, it is essential to have a clear Data Processing Agreement in place. Not only is it a legal requirement, but it will also allow you to set the terms on which you do business, and reduce the opportunity for legal disputes.
Your Data Processing Agreement must include:
- Details of the subject matter, duration, nature, and purpose of the processing
- Details of the categories of personal data and data subjects
- Obligations of the data controller
- Obligations of the data processor, including:
- Only to act under the written instructions of the data controller
- To keep personal data confidential
- To comply with the GDPR's security requirements
- To assist the data controller in facilitating data subject rights
- To assist the data controller in conducting a Data Protection Impact Assessment if required
- To inform the data controller on becoming aware of a personal data breach
- To return to the data controller or delete any personal data on termination of the agreement
- To permit the data controller to conduct audits
- Any other applicable or optional clauses including:
- Definitions of key terms
- A requirement on the data processor to nominate a Data Protection Officer
- The conditions around international data transfers
- An explicit requirement on the data processor to keep data processing records
- The governing law under which disputes will be resolved