Written agreements
Conclude a Personal Data Processing Agreement
It is important to conclude a Data Processing Agreement (DPA) when a controller engages a data processor. A Data Processing Agreement must be in writing in accordance with the rules of the GDPR.
Who can be a data processor?
- Natural persons, such as a sole trader;
- Legal persons, such as a limited company or partnership;
- Public authorities;
- Institutions;
- Other bodies.
When should companies enter into a Data Processing Agreement?
There are two different situations in which companies must enter into a Data Processing Agreement:
1. Hiring a processor
Where a controller engages a processor. For example, if a company hires an accounting firm to manage the day-to-day accounting on behalf of the company.
2. Hiring a sub-processor
When a processor in turn hires another personal data processor, often referred to as a “personal data sub-processor” or, abbreviated, a “sub-processor”. For example, if a customer company, as a data controller, engages a development company that is a data processor to develop and operate a mobile application on behalf of the customer company. The development company, in turn, hires a consulting company if it needs an external consultant with cutting-edge expertise to fulfil the assignment. The consulting company then becomes a sub-processor to the development company.
Please note that Data Processing Agreements must be in writing in order to be valid under Article 28(3) of the GDPR.
Common examples of when companies usually hire a data processor
Accounting firm
When a company hires an accounting firm to handle, for example, the company's salary management, ongoing bookkeeping and accounting.
Cloud services
If a company uses cloud services to store personal data.
Developer
If a company wants to build a mobile application and hires a development company that processes personal data within the scope of the assignment on behalf of the company.
What a Data Processing Agreement should ensure
A Data Processing Agreement shall ensure that both the controller and the processor:
- Comply with GDPR.
- Are aware of their obligations under the GDPR, both towards each other and towards the data subjects.
- Protect the personal data being processed. This applies to personal data of, for example, customers, staff and other categories of data subjects.
- Document their cooperation and GDPR work, in order to demonstrate that the parties comply with the GDPR in accordance with the fundamental data protection principle of accountability.
In addition, the Data Processing Agreement must contain at least the minimum requirements set out in Article 28 of the GDPR. Otherwise, the agreement risks being considered invalid, or deficient and thus in breach of the rules of the GDPR.
Examples of necessary content in a Data Processing Agreement

Purpose
It should be clear what the purpose of the processing is.

Deadline
How long the processing is to take place, when it is to end, etc. It is also possible to regulate time limits that are more specific than those laid down in the GDPR. The GDPR sometimes states that something should happen “without undue delay”. In such cases, the contracting parties may choose to agree that the measure in question shall instead take place within “24 hours”.

Categories
The types of personal data concerned, such as ordinary personal data, sensitive personal data or other privacy-sensitive personal data. It shall also indicate the category of data subjects to whom the processing relates: for example, whether it concerns a group that merits additional protection, such as children or the sick, or users, customers, employees, etc.

Rights and obligations
The rights and obligations of the controller and the processor respectively. It is important to also regulate commercial terms that are not affected by the GDPR, for example whether the processor is entitled to compensation for the assistance it provides under the Data Processing Agreement.

Sub-processor
What conditions apply if the processor engages a personal data sub-processor. The conditions vary, depending on whether the controller has chosen to give a specific or general written prior authorisation regarding the processor's use of another processor.

Confidentiality
Pursuant to Article 28(3)(b) of the GDPR, the Data Processing Agreement must include a provision whereby the processor ensures that persons authorised to process the personal data have undertaken to observe confidentiality or are subject to an appropriate statutory duty of confidentiality. This applies not only to its own staff, but also to consultants and others who may access the personal data through the processor.

Audits
The processor shall provide the controller with access to all information necessary to demonstrate compliance with the obligations laid down in the GDPR. In addition, the processor shall enable and contribute to audits carried out by the controller or by another auditor designated by the controller. This needs to be explicitly regulated in the contract.

Termination of the contract
What will happen to the personal data when the agreement ends. The controller has the right to decide whether the processor should return or delete the personal data, as well as within what time and how it should be done.
The EU Commission has published “Guidelines 07/2020 on the concepts of controller and processor in the GDPR”, which contain more recommendations and guidelines on the content of a Data Processing Agreement.
The controller shall give written instructions to the processor
According to Article 28(3)(a) of the GDPR, processors may process personal data only in accordance with the instructions given by the controller, unless the processing is required under EU law or the national law of a Member State. If a processor processes the personal data in violation of the written instructions, the processor may be held responsible as if it were a controller.
The instructions may be set out in the Data Processing Agreement, but this is not required. Instead, it is possible to draw up separate instructions in annexes that supplement the agreement. It is often easier to adjust and update the instructions if they are formulated in an annex to the Data Processing Agreement. Therefore, our recommendation is to draw up the instructions in an instruction appendix rather than embedding them in the Data Processing Agreement itself.
Learn more
Inform data subjects through a privacy notice
Data subjects shall always be informed of the processing of their personal data. This is usually done via a privacy notice, which companies typically publish on their website. It must state, among other things, what the purpose of the processing is, how long the processing will last, what rights the data subjects have, whether the company has a data protection officer, etc.