GDPR Data processing agreement

The GDPR Data Processing Agreement is a specific type of data processing agreement that is designed to comply with the requirements of the General Data Protection Regulation (GDPR).

The GDPR Data Processing Agreement is intended to help organizations to:

• Comply with the GDPR
• Manage the risks associated with data processing
• Meet their contractual obligations with regard to the processing of data

What should the GDPR Data Processing Agreement include?

The GDPR Data Processing Agreement must be entered into by both the controller and the processor, and must include the following information:

• The types of data that will be processed
• The specific purposes for which the data will be processed
• Any other purpose or activity that the data might be used for should any ground for lawful processing arise
• Who will have access to the data and who will process it (the document should indicate if the processor has its own sub-processors)
• How long the agreement is going to last, including a description of how termination can occur
• Where and with whom the records related to this Agreement will be stored
• What confidentiality measures are in place
• What technical and organisational security measures are in place.

The GDPR Data Processing Agreement must also include information on:

• Lawfulness of processing. This includes specifying what lawful bases apply to the processing of data, including consent
• Data subject rights, specifying how these will be upheld throughout the processing cycle
• The retention period for the data (how long will it be kept)
• Transfers of data outside of the EU/EEA. This relates to country level adequacy decisions by the European Commission which are discussed in more detail here . If there are no such adequacy decisions or if they do not cover some transfers, then additional safeguards must also be put in place. These safeguards may include signing contracts with third parties that have equivalent GDPR-level protections as required under Article 46(3)(h). A list of which countries have been deemed adequate can be found here.
• Obligations on sub-contracting. The GDPR has very specific requirements on the use of sub-processors which must be met
• Dispute resolution
• A list of any third parties that will have access to the data
• A description of the technical and organisational security measures that will be in place once the Agreement is signed

Transfers and saving data outside the EU

Under the GDPR, companies are allowed to store data outside of the EU as long as it is subject to an adequate level of protection. This means that the company must ensure that the data is protected by measures such as encryption and access controls.

There are a few steps that companies can take to ensure that their data is stored in a safe and secure manner. First, they should consider the location of the data center and make sure that it is in a country with strong data protection laws. They should also use encryption to protect the data while it is in transit and at rest. Lastly, they should put in place strong access controls to ensure that only authorized personnel can view the data.

By following these steps, companies can store their data in a way that complies with the GDPR and protects it from hackers.

What is the difference between a processor and a controller under the GDPR Data Processing Agreement?

A processor is a party that is engaged by a controller to process personal data on behalf of the controller. The processor must comply with the GDPR when processing personal data. A controller is a party that determines the purposes and means of the processing of personal data.

The GDPR applies to both controllers and processors.

What is an example of a data processor under GDPR?

First of all, a person or entity can be both data processor or controller. This all depends on the specific role the person or entity takes in.

An example of a processor in GDPR would be an email marketing service provider, a cloud provider or a hosting party that stores personal data. In short, a service that acts on behalf of you and has access (processes) data of your customers or employees.

A processor is only limited by its contract with the controller, but it can’t make independent decisions about how to process data.

And an example of a data controller under GDPR?

A typical data controller is an online payments provider. That provider (for example PayPal or Stripe) captures your customer’s information so that these customers can pay you. However, you have no influence or say over the data that is being collected, stored and used by the payment provided. That is why a payment provider in this case is a data controller.

Another example is an accountant when acting for his or her client. Professional service providers such as accountants, in that role, are data controllers. This is because accountants and similar providers of professional services have professional guidelines that make that they have to take responsible care of the personal data of their clients they process.