Data processing agreement

Do you need help with a data processing agreement? EM Law are experts in drafting and advising on data processing agreements. Our lead data protection lawyer is Neil Williamson who has extensive experience in advising clients on a wide range of data protection matters.

On 25 May 2018 the General Data Protection Regulation (GDPR) came into force. The GDPR ushered in a number of changes to data protection, including new requirements for organisations to deal with.

What is a data processing agreement?

In the majority of business relationships, personal data will flow from one party to another. Where a data processor carries out processing on behalf of a data controller, the data controller will not comply with the GDPR unless there is a written contract between the two parties setting out the terms, requirements and conditions on which the processing will take place. To give an example, when a company outsources payroll services, it will send personal data to the organisation providing those services. In order to be GDPR compliant, the company outsourcing the work must ensure that the organisation providing the services signs up to such an agreement. Data processing agreements between controllers and processors ensure that they both understand their obligations, responsibilities and liabilities.

Why do I need a data processing agreement?

Article 28(3) of the GDPR specifically states that there must be a contract or other legal act in place between a data controller and a data processor. If there is no contract or other legal act in place, the data controller is in breach of the GDPR and may be open to potential enforcement action by supervisory authorities such as the ICO. Such enforcement actions include compliance orders and financial penalties. Financial penalties can reach up to EUR 20,000,000 or 4% of global turnover, whichever is higher.

As a data controller, a data processing agreement also protects you should your data processor break compliance, mishandle your data or fall victim to a data breach. Without such an agreement, responsibility and blame will fall on you for failing to do your due diligence and for using a third party without adequate policies and procedures in place.

How do I create a data processing agreement?

Data processing agreements are just as important for small businesses as they are for large ones. Data processing agreements must also contain specific minimum terms. The agreement must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects as well as the obligations and rights of both parties.

In addition, such agreements must contain specific terms or clauses regarding:
• processing only on the data controller’s instructions;
• the duty of confidence;
• appropriate security measures;
• using sub-processors;
• data subjects’ rights;
• assisting the controller;
• end of contract provisions; and
• audits and inspections.

If the data processor uses another organisation (i.e. a sub-processor) to help it process personal data for the data controller, it must also have a written contract in place with that sub-processor.

If you are looking for assistance with drafting your data processing agreements or want advice on GDPR more generally, contact Neil Williamson.
