Data processing agreements
Data processing agreements are legal contracts that govern how a processor may handle personal data on behalf of a controller.
Explained – what is a data processing agreement?
A data processing agreement is a written contract between a controller and a processor under Article 28 of the GDPR. The purpose is to ensure the processor only processes personal data in line with the controller’s instructions and in compliance with data protection law. A GDPR lawyer can help verify that the agreement meets all legal requirements. Data processing agreements are common where external providers handle personal data, for example IT services, cloud storage or HR systems.
When does a GDPR data processing agreement become relevant?
The need for a GDPR data processing agreement arises when an organisation engages a third party to process personal data on its behalf. This includes cloud services, system vendors, consultancies, or the outsourcing of HR and payroll processing. The agreement clarifies the allocation of responsibilities between the parties and ensures compliance with the GDPR.
Points to consider in a data processing agreement
Several issues must be addressed in a data processing agreement to ensure processing is lawful and appropriately controlled.
- The agreement must be in writing and comply with Article 28 GDPR.
- Processing instructions must be clear and documented.
- There must be rules on sub-processors, including a requirement for the controller’s prior authorisation.
- Security measures, both technical and organisational, must be described in the agreement.
- There should be clear obligations on the processor to assist with handling the rights of the data subject.
- Procedures for personal data breaches and cooperation in such cases must be set out.
- The agreement must specify deletion or return of personal data when the engagement ends.
A well-structured contract enables both parties to act correctly and in accordance with data protection law, reflecting the requirements of Article 28 GDPR and the practical expectations that arise when negotiating data processing agreements.
Why is a GDPR data processing agreement important?
Data processing agreements create the legal framework governing how a supplier may process personal data for another organisation. Without a properly drafted contract, the organisation risks breaching the GDPR, which may lead to administrative fines from the Data Protection Agency.
These agreements also promote transparency. By defining roles, responsibilities, and technical and organisational security measures, they provide certainty for cooperation between the controller and the processor. This is particularly critical where substantial volumes of sensitive data are handled in cloud services or outsourced systems.
Over time, clear data processing agreements build trust between supplier and customer. Organisations that take a structured approach to such contracts are perceived as more serious and reliable, which strengthens both the brand and relationships with partners.
Frequently asked questions about data processing agreements
The purpose is to ensure a processor only processes personal data in line with the controller’s instructions and in accordance with the GDPR, reflecting the requirements of Article 28 GDPR and the processor’s practical obligations under it.
An agreement is required whenever an organisation engages an external party to process personal data, for example when using cloud services, consultancy support, system vendors or outsourced payroll processing.
The contract must be written and meet the requirements in Article 28 GDPR. Key elements include:
- Clear instructions for the processing
- Rules on sub-processors
- A description of technical and organisational measures
- Procedures for incident reporting
If no agreement is in place, the organisation breaches the GDPR. This may result in administrative fines and loss of trust among customers and employees.
The controller has overall responsibility to put the agreement in place and ensure compliance. The processor has its own duties under the contract and the GDPR. Responsibilities are therefore shared, and both parties must act correctly in line with their respective obligations as controller and processor under the GDPR:
- The controller must give clear instructions
- The processor must follow those instructions and implement technical security measures
- Both parties must cooperate in the event of incidents or when data subjects exercise their rights
Several clauses are critical for GDPR compliance. These include rules on sub-processors, requirements for technical and organisational measures, and obligations to support the controller in the event of incidents or when data subjects exercise their rights. A properly drafted contract will also set out conditions for deletion or return of data when the engagement ends. This provides both parties with a clear, predictable framework when negotiating data processing agreements.
Read more about our services
GDPR Lawyer
Engage Morling Consulting’s privacy counsel when personal data issues need to be addressed in a business-focused manner with clear control of risk. We provide support with governance, contracts, transparency and processor arrangements, ensuring the organisation remains consistent towards data subjects and the Data Protection Authority (IMY).
DPIA
We prepare Data Protection Impact Assessments (DPIAs) for processing activities that may pose a high risk and require a documented basis for decision-making. We carry out the assessment, identify risks, and put in place mitigations and documentation so the DPIA is auditable, traceable, and ready for review.
Breach management
Morling Consulting supports incident management when a personal data breach must be handled swiftly and correctly. We lead the assessment, remediation plan and documentation, including materials for notification and communications, so the organisation acts in a coordinated way and reduces consequential harm.
Contact us
If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85