GDPR agreement
Read more about what a GDPR agreement entails, when it is needed and how it supports correct GDPR compliance.
Explained – what is a GDPR agreement?
A GDPR agreement, also referred to as a data processing agreement, a joint controller agreement or a data sharing agreement, sets out the allocation of responsibilities and obligations between the parties involved in the processing of personal data. The purpose is to ensure that processing is carried out in accordance with Regulation (EU) 2016/679 (GDPR). A thorough mapping of personal data flows often underpins the drafting of a correct GDPR agreement.
Such agreements are used across many areas, including cloud services, HR systems and IT operations. They form a central part of an organisation's work on GDPR adaptation and GDPR audits. A well-drafted agreement is also essential for clear allocation of responsibilities and traceability in personal data processing, including where personal data is shared between companies in the same group under an intra-group data sharing agreement.
When does the question of a GDPR agreement arise?
The question becomes relevant when an organisation engages an external company or supplier to process personal data on its behalf. This includes, for example, IT suppliers, cloud services and marketing platforms. Collaboration between group companies may also require an internal GDPR agreement (for example an intra-group data sharing agreement) to meet the requirements of the GDPR, since a group company that processes personal data for another group company is a separate legal person and therefore a controller or processor in its own right.
Beyond the legal requirements, a GDPR agreement can clarify the parties' roles, responsibilities and the security measures to be met, thereby strengthening overall GDPR compliance. Well-structured GDPR agreements also facilitate vendor oversight and demonstrate accountability.
Points to consider regarding GDPR agreements
When drafting a GDPR agreement, several practical steps should be handled carefully. Below are key points organisations should consider.
- Ensure the parties' roles are clearly defined as controller, processor or joint controllers, since the applicable obligations differ for each role.
- Describe the purpose of processing and the categories of personal data covered.
- Include requirements for technical and organisational security measures in line with GDPR Article 28 and Article 32.
- Impose reporting obligations for personal data breaches, including the processor's duty under Article 33(2) to notify the controller without undue delay after becoming aware of a breach.
- Regulate sub-processors – when they may be engaged and on what conditions.
- Set procedures for deletion and return of data on termination of the agreement.
- Document and update the agreement when processing activities change.
By structuring the agreement carefully and updating it when needed, organisations can avoid ambiguity and demonstrate active and traceable GDPR compliance.
Why is a GDPR agreement important?
A GDPR agreement is crucial to set out clear lines of responsibility between actors processing personal data. Under Article 28 GDPR, processing by a processor must be governed by a contract or other legal act (a data processing agreement), and under Article 26 GDPR joint controllers must determine their respective responsibilities in a transparent arrangement (a joint controller agreement), to ensure that personal data is handled in accordance with applicable law.
Without a valid GDPR agreement, an organisation risks administrative fines and other sanctions as well as reputational damage. The agreement therefore serves as documented evidence of the organisation's data protection programme and shows that privacy is taken seriously.
Beyond regulatory compliance, a properly structured GDPR agreement strengthens relationships between the parties. It facilitates scrutiny during a future GDPR audit and contributes to secure handling of personal data. Together with robust internal GDPR training and use of a GDPR checklist, the agreement becomes a foundational component of a sustainable data protection framework.
Frequently asked questions about GDPR agreements
A GDPR agreement ensures that personal data is processed in accordance with the GDPR and clarifies the allocation of responsibilities between the parties involved.
A GDPR agreement is required when a supplier processes personal data on behalf of another party, or where there is joint controllership. This applies, for example, to IT services, cloud storage, payroll systems and other processing-intensive operations.
To meet the requirements for a data processing agreement under GDPR Article 28, it should include certain fundamentals, for example:
- Description of the processing and its purposes
- Security requirements
- Reporting of personal data breaches
- Procedures for deletion and return
- Right to conduct audits
- Regulation of sub-processors and third-country transfers
Legal review is recommended to ensure full GDPR compliance.
The terms GDPR agreement and data processing agreement are sometimes used synonymously. GDPR agreement is the broader expression, covering data processing agreements, joint controller agreements and data sharing agreements, whereas a data processing agreement is specifically the agreement that must be put in place under Article 28 GDPR.
A practical method for keeping GDPR agreements current is to conduct an internal GDPR audit and verify that the agreements still reflect the actual processing.
- Review the agreement’s content and relevance
- Assess sub-processors and security levels
- Update when personal data flows change
Regular follow-up builds assurance and documented compliance.
GDPR agreements form part of the organisation’s overall GDPR programme, where GDPR training and GDPR adaptation are also important. With the right knowledge, teams can identify risks, set requirements for suppliers and understand how the agreements protect both the organisation and data subjects — supporting long-term and sustainable data protection.
Read more about our services
GDPR Lawyer
Engage Morling Consulting's privacy counsel when personal data issues need to be addressed in a business-focused manner with clear control of risk. We provide support with governance, contracts, transparency and processor arrangements, ensuring the organisation remains consistent towards data subjects and the Swedish Authority for Privacy Protection (IMY).
DPIA
We prepare Data Protection Impact Assessments (DPIAs) for processing activities that may pose a high risk and require a documented basis for decision-making. We carry out the assessment, identify risks, and put in place mitigations and documentation so the DPIA is auditable, traceable, and ready for review.
Breach management
Morling Consulting supports incident management when a personal data breach must be handled swiftly and correctly. We lead the assessment, remediation plan and documentation, including materials for notification and communications, so the organisation acts in a coordinated way and reduces consequential harm.
Contact
Contact us
If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85