Processing agreements: Copy-pasting from GDPR Art. 28 does not suffice

Last September, the European Data Protection Board (“EDPB“) issued its Guidelines 07/2020 on the concepts of controller and processor in the GDPR. The guidelines were subject to public consultation until 19 October.

As can be inferred from the title, the document gives criteria for the correct interpretation of some key concepts used in the GDPR. However, that is not all. The guidelines also deal with data processing agreements and censure a practice that has been common in the drafting of these contracts: merely restating the processor’s obligations listed in Art. 28(3) of the GDPR.

The guidelines establish that, while the elements laid down by Article 28 of the Regulation constitute the core content of any data processing agreement, the contract should clarify, in considerable detail, how such core elements have to be implemented.

To do that, the EDPB gives some hints and recommendations, which we summarize in the table below. The left-hand column contains the processor’s obligation, as established in Art. 28(3) of the GDPR. The right-hand column refers to the additional aspects that, according to the EDPB, should be included in the contract in relation to those obligations.

Processor’s obligation under Art. 28(3) GDPR, followed by the aspects to be added:

Obligation: “processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization…” (Art. 28(3)(a))

Aspects to be added:
  1. A procedure and a template for giving further instructions. Alternatively, the agreement can state that the controller may provide instructions in any written form (e.g. e-mail), as long as it is possible to keep records of such instructions.
  2. The requirements for transfers to third countries or international organizations, taking into account the provisions of Chapter V (on transfers outside the European Union) of the GDPR.

Obligation: “ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality” (Art. 28(3)(b))

Aspects to be added: the guidelines do not mention any specific addition to this obligation.

Obligation: “takes all measures required pursuant to Article 32” [security measures] (Art. 28(3)(c))

Aspects to be added:
  1. Controller’s description of the processing activities and security objectives.
  2. Information as to the security measures to be adopted.
  3. Processor’s obligation to obtain the controller’s approval before changing the security measures.
  4. A regular review by the processor of the security measures.

Obligation: “respects the conditions referred to in paragraphs 2 and 4 for engaging another processor” [only with prior written authorization – general or specific – of the controller, and imposing on the other processor the same data protection obligations as those vis-à-vis the controller] (Art. 28(3)(d))

Aspects to be added:
  1. In case of the controller’s general authorization: the process for changing processors, with the controller’s right to object.
  2. In case of the controller’s specific authorization: (i) the process for obtaining such authorization; and (ii) specification of which sub-processors and what processing activities the authorization refers to.
  3. Details as to the timeframe for the controller’s approval or objection and as to how the parties intend to communicate regarding this topic (e.g. templates).
  4. The list of intended sub-processors, including their locations, a description of what they will be doing and proof of the implemented safeguards.

Obligation: “…assists the controller (…) for the fulfilment of the (…) obligation to respond to requests for exercising the data subject’s rights…” (Art. 28(3)(e))

Aspects to be added:
  1. Details concerning the assistance to be provided by the processor.
  2. If the processor is going to deal with data subjects’ requests, clear instructions for the assessment of whether the requests are admissible and/or whether the requirements set by the GDPR are fulfilled.

Obligation: “assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36…” [security measures, notification of data breach and data protection impact assessments] (Art. 28(3)(f))

Aspects to be added:
  1. Details as to how the processor is asked to help the controller meet the listed obligations (e.g. procedures and template forms, allowing the processor to provide all information to the controller).
  2. For breaches: point of contact, a specific time frame for notification (e.g. number of hours), and details as to how the notification should be made.

Obligation: “at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing…” (Art. 28(3)(g))

Aspects to be added:
  1. The process for providing the controller’s instructions as to whether personal data shall be deleted or returned.
  2. The possibility for the data controller to change the choice before the end of the provision of services related to the processing.

Obligation: “makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller” (Art. 28(3)(h) GDPR)

Aspects to be added:
  1. Details on how often and how the flow of information between the processor and the controller should take place.
  2. Details regarding the controller’s ability to carry out inspections and audits and the processor’s duty to assist.
  3. Specific procedures regarding the processor’s and the controller’s inspection of sub-processors.

Obligation: “…the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions” (Art. 28(3), subparagraph 2)

Aspects to be added: the consequences of the processor’s notification of an unlawful instruction given by the controller (e.g. termination of the contract if the controller persists with the unlawful instruction).

The level of detail and/or complexity of the measures and procedures to be included in the agreements need not always be the same. As the guidelines state, these measures and procedures should be tailored to each specific situation. For instance, there is no need to impose particularly stringent protections and procedures on a processor entrusted with a processing activity from which only minor risks arise. In any event, from now on those wishing to observe the EDPB’s recommendations should spend some time rethinking and renegotiating their processing agreements.