The GDPR Data Processing Agreement under Article 28
The GDPR requires a controller to put a written data processing agreement in place before a third-party vendor (the processor) carries out any processing of personal data on its behalf. The required terms of that agreement are set out in Article 28 of the General Data Protection Regulation.
Article 28(3) lists eight items the written contract must specifically address:
The processor processes personal data only on documented instructions from the controller, unless Union or Member State law to which the processor is subject requires otherwise. In that case the processor must inform the controller of the legal requirement before processing, unless the law prohibits such notice on important grounds of public interest. This instruction requirement also covers transfers of personal data to a third country or an international organization.
The processor must ensure that the persons it authorizes to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The processor must take all measures required by Article 32 (security of processing), which governs the technical and organizational measures that protect personal data.
The processor shall not engage another processor (a sub-processor) without the prior specific or general written authorization of the controller. Where the authorization is general, the controller must be informed of any intended addition or replacement of sub-processors and given the opportunity to object. The processor must also impose the same data protection obligations set out in the controller-processor contract on each sub-processor, and it remains fully liable to the controller for the sub-processor's performance. This is consistent with the GDPR placing responsibility for compliance and vendor management on the controller.
The processor shall assist the controller, by appropriate technical and organizational measures and insofar as possible, in fulfilling the controller's obligation to respond to requests from data subjects exercising their rights.
The processor shall assist the controller in ensuring compliance with the obligations in Articles 32 through 36 (security of processing, breach notification to the supervisory authority, breach communication to data subjects, data protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available to the processor.
At the end of the processing services, the processor shall, at the choice of the controller, delete or return all personal data to the controller and delete existing copies, unless Union or Member State law requires the processor to keep the data.
The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations of GDPR Article 28, and shall allow for and contribute to audits, including inspections, conducted by the controller or an auditor the controller mandates. Under this point the processor must also immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
Other Components of the Data Processor Agreement
The agreement between the controller and the processor shall also set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data to be processed, the categories of data subjects, and the obligations and rights of the controller.
Other Obligations of Controllers concerning Data Processing Agreements
Controllers remain responsible for ensuring that processing carried out on their behalf complies with the GDPR.
Controllers shall use only processors that provide sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of the GDPR and protects the rights of data subjects.