What should agreement between data controller and processor contain?

An agreement between a data controller and a data processor, often referred to as a Data Processing Agreement (DPA), must contain several essential clauses to ensure compliance with the General Data Protection Regulation (GDPR). Here are the key elements that should be included:

1. Subject Matter and Duration
- Subject Matter: Clearly define the scope of the data processing activities.
- Duration: Specify the duration for which the data processing will take place.

2. Nature and Purpose of Processing
- Nature: Describe the type of processing activities (e.g., collection, storage, analysis).
- Purpose: Explain the purpose of the data processing (e.g., customer service, marketing).

3. Types of Personal Data and Categories of Data Subjects
- Types of Data: List the types of personal data being processed (e.g., names, email addresses, health data).
- Categories of Data Subjects: Identify the categories of individuals whose data is being processed (e.g., customers, employees).

4. Obligations and Rights of the Controller
- Controller's Obligations: Outline the responsibilities of the data controller, such as ensuring the processor's compliance with GDPR.
- Rights of the Controller: Include the controller's rights to audit and inspect the processor's activities.

5. Processing Instructions
- Documented Instructions: The processor must only process personal data based on the documented instructions from the controller.

6. Confidentiality
- Confidentiality Commitment: Ensure that all individuals who process the data are committed to confidentiality.

7. Security Measures
- Technical and Organizational Measures: Specify the security measures that the processor must implement to protect personal data, in line with Article 32 of the GDPR (e.g., encryption, pseudonymization).

8. Use of Sub-processors
- Authorization: The processor must not engage another processor without prior specific or general written authorization from the controller.
- Liability: The initial processor remains fully liable to the controller for the performance of the sub-processor's obligations.

9. Data Subjects' Rights
- Assistance: The processor must assist the controller in fulfilling its obligations to respond to data subjects' requests (e.g., access, rectification, erasure).

10. Data Breach Notification
- Notification: The processor must notify the controller without undue delay after becoming aware of a personal data breach.

11. Data Deletion and Return
- Post-Contract Obligations: Upon termination of the contract, the processor must delete or return all personal data to the controller, unless Union or Member State law requires storage of the personal data.

12. Demonstrating Compliance
- Audit Rights: The processor must make available all information necessary to demonstrate compliance with the obligations laid down in the agreement and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Including these clauses in a Data Processing Agreement ensures that both the data controller and processor comply with GDPR requirements, thereby protecting the rights of data subjects and maintaining data security.

Join our partners for your winning Certified Chief Data Protection Officer training program.

Connect with them here https://www.bcaa.uk/partners.html