Need a GDPR compliant data processing agreement?

GDPR compliant data processing agreements are a complex puzzle to solve, but here is a good template that might ease your life!

I have already covered, in this blog post, how the GDPR creates new liabilities for suppliers, including gaming affiliates. But how should those suppliers be regulated?

Drafting a data processing agreement (or a letter of appointment as data processor, as it is commonly called in Italy) used to be quite straightforward before the adoption of the EU General Data Protection Regulation. The GDPR, however, sets very stringent requirements that must be followed.

This is not only because of the list of minimum contents of the data processing agreement expressly provided by article 28 of the EU Privacy Regulation, but also because the GDPR imposes a number of obligations on data processors that need to be adequately regulated in the data processing agreement. The matter is made even more complex by the fact that data protection authorities have not issued any guidance on it.

In order to help companies comply with the new requirements, my law firm contributed, as part of the International Regulatory Strategy Group, to the drafting of a sample data processing agreement which is freely available at this link.

This is not meant to be legal advice, and further customisations might be needed to:

  • adapt the data processing agreement to the specific business of the data processor, e.g. the same data processing agreement cannot be used for an IT supplier, a payroll provider and an insurance agency;
  • provide a checklist to assess the supplier's level of compliance with privacy laws, including the adequacy of its technical measures against the standards imposed by the EU General Data Protection Regulation; and
  • prescribe a procedure for notifying data breaches, including a template notification form, so that the information which may have to be submitted to the data protection authority, and which is needed to investigate the data breach, is immediately communicated through a dedicated channel, and the plan aimed at minimising the negative effects of the data breach is activated without delay.

I hope that the template is useful. On the same topic, you may also find my series of blog posts on the General Data Protection Regulation interesting:

#1 Which companies shall care about it?

#2 Will fines be really massive?

#3 Did you run a privacy impact assessment?

#4 New risks for tech suppliers

#5 What changes with the one stop shop rule?

#6 How the new privacy data portability right impacts your industry

#7 What issues for Artificial Intelligence?

#8 How to get the best out of data?

#9 Are you able to monitor your suppliers, agents and shops?

#10 What liabilities for the data protection officer?

#11 Are you able to handle a data breach?

#12 Privacy by design, how to do it?

#13 How data on criminal convictions of employees become a privacy risk

#14 Red flag from privacy authorities on technologies at work

#15 Need a GDPR compliant data processing agreement?

#16 Is your customers’ data protected from your employees?

#18 Data retention periods, an intrigued rebus under the GDPR

#19 Legitimate interest and privacy consent, how to use them?

#20 How privacy consent changes with the GDPR?

And as usual, if you found this article interesting, please share it on your favourite social media.



IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper. You can contact me via email at giulio.coraggio@gmail.com or giulio.coraggio@dlapiper.com or via phone at +39 334 688 1147.
