02 Aug Need a GDPR compliant data processing agreement?
GDPR compliant data processing agreements are a complex puzzle to solve, but here is a good template that might ease your life!
This blog post is part of my series of articles on the General Data Protection Regulation (the GDPR) listed below that you may find interesting
The drafting of a data processing agreement (or a letter of appointment as data processor, as it is commonly called in Italy) used to be quite straight forward before the adoption of the EU General Data Protection Regulation. But, the GDPR sets very stringent requirements to follow.
This is not only because of the list of minimum contents of the data processing agreement expressly provided by article 28 of the EU Privacy Regulation, but also because the GDPR provides a number of obligations on data processors that need to adequately regulated in the data processing agreement. Also, the matter is even more complex since data protection authorities did not issue any guidance on it.
In order to help companies to comply with new requirements, my law firm contributed as part of International Regulatory Strategy Group to draft a sample data processing agreement which is freely available at this link.
This is not meant to be legal advice and further customisations might be needed to
- adapt the data processing agreement to the specific business of the data processor e.g. the same data processing agreement cannot be drafted for an IT supplier, a payroll provider or an insurance agency;
- provide for a checklist in order to assess the level of compliance of the supplier with privacy laws, including the adequacy of technical requirements to meet standards imposed by the EU General Data Protection Regulation; and
- prescribe a procedure to notify data breaches, also prescribing a template notification form in order to ensure that the information to be potentially submitted to the data protection authority and to investigate on the data breach is immediately communicated through a dedicated channel of communication to ensure that the plan aimed at minimising the negative effects of the data breach is immediately activated.
As usual, if you found this article interesting, please share it on your favorite social media and register to our newsletter ✉️