
Need a GDPR compliant data processing agreement?

A properly drafted data processing agreement is crucial to adequately protect data controllers

A GDPR compliant data processing agreement is a complex puzzle to solve, but here is a good template that might ease your life!

This blog post is part of my series of articles on the General Data Protection Regulation (the GDPR), listed below, that you may find interesting.

#1 Which companies shall care about the GDPR?

#2 Will GDPR fines be really massive?

#3 Did you run a privacy impact assessment?

#4 New privacy risks for tech suppliers

#5 What changes with the GDPR one stop shop rule?

#6 How the new privacy data portability right impacts your industry

#7 What issues for Artificial Intelligence with the GDPR?

#8 How to get the best out of data at the time of the GDPR?

#9 Are you able to monitor your suppliers, agents and shops?

#10 What liabilities for the data protection officer?

#11 Are you able to handle a data breach?

#12 Privacy by design, how to do it?

#13 How data on criminal convictions of employees become a privacy risk

#14 Red flag from privacy authorities on technologies at work under the GDPR

#15 Need a GDPR compliant data processing agreement?

#16 Is your customers’ data protected from your employees?

#18 Data retention periods, an intrigued rebus under the GDPR

#19 Legitimate interest and privacy consent, how to use them?

#20 How privacy consent changes with the GDPR?

#21 Privacy information notice: how to make it transparent when it’s complex?

#22 How direct marketing changes with the GDPR?

I already covered, in the previous blog post “New risks for tech suppliers with the GDPR?”, the issues around how the GDPR places new liabilities on suppliers, including gaming affiliates. But how should those suppliers be regulated contractually?

The drafting of a data processing agreement (or a letter of appointment as data processor, as it is commonly called in Italy) used to be quite straightforward before the adoption of the EU General Data Protection Regulation. But the GDPR sets very stringent requirements to follow.

This is not only because article 28 of the EU Privacy Regulation expressly lists the minimum contents of a data processing agreement, but also because the GDPR places a number of obligations directly on data processors that need to be adequately regulated in the agreement. The matter is made even more complex by the fact that data protection authorities have not issued any guidance on it.

In order to help companies comply with the new requirements, my law firm contributed, as part of the International Regulatory Strategy Group, to drafting a sample data processing agreement, which is freely available at this link.

This is not meant to be legal advice, and further customisation might be needed to

  • adapt the data processing agreement to the specific business of the data processor: the same data processing agreement cannot serve an IT supplier, a payroll provider and an insurance agency alike;
  • provide a checklist to assess the supplier's level of compliance with privacy laws, including the adequacy of its technical measures against the standards imposed by the EU General Data Protection Regulation; and
  • prescribe a data breach notification procedure, including a template notification form, so that the information that may have to be submitted to the data protection authority, and that is needed to investigate the breach, is communicated immediately through a dedicated channel, and the plan for minimising the negative effects of the breach is activated without delay.


Giulio Coraggio

I am the head of the Italian Technology sector and the global head of the IoT and Gaming and Gambling groups at the world leading law firm DLA Piper. Top global IoT influencer and FinTech lover, finding solutions to what's next for our clients' success.
