A GDPR-compliant data processing agreement is a complex puzzle to solve, but here is a good template that might ease your life!
This blog post is part of my series of articles on the General Data Protection Regulation (the GDPR) listed below, which you may find interesting.
In my previous blog post “New risks for tech suppliers with the GDPR?“, I already covered how the GDPR creates new liabilities for suppliers, including gaming affiliates. But how should those suppliers be regulated?
The drafting of a data processing agreement (or a letter of appointment as data processor, as it is commonly called in Italy) used to be quite straightforward before the adoption of the EU General Data Protection Regulation. But the GDPR sets very stringent requirements to follow.
This is not only because of the list of minimum contents of the data processing agreement expressly provided by article 28 of the EU Privacy Regulation, but also because the GDPR imposes a number of obligations on data processors that need to be adequately regulated in the data processing agreement. The matter is even more complex since data protection authorities have not issued any guidance on it.
In order to help companies comply with the new requirements, my law firm contributed, as part of the International Regulatory Strategy Group, to drafting a sample data processing agreement which is freely available at this link.
This is not meant to be legal advice, and further customizations might be needed to:
- adapt the data processing agreement to the specific business of the data processor, e.g., the same data processing agreement cannot be drafted for an IT supplier, a payroll provider and an insurance agency;
- provide a checklist to assess the supplier's level of compliance with privacy laws, including the adequacy of its technical measures against the standards imposed by the EU General Data Protection Regulation; and
- prescribe a procedure for notifying data breaches, including a template notification form, so that the information that may have to be submitted to the data protection authority, and that is needed to investigate the data breach, is immediately communicated through a dedicated channel of communication, and the plan aimed at minimizing the negative effects of the data breach is immediately activated.