
Need a GDPR compliant data processing agreement?

A properly drafted data processing agreement is crucial to adequately protect data controllers

A GDPR compliant data processing agreement is a complex puzzle to solve, but here is a good template that might ease your life!

In a previous blog post, “New risks for tech suppliers with the GDPR?“, I already covered how the GDPR creates new liabilities for suppliers, including gaming affiliates. But how should those liabilities be regulated?

The drafting of a data processing agreement (or a letter of appointment as data processor, as it is commonly called in Italy) used to be quite straightforward before the adoption of the EU General Data Protection Regulation. But the GDPR sets very stringent requirements to follow.

This is not only because of the list of minimum contents of the data processing agreement expressly provided by article 28 of the EU Privacy Regulation, but also because the GDPR imposes a number of obligations on data processors that need to be adequately regulated in the data processing agreement. The matter is even more complex since data protection authorities have not issued any guidance on it.

In order to help companies comply with the new requirements, my law firm contributed, as part of the International Regulatory Strategy Group, to drafting a sample data processing agreement which is freely available at this link.

This is not meant to be legal advice, and further customizations might be needed to

  • adapt the data processing agreement to the specific business of the data processor, e.g. the same data processing agreement cannot be drafted for an IT supplier, a payroll provider and an insurance agency;
  • provide a checklist in order to assess the level of compliance of the supplier with privacy laws, including the adequacy of its technical measures to meet the standards imposed by the EU General Data Protection Regulation; and
  • prescribe a procedure to notify data breaches, including a template notification form, so that the information potentially to be submitted to the data protection authority, and needed to investigate the data breach, is immediately communicated through a dedicated channel of communication, ensuring that the plan aimed at minimizing the negative effects of the data breach is activated without delay.

Giulio Coraggio

I am the head of the Italian Technology sector and the global head of the IoT and Gaming and Gambling groups at the world-leading law firm DLA Piper. IoT and artificial intelligence influencer and FinTech and blockchain expert, finding solutions to what's next for our clients' success.
