When is a data processing agreement required?

Whenever one party processes personal data on behalf of another; GDPR Article 28 makes a written agreement mandatory for that controller-processor relationship.

How fast must a data breach be reported between the parties?

The processor must notify the controller without undue delay; many DPAs fix a hard deadline (often 24 to 72 hours) so the controller can meet its own reporting duty.

Does a DPA need to be updated when a new sub-processor is added?

Yes. The processor must inform the controller in advance and allow a reasonable objection period; simply updating a website list without prior notice may not satisfy the obligation.

Can a processor transfer data outside the EEA?

Only with an appropriate safeguard such as Standard Contractual Clauses (SCCs), an adequacy decision or Binding Corporate Rules. The DPA should specify the transfer mechanism used.

What happens if a processor acts outside the controller's instructions?

The processor may become an independent controller for that processing and bear full GDPR liability for it, including potential fines and data subject claims.

Data Processing Clause

Governs how a processor handles personal data for a controller, as required by GDPR Article 28.

What it is

A data processing clause or agreement (DPA) sets the controller-processor terms required by GDPR Article 28: subject matter, duration, instructions, security measures, sub-processing, breach notification and deletion. It is mandatory whenever one party processes personal data on another's behalf.

Why it matters

Without a compliant DPA, both parties breach the GDPR and risk fines and liability for data subjects' claims. The clause allocates security duties and breach-notification timing, which is critical when a data incident occurs.

How to apply it

Document the nature, purpose, duration and categories of data and data subjects.
Require processing only on documented instructions and appropriate security measures.
Set sub-processor approval, breach-notification timing and audit rights.
Address international transfers with an appropriate safeguard (e.g. SCCs).

Sample wording

The Processor shall process Personal Data only on the Controller's documented instructions, implement appropriate technical and organisational measures, and notify the Controller without undue delay of any personal data breach.

Negotiation tips

• Controllers should require prompt breach notice (e.g. within 24 to 48 hours) and audit rights.
• Processors should pre-list approved sub-processors and use a change-notification mechanism.

Common pitfalls

• Treating the DPA as optional boilerplate rather than a mandatory GDPR requirement.
• Ignoring international transfer safeguards when the processor sits outside the EEA.

Legal references

GDPR Art. 28 GDPR: processor obligations EU law
Dutch GDPR Implementation Act (Uitvoeringswet AVG)

Unless marked otherwise, references are to Dutch law (Burgerlijk Wetboek, the Dutch Civil Code); EU instruments such as the GDPR apply across the EU. This is general information, not legal advice. Other jurisdictions treat these concepts differently. Verify the current text and your situation with a qualified lawyer.

Frequently asked questions

Common questions about this clause.