# Data Processing Clause

Source: https://contracko.com/clause-library/data-processing

# Data Processing Clause

Governs how a processor handles personal data for a controller, as required by GDPR Article 28.

## What it is

A data processing clause or agreement (DPA) sets the controller-processor terms required by GDPR Article 28: subject matter, duration, instructions, security measures, sub-processing, breach notification and deletion. It is mandatory whenever one party processes personal data on another's behalf.

## Why it matters

Without a compliant DPA, both parties breach the GDPR and risk fines and liability for data subjects' claims. The clause allocates security duties and breach-notification timing, which is critical when a data incident occurs.

## How to apply it

- Document the nature, purpose, duration and categories of data and data subjects.
- Require processing only on documented instructions and appropriate security measures.
- Set sub-processor approval, breach-notification timing and audit rights.
- Address international transfers with an appropriate safeguard (e.g. SCCs).

## Sample wording

> The Processor shall process Personal Data only on the Controller's documented instructions, implement appropriate technical and organisational measures, and notify the Controller without undue delay of any personal data breach.

## Negotiation tips

- • Controllers should require prompt breach notice (e.g. within 24 to 48 hours) and audit rights.
- • Processors should pre-list approved sub-processors and use a change-notification mechanism.

## Common pitfalls

- • Treating the DPA as optional boilerplate rather than a mandatory GDPR requirement.
- • Ignoring international transfer safeguards when the processor sits outside the EEA.

### How Contracko helps

Contracko's AI review extracts data processing clauses from your vendor and SaaS contracts and flags any that are missing a sub-processor list, audit rights or breach-notification deadline. All DPAs are held in a central, searchable repository so your privacy team can quickly confirm coverage and locate specific agreements during a supervisory authority audit or a data incident.

## Legal references

- [GDPR Art. 28 GDPR: processor obligations EU law](https://eur-lex.europa.eu/eli/reg/2016/679/oj)
- Dutch GDPR Implementation Act (Uitvoeringswet AVG)

Unless marked otherwise, references are to Dutch law (Burgerlijk Wetboek, the Dutch Civil Code); EU instruments such as the GDPR apply across the EU. This is general information, not legal advice. Other jurisdictions treat these concepts differently. Verify the current text and your situation with a qualified lawyer.

## Relevant for

[Software & SaaS](https://contracko.com/industries/software-saas)[AI & Data Companies](https://contracko.com/industries/ai-data)[Healthcare](https://contracko.com/industries/healthcare)[Financial Services](https://contracko.com/industries/financial-services)[Managed Service Providers](https://contracko.com/industries/managed-service-providers)

## Related clauses

- [Confidentiality Clause](https://contracko.com/clause-library/confidentiality)
- [Limitation of Liability Clause](https://contracko.com/clause-library/limitation-of-liability)
- [Indemnification Clause](https://contracko.com/clause-library/indemnification)

## Related terms

- [Data processing agreement (DPA)](https://contracko.com/glossary/data-processing-agreement)
- [GDPR](https://contracko.com/glossary/gdpr)
- [Confidential information](https://contracko.com/glossary/confidential-information)

### Never miss a contract deadline again

- AI finds renewal and notice dates
- Risks and obligations are surfaced automatically
- Reminders help you act before dates slip

Drop a contract to start

PDF, DOCX, PNG, or JPG

[Start 7-day trial](https://app.contracko.com/register?appLanguage=en&utm_source=clause_library_sidebar&utm_medium=lead_magnet&utm_campaign=clause_library_sidebar_contract_upload&content_slug=data-processing&content_title=Data+Processing+Clause&cta_placement=clause_library_sidebar_cta&source_tool=clause_library_sidebar_data-processing)

GDPR compliant. Encrypted. Never used for AI training.

## Frequently asked questions

Common questions about this clause.

- **Q:** When is a data processing agreement required?
  **A:** Whenever one party processes personal data on behalf of another; GDPR Article 28 makes a written agreement mandatory for that controller-processor relationship.

- **Q:** How fast must a data breach be reported between the parties?
  **A:** The processor must notify the controller without undue delay; many DPAs fix a hard deadline (often 24 to 72 hours) so the controller can meet its own reporting duty.

- **Q:** Does a DPA need to be updated when a new sub-processor is added?
  **A:** Yes. The processor must inform the controller in advance and allow a reasonable objection period; simply updating a website list without prior notice may not satisfy the obligation.

- **Q:** Can a processor transfer data outside the EEA?
  **A:** Only with an appropriate safeguard such as Standard Contractual Clauses (SCCs), an adequacy decision or Binding Corporate Rules. The DPA should specify the transfer mechanism used.

- **Q:** What happens if a processor acts outside the controller's instructions?
  **A:** The processor may become an independent controller for that processing and bear full GDPR liability for it, including potential fines and data subject claims.

## Never miss a risky clause again

Contracko automatically reviews every contract for this clause and the obligations it creates.

[Start 7-day free trial](https://app.contracko.com/register?appLanguage=en)

Book demo
