When is a data processing agreement required?

Whenever one party processes personal data on behalf of another; GDPR Article 28 makes a written agreement mandatory for that controller-processor relationship.

How fast must a data breach be reported between the parties?

The processor must notify the controller without undue delay; many DPAs fix a hard deadline (often 24 to 72 hours) so the controller can meet its own reporting duty.

Does a DPA need to be updated when a new sub-processor is added?

Yes. The processor must inform the controller in advance and allow a reasonable objection period; simply updating a website list without prior notice may not satisfy the obligation.

Can a processor transfer data outside the EEA?

Only with an appropriate safeguard such as Standard Contractual Clauses (SCCs), an adequacy decision or Binding Corporate Rules. The DPA should specify the transfer mechanism used.

What happens if a processor acts outside the controller's instructions?

The processor may become an independent controller for that processing and bear full GDPR liability for it, including potential fines and data subject claims.

Data Processing Clause

Governs how a processor handles personal data for a controller, as required by GDPR Article 28.

Qué es

A data processing clause or agreement (DPA) sets the controller-processor terms required by GDPR Article 28: subject matter, duration, instructions, security measures, sub-processing, breach notification and deletion. It is mandatory whenever one party processes personal data on another's behalf.

Por qué importa

Without a compliant DPA, both parties breach the GDPR and risk fines and liability for data subjects' claims. The clause allocates security duties and breach-notification timing, which is critical when a data incident occurs.

Cómo aplicarla

Document the nature, purpose, duration and categories of data and data subjects.
Require processing only on documented instructions and appropriate security measures.
Set sub-processor approval, breach-notification timing and audit rights.
Address international transfers with an appropriate safeguard (e.g. SCCs).

Ejemplo de redacción

The Processor shall process Personal Data only on the Controller's documented instructions, implement appropriate technical and organisational measures, and notify the Controller without undue delay of any personal data breach.

Consejos de negociación

• Controllers should require prompt breach notice (e.g. within 24 to 48 hours) and audit rights.
• Processors should pre-list approved sub-processors and use a change-notification mechanism.

Errores frecuentes

• Treating the DPA as optional boilerplate rather than a mandatory GDPR requirement.
• Ignoring international transfer safeguards when the processor sits outside the EEA.

Referencias legales

GDPR Art. 28 GDPR: processor obligations Derecho de la UE
Dutch GDPR Implementation Act (Uitvoeringswet AVG)

Salvo indicación en contrario, las referencias remiten al derecho neerlandés (Burgerlijk Wetboek, el Código Civil neerlandés); los instrumentos de la UE como el RGPD se aplican en toda la UE. Se trata de información general, no de asesoramiento legal. Otras jurisdicciones tratan estos conceptos de forma distinta. Verifique el texto vigente y su situación con un abogado cualificado.

Preguntas frecuentes

Preguntas comunes sobre esta cláusula.