When is a data processing agreement required?

Whenever one party processes personal data on behalf of another; GDPR Article 28 makes a written agreement mandatory for that controller-processor relationship.

How fast must a data breach be reported between the parties?

The processor must notify the controller without undue delay; many DPAs fix a hard deadline (often 24 to 72 hours) so the controller can meet its own reporting duty.

Does a DPA need to be updated when a new sub-processor is added?

Yes. The processor must inform the controller in advance and allow a reasonable objection period; simply updating a website list without prior notice may not satisfy the obligation.

Can a processor transfer data outside the EEA?

Only with an appropriate safeguard such as Standard Contractual Clauses (SCCs), an adequacy decision or Binding Corporate Rules. The DPA should specify the transfer mechanism used.

What happens if a processor acts outside the controller's instructions?

The processor may become an independent controller for that processing and bear full GDPR liability for it, including potential fines and data subject claims.

Data Processing Clause

Governs how a processor handles personal data for a controller, as required by GDPR Article 28.

Cos'e

A data processing clause or agreement (DPA) sets the controller-processor terms required by GDPR Article 28: subject matter, duration, instructions, security measures, sub-processing, breach notification and deletion. It is mandatory whenever one party processes personal data on another's behalf.

Perché conta

Without a compliant DPA, both parties breach the GDPR and risk fines and liability for data subjects' claims. The clause allocates security duties and breach-notification timing, which is critical when a data incident occurs.

Come applicarla

Document the nature, purpose, duration and categories of data and data subjects.
Require processing only on documented instructions and appropriate security measures.
Set sub-processor approval, breach-notification timing and audit rights.
Address international transfers with an appropriate safeguard (e.g. SCCs).

Testo di esempio

The Processor shall process Personal Data only on the Controller's documented instructions, implement appropriate technical and organisational measures, and notify the Controller without undue delay of any personal data breach.

Consigli per la negoziazione

• Controllers should require prompt breach notice (e.g. within 24 to 48 hours) and audit rights.
• Processors should pre-list approved sub-processors and use a change-notification mechanism.

Errori frequenti

• Treating the DPA as optional boilerplate rather than a mandatory GDPR requirement.
• Ignoring international transfer safeguards when the processor sits outside the EEA.

Riferimenti normativi

GDPR Art. 28 GDPR: processor obligations Diritto UE
Dutch GDPR Implementation Act (Uitvoeringswet AVG)

Salvo diversa indicazione, i riferimenti riguardano il diritto olandese (Burgerlijk Wetboek, il Codice Civile olandese); gli strumenti UE come il GDPR si applicano in tutta l'UE. Si tratta di informazioni generali, non di consulenza legale. Altre giurisdizioni trattano questi concetti in modo diverso. Verifichi il testo vigente e la propria situazione con un avvocato qualificato.

Domande frequenti

Domande comuni su questa clausola.