When is a data processing agreement required?

Whenever one party processes personal data on behalf of another; GDPR Article 28 makes a written agreement mandatory for that controller-processor relationship.

How fast must a data breach be reported between the parties?

The processor must notify the controller without undue delay; many DPAs fix a hard deadline (often 24 to 72 hours) so the controller can meet its own reporting duty.

Does a DPA need to be updated when a new sub-processor is added?

Yes. The processor must inform the controller in advance and allow a reasonable objection period; simply updating a website list without prior notice may not satisfy the obligation.

Can a processor transfer data outside the EEA?

Only with an appropriate safeguard such as Standard Contractual Clauses (SCCs), an adequacy decision or Binding Corporate Rules. The DPA should specify the transfer mechanism used.

What happens if a processor acts outside the controller's instructions?

The processor may become an independent controller for that processing and bear full GDPR liability for it, including potential fines and data subject claims.

Data Processing Clause

Governs how a processor handles personal data for a controller, as required by GDPR Article 28.

O que é

A data processing clause or agreement (DPA) sets the controller-processor terms required by GDPR Article 28: subject matter, duration, instructions, security measures, sub-processing, breach notification and deletion. It is mandatory whenever one party processes personal data on another's behalf.

Porque é importante

Without a compliant DPA, both parties breach the GDPR and risk fines and liability for data subjects' claims. The clause allocates security duties and breach-notification timing, which is critical when a data incident occurs.

Como aplicar

Document the nature, purpose, duration and categories of data and data subjects.
Require processing only on documented instructions and appropriate security measures.
Set sub-processor approval, breach-notification timing and audit rights.
Address international transfers with an appropriate safeguard (e.g. SCCs).

Exemplo de redação

The Processor shall process Personal Data only on the Controller's documented instructions, implement appropriate technical and organisational measures, and notify the Controller without undue delay of any personal data breach.

Dicas de negociação

• Controllers should require prompt breach notice (e.g. within 24 to 48 hours) and audit rights.
• Processors should pre-list approved sub-processors and use a change-notification mechanism.

Erros frequentes

• Treating the DPA as optional boilerplate rather than a mandatory GDPR requirement.
• Ignoring international transfer safeguards when the processor sits outside the EEA.

Referências jurídicas

GDPR Art. 28 GDPR: processor obligations Direito da UE
Dutch GDPR Implementation Act (Uitvoeringswet AVG)

Salvo indicação em contrário, as referências remetem para o direito neerlandês (Burgerlijk Wetboek, o Código Civil neerlandês); os instrumentos da UE, como o RGPD, aplicam-se em toda a UE. Esta é informação geral, não constitui aconselhamento jurídico. Outras jurisdições tratam estes conceitos de forma diferente. Verifique o texto em vigor e a sua situação com um advogado qualificado.

Perguntas frequentes

Questões comuns sobre esta cláusula.