According to the EU General Data Protection Regulation (GDPR), every company that wants a service provider to process personal data on the company’s behalf must have a data protection contract (i.e. an agreement or a contract for data processing on behalf of a controller). Such processors may be salary-accounting offices, data-carrier providers, advertising and marketing agencies, cloud computing providers, web or e-mail hosting companies or freelancers. The free data protection contract template from activeMind.legal helps both parties engaged in the processing of personal data, controllers and processors alike, establish the necessary clarity.
The GDPR has increased the obligations for both controllers and processors. One obligation is to enter into a legally binding contract governing the processing of personal data when a processor (principal or agent) is commissioned to process personal data as instructed by the controller (client).
The data protection contract specifies the rights and obligations of the controller and the processor as well as sub-processors, if applicable. In this way, it is easier to meet the accountability and joint-liability requirements of the GDPR.
The agreement for processing on behalf of a controller ensures that all parties involved properly process personal data; it establishes the primary requirements for the processor to adhere to prior to processing data on behalf of the controller. Thus, among other stipulations, the contract guarantees that the processor only processes the data entrusted to him/her for the purposes for which the controller collected the data. Above all, the processor is obligated to protect the data to an adequate extent. In order to ensure that this level of data protection is actually provided by the processor, the controller is granted comprehensive supervisory rights in the contract.
The data protection agreement has to be adapted to the respective processor and his/her functions. An important component of the contract is an appendix that details the technical and organizational measures with which the processor guarantees the data protection and information security of the data provided.