GDPR

What the GDPR brings to drafting data processing agreements

The adoption of the General Data Protection Regulation (GDPR) has created additional obligations for processors and controllers, to which data processing agreements must adapt.

Reading time: 3 min

These new rules have prompted a growing awareness of the responsibilities and obligations relating to data processing, illustrated in particular by the development of standard contractual clauses by processors.

Understanding your role as a GDPR processor

Where one entity handles personal data on behalf of another, it is regarded as a processor under the GDPR. The same applies to "turnkey" solutions that process personal data.

Take the example of a web development agency: in carrying out its assignments, it has access to the personal data of its business clients' own customers.

As a result, this IT provider must ensure that it complies with the instructions set by the controller (the business that owns the website or application) and must set out the various obligations incumbent on each of them on the basis of the applicable rules (Articles 4.7, 4.8 and 28.10 of the GDPR).

However, if the processor uses the data from this processing for its own purposes (e.g. customer management, accounting), it is regarded as a controller for that specific processing.

Why is it crucial to have a clear GDPR contract?

The controller and the processor must draw up a contract that includes several mandatory provisions under Article 28 of the GDPR.

The role of a qualified lawyer in this process is to organise the respective obligations of the two parties, to incorporate all the mandatory provisions according to the situation, and to give effect to these obligations.

How to define and frame the data processing?

Your GDPR contract must clearly define the subject matter, duration, nature and purpose of the processing, as well as the categories of data and of data subjects.

Any processing operation not provided for in the contract requires written instructions from the controller or a renegotiation of the contract.

This contract also makes it possible to set out the conditions under which the IT provider may engage other processors.

Ensuring GDPR-compliant processing with the help of a lawyer

Procedures may be put in place to document compliance with the GDPR, to make the documents evidencing that compliance available to the controller at any time, and to ensure that:

  • the processor uses GDPR-compliant tools;
  • technical security is maintained;
  • the processor assists the controller in responding to requests from data subjects to exercise their rights in connection with the collection;
  • the controller's instructions are given in writing;
  • the processor maintains and draws up a record of processing activities on behalf of the controller.

The obligations are numerous and must be complied with by the processor in the course of its activities.

In short, navigating the sometimes murky waters of the GDPR can be complex.

Whether you are a controller or a processor, working with a GDPR lawyer to draft your data processing agreement will secure your operations by enabling you to comply with the rules and protect the personal data you process.

If you have any further questions or need assistance drafting your GDPR data processing agreement, please do not hesitate to contact me.

To learn more

What is a processor within the meaning of the GDPR?

The GDPR defines a processor as any entity that processes personal data on behalf of a controller. A web agency that accesses the data of its clients' customers is a processor. Turnkey solutions that process personal data are too. This status carries its own obligations.

Is a web agency a processor or a controller?

It depends on how the data is used. Where it processes the data according to its client's instructions, the agency is a processor. But if it uses that data for its own purposes (customer management, accounting), it becomes a controller for that specific processing. The classification can therefore vary depending on the operations.

Is a GDPR data processing agreement mandatory?

Yes. Article 28 of the GDPR requires a contract between the controller and the processor, containing mandatory provisions. This contract frames each party's obligations and conditions the compliance of the processing arrangement. Its absence constitutes a breach, exposing both parties to liability in the event of a CNIL audit.

What must a GDPR data processing agreement define?

The contract must define the subject matter, duration, nature and purpose of the processing, as well as the categories of data and of data subjects. Any operation not provided for requires written instructions from the controller or a renegotiation. It also frames the possible engagement of other processors.

What obligations rest on the processor under Article 28?

The processor must act on written instructions, ensure technical security, assist the controller in responding to requests to exercise data subjects' rights, document its compliance, maintain a record on behalf of the controller and use only compliant tools. It must also notify breaches and allow audits.

Can the processor engage another processor?

Yes, but in a controlled manner. The contract must set out the conditions for engaging a sub-processor, which in principle requires the controller's authorisation and the transfer of the same data protection obligations. This processing chain must remain under control in order to preserve overall compliance.

What happens if an operation is not provided for in the contract?

Any processing operation not provided for in the contract requires written instructions from the controller or a renegotiation of the contract. The processor cannot decide alone on new purposes or new uses of the data. This framework protects the controller and strictly delimits the processor's role.

Why have your data processing agreement drafted by a lawyer?

Because Article 28 of the GDPR requires specific provisions and a rigorous organisation of obligations. A lawyer tailors the contract to the actual situation, incorporates all the mandatory provisions and sets up the procedures for evidencing compliance. This secures operations and protects the data processed in the event of an audit.
