GDPR
The adoption of the General Data Protection Regulation (GDPR) has created additional obligations for processors and controllers, to which data processing agreements must adapt.
These new rules have prompted a growing awareness of the responsibilities and obligations relating to data processing, illustrated in particular by the development of standard contractual clauses by processors.
Where one entity handles personal data on behalf of another, it is regarded as a processor under the GDPR. The same applies to providers of "turnkey" solutions that process personal data on their clients' behalf.
Here, in carrying out its assignments, the web development agency has access to the personal data of the clients of its business clients.
As a result, this IT provider must ensure that it complies with the instructions given by the controller (the business that owns the website or application), and the parties must set out the obligations incumbent on each of them on the basis of the applicable rules (Articles 4(7), 4(8) and 28(10) of the GDPR).
However, if the processor uses the data from this processing for its own purposes (e.g. customer management, accounting), it is regarded as a controller for that specific processing.
The controller and the processor must draw up a contract that includes several mandatory provisions under Article 28 of the GDPR.
The role of a qualified lawyer in this process is to organise the respective obligations of the two parties, to incorporate all the mandatory provisions according to the situation, and to give effect to these obligations.
Your GDPR contract must clearly define the subject matter, duration, nature and purpose of the processing, as well as the categories of data and of data subjects.
Any processing operation not provided for in the contract requires written instructions from the controller or a renegotiation of the contract.
This contract also makes it possible to set out the conditions under which the IT provider may engage other processors.
Procedures may also be put in place to document compliance, to make available to the controller at any time the documents evidencing compliance with the GDPR, or to ensure that:
The obligations are numerous and must be complied with by the processor in the course of its activities.
Whether you are a controller or a processor, working with a GDPR lawyer to draft your data processing agreement will secure your operations by enabling you to comply with the rules and protect the personal data you process.
If you have any further questions or need assistance drafting your GDPR data processing agreement, please do not hesitate to contact me.
To learn more
The GDPR defines a processor as any entity that processes personal data on behalf of a controller. A web agency that accesses the data of its clients' customers is a processor. Turnkey solutions that process personal data are too. This status carries its own obligations.
It depends on how the data is used. Where it processes the data according to its client's instructions, the agency is a processor. But if it uses that data for its own purposes (customer management, accounting), it becomes a controller for that specific processing. The classification can therefore vary depending on the operations.
Yes. Article 28 of the GDPR requires a contract between the controller and the processor, containing mandatory provisions. This contract frames each party's obligations and conditions the compliance of the processing arrangement. Its absence constitutes a breach, exposing both parties to liability in the event of a CNIL audit.
The contract must define the subject matter, duration, nature and purpose of the processing, as well as the categories of data and of data subjects. Any operation not provided for requires written instructions from the controller or a renegotiation. It also frames the possible engagement of other processors.
The processor must act on written instructions, ensure technical security, assist the controller in responding to requests to exercise data subjects' rights, document its compliance, maintain a record on behalf of the controller and use only compliant tools. It must also notify breaches and allow audits.
Yes, but in a controlled manner. The contract must set out the conditions for engaging a sub-processor, which in principle requires the controller's authorisation and the transfer of the same data protection obligations. This processing chain must remain under control in order to preserve overall compliance.
Any processing operation not provided for in the contract requires written instructions from the controller or a renegotiation of the contract. The processor cannot decide alone on new purposes or new uses of the data. This framework protects the controller and strictly delimits the processor's role.
Because Article 28 of the GDPR requires specific provisions and a rigorous organisation of obligations. A lawyer tailors the contract to the actual situation, incorporates all the mandatory provisions and sets up the procedures for evidencing compliance. This secures operations and protects the data processed in the event of an audit.