GDPR
The GDPR imposes obligations on controllers and on processors, including IT service providers that process personal data on their clients' behalf. These rules make clear who is responsible for what in a data processing arrangement, and processors are increasingly adopting standard contractual clauses to meet them.
The GDPR treats as a processor any entity that processes personal data on behalf of another entity, the controller. This includes providers of "turnkey" solutions (hosted or packaged services) that handle personal data for their clients.
For example, a web agency that accesses the personal data of its professional clients' own customers is a processor. It must act only on the controller's documented instructions. Its status follows from the definitions in Article 4(7) (controller) and Article 4(8) (processor) of the GDPR, and Article 28 sets out the obligations attached to that status.
The distinction matters: under Article 28(10), if the processor uses the data for its own purposes, determining the purposes and means of processing itself, it is treated as a controller for that processing.
The parties must put in place a contract containing the provisions required by Article 28 of the GDPR. In practice this is often drafted by a lawyer specialising in the GDPR, who sets out each party's obligations in the agreement, incorporates the mandatory clauses and checks that they are actually implemented.
Your GDPR contract must detail the subject matter, duration, nature and purpose of the processing. It must also specify the categories of data and the data subjects concerned.
Any processing not provided for in the contract requires new written instructions from the controller or a renegotiation of the contract.
The contract also governs the engagement of sub-processors by the IT service provider, which requires the controller's prior written authorisation, whether specific or general.
A lawyer's help is valuable in structuring these obligations. Written procedures document compliance with the GDPR: they cover the use of compliant tools and appropriate technical security measures, and they organise the assistance the processor owes the controller in handling requests from data subjects.
GDPR processing by an IT service provider must follow these obligations scrupulously.
Navigating the GDPR can be complex, and in France the CNIL, the supervisory authority, enforces it. Working with a specialised lawyer helps secure your operations, comply with the regulation and protect personal data.
For any further questions or assistance in drafting your GDPR data processing agreement in the context of an IT service provider, please contact me.
To learn more
When does an IT service provider become a processor?
As soon as it processes personal data on behalf of a client, in accordance with that client's instructions. A web agency that accesses the data of its professional clients' own customers is a processor, as is the provider of a turnkey solution handling personal data. This status triggers the definitions of Article 4 and the obligations of Article 28 of the GDPR.
Can a processor become a controller?
Yes. If the service provider uses the data for its own purposes, beyond the client's instructions, it becomes a controller for that specific processing (Article 28(10)). The characterisation therefore depends on the actual use of the data. This shift entails different obligations and must be clearly identified to avoid any confusion.
Why is a contract required?
Because Article 28 of the GDPR requires a contract containing mandatory provisions between the controller and the processor. This contract sets out each party's obligations, incorporates the required provisions and ensures their implementation. It is a precondition for the compliance of the relationship and protects both parties in the event of a CNIL inspection.
What must the contract contain?
The contract must detail the subject matter, duration, nature and purpose of the processing, as well as the categories of data and the data subjects concerned. Any processing not provided for requires written instructions or a renegotiation. The contract also governs the engagement of sub-processors by the IT service provider, which requires the controller's prior written authorisation.
How does a processor demonstrate compliance?
By putting in place procedures documenting compliance with the GDPR: compliant tools, technical security measures, assistance with requests to exercise rights, written instructions, and keeping a record of the processing carried out on behalf of the controller (Article 30(2)). The support of a lawyer makes it possible to structure these obligations and guarantee their effectiveness.
Can the CNIL inspect a processor?
Yes. The CNIL may inspect the compliance of processing arrangements, verify the existence of an Article 28 contract and check compliance with security and documentation obligations. A processor or a controller whose processing chain is not compliant is exposed to enforcement measures and sanctions.
What security obligations does the processor have?
The processor must guarantee a level of technical and organisational security appropriate to the risk, use tools compliant with the GDPR, document its measures and be able to demonstrate them at any time. It also helps the controller respond to requests from data subjects and must notify the controller without undue delay after becoming aware of a personal data breach. These obligations must be set out in the contract.
Who should draft the agreement?
A lawyer specialising in the GDPR is best placed to set out the parties' obligations, incorporate the provisions of Article 28 and ensure their implementation. They tailor the contract to the reality of the IT service and secure operations, in order to protect both the controller and the processor.