GDPR

How to draft a GDPR data processing agreement with an IT service provider

The GDPR imposes obligations on processors, including IT service providers, as well as on controllers. These rules make each party's responsibilities in a data processing arrangement explicit, and processors are drawing up standard contractual clauses to meet them.

Reading time: 2 min

Understanding GDPR processing carried out by an IT service provider

The GDPR treats as a processor any entity that processes personal data on behalf of a controller (Articles 4(7) and 4(8)). This includes providers of "turnkey" solutions that handle personal data.

For example, a web agency that accesses the personal data of its professional clients' own customers is a processor. It must act only on the controller's documented instructions and comply with the processor obligations of Article 28 of the GDPR.

Conversely, if the processor uses this data for its own purposes, thereby determining the purposes and means of the processing, it is treated as a controller in respect of that processing (Article 28(10)).

Why is a clear GDPR contract essential?

The parties must conclude a written contract containing the provisions required by Article 28 of the GDPR. A lawyer specialising in the GDPR can, for instance, set out the parties' obligations in the contract, incorporate the mandatory provisions and make sure they are actually implemented.

Defining and framing the processing of data

Your GDPR contract must detail the subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects concerned, and the obligations and rights of the controller (Article 28(3)).

Any processing not covered by the contract requires documented instructions from the controller or a renegotiation of the contract.

The contract must also govern the engagement of other processors: under Article 28(2), the processor may not engage a sub-processor without the controller's prior specific or general written authorisation.

Ensuring secure GDPR processing with the help of a lawyer

A lawyer's help is valuable for structuring the security obligations, although security itself rests on the measures actually implemented. Documented procedures demonstrate compliance with the GDPR: the use of compliant tools, technical and organisational security measures appropriate to the risk (Article 32), and assistance with requests from data subjects.

GDPR processing by an IT service provider must follow these obligations scrupulously.

Navigating the GDPR can be complex, and in France compliance is supervised by the CNIL. Working with a specialised lawyer will help secure your operations, comply with the regulation and protect personal data.

For any further questions or assistance in drafting your GDPR data processing agreement in the context of an IT service provider, please contact me.

To learn more

When is an IT service provider a GDPR processor?

As soon as it processes personal data on behalf of a client, in accordance with that client's instructions. A web agency that accesses the data of its professional clients' own customers is a processor. This also includes turnkey solutions handling personal data. This status triggers the obligations of Articles 4 and 28 of the GDPR.

Can the service provider become a controller?

Yes. If the service provider uses the data for its own purposes, beyond the client's instructions, it becomes a controller for that specific processing. The characterisation therefore depends on the actual use of the data. This shift entails different obligations and must be clearly identified to avoid any confusion.

Why is a clear GDPR contract with your service provider essential?

Because Article 28 of the GDPR requires a contract containing mandatory provisions between the controller and the processor. This contract sets out each party's obligations, incorporates the required provisions and ensures their implementation. It is a precondition for the compliance of the relationship and protects both parties in the event of a CNIL inspection.

What must the contract specify regarding the processing of data?

The contract must detail the subject matter, duration, nature and purpose of the processing, as well as the categories of data and the data subjects concerned. Any processing not provided for requires written instructions or a renegotiation. The contract also governs the engagement of other processors by the IT service provider.

How can GDPR processing with a service provider be secured?

By putting in place procedures documenting compliance with the GDPR: compliant tools, technical security, assistance with requests to exercise rights, written instructions, and keeping a record on behalf of the controller. The support of a lawyer makes it possible to structure these obligations and guarantee their effectiveness.

Does the CNIL inspect IT data processing arrangements?

Yes. The CNIL may inspect the compliance of processing arrangements, verify the existence of an Article 28 contract and check compliance with security and documentation obligations. A processor or a controller whose processing chain is not compliant is exposed to enforcement measures and sanctions.

What security obligations apply to the processor?

The processor must guarantee a level of technical security appropriate to the risk, use tools compliant with the GDPR, document its measures and be able to demonstrate them at any time. It also helps the controller respond to requests from data subjects and manage data breaches. These obligations must be set out in the contract.

Who drafts the GDPR data processing agreement?

A lawyer specialising in the GDPR is best placed to set out the parties' obligations, incorporate the provisions of Article 28 and ensure their implementation. They tailor the contract to the reality of the IT service and secure operations, in order to protect both the controller and the processor.

