Data processing Contract

The obligation to conclude a data processing contract is based on Article 28/3 of the GDPR:

“Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”

Typically, your company will be act as the “controller” and a 3rd party company will act as the “processor” in the sense of the GDPR. For example, you may store data on 3rd party computer systems, or you may have a contract with a software vendor for a cloud solution or for web hosting. In exceptional cases, you will also store and process data for your customers on their behalf. In this case, the roles would be reversed and your company is acting as processor and your client as controller. In both cases you have to conclude a data processing contract.

With the attached template we provide you an example in English language which considers the minimum content of such an agreement according to Article 28/3 of the GDPR. To consider your national legislation it is highly recommended to use a proved local version of a data processing contract.

Sample of „Data processing agreement   (.docx)