gdpr-dpa-art28
Establishing Data Processing Agreements
Overview
Article 28(3) GDPR requires that processing by a processor be governed by a contract or other legal act that is binding on the processor and that sets out specific mandatory elements. This skill details the descriptive elements the DPA must record (subject-matter, duration, nature, purpose, data types, data subjects, controller obligations and rights) and all eight mandatory processor clauses in Art. 28(3)(a) to (h), provides a compliance checklist, and references the 2021 EU Standard Contractual Clauses for controller-to-processor transfers.
Art. 28(3) Mandatory Elements
Element 1: Subject-Matter, Duration, Nature and Purpose
The DPA must specify the subject-matter of the processing (what processing is being carried out), the duration (aligned with the term of the underlying service contract, so that the DPA does not lapse while data is still being processed), the nature of the processing (collection, storage, analysis, deletion, etc.), and the purpose of the processing.
Element 2: Type of Personal Data
The DPA must list the specific categories of personal data being processed (names, email addresses, financial data, health data, etc.).
Element 3: Categories of Data Subjects
The DPA must identify which data subjects are affected (employees, customers, website visitors, patients, etc.).
Element 4: Obligations and Rights of the Controller
The DPA must set out the obligations and rights of the controller. In practice this is expressed as the controller's documented instructions to the processor, which define what the processor is authorised to do with the data; any processing outside those instructions requires a new documented instruction from the controller, and the controller retains the right to issue further instructions during the term of the DPA.