Any Data Controller that is subject to GDPR, will need to have in place an appropriate Data Processing Agreement with any third party that it shares data with, where that third party is a processor, as defined under GDPR.

GDPR applies to both Controllers and Processors that are established in the EU (e.g. have EU legal entities) but also to any Controller and Processor not located in the EU, where the processing activities are related to either the offering of goods or services to data subjects in the EU.

Many Processors are offering hosted or cloud services, which are not EU located, but which clearly cause the Processor to be caught by GDPR.

Controllers or Processors not established in the EU but where they come under GDPR, must designate in writing and appoint a representative, who must be established in a member state where the data subjects, whose data are being processed by the Controller or Processor, are located (or the majority of them are located).

GDPR is quite specific about the duties of the Controller and the Processor and indeed Article 28 (3) of GDPR states that there must be a contract in writing between the Controller and Processor which clearly sets out the subject matter of the processing and its duration as well as the nature and purposes of processing, the types of personal data and any particular special categories of data and the obligations and rights of both parties.

Failure to have in place a suitable Data Processing Agreement is a breach of the law under GDPR and therefore we strongly advise Controllers that they should now be carrying out an audit of all their existing contracts with Processors to establish if those contracts already comply with GDPR and in addition going forward put in place due diligence requirements in respects of contracts that are going to be entered into, to which GDPR will apply.

Changes in GDPR

This new regulation, the General Data Protection Regulation (GDPR), which came into force on 25th May 2018, acts to strengthen the core values of the 1995 Data Protection Directive with additional principles and rights. The two overarching principles of...