What is a data protection contract?
The GDPR has increased the obligations for both controllers and processors. One obligation is to enter into a legally binding contract governing the processing of personal data when a processor (principal or agent) is commissioned to process personal data as instructed by the controller (client).
The data protection contract specifies the rights and obligations of the controller and the processor as well as sub-processors, if applicable. In this way, it is easier to meet the accountability and joint-liability requirements of the GDPR.
The agreement for processing on behalf of a controller ensures that all parties involved process personal data properly; it establishes the primary requirements the processor must meet before processing data on behalf of the controller. Thus, among other stipulations, the contract guarantees that the processor only processes the data entrusted to it for the purposes for which the controller collected the data. Above all, the processor is obligated to protect the data to an adequate extent. To ensure that this level of data protection is actually provided by the processor, the controller is granted comprehensive supervisory rights in the contract.
The data protection agreement has to be adapted to the respective processor and its functions. An important component of the contract is an appendix that details the technical and organizational measures with which the processor guarantees the data protection and information security of the data provided.