Practical Guide to Data Processing Agreements (GDPR)
Learn how to draft compliant Data Processing Agreements under GDPR Art 28, pick the right SCCs for transfers, and manage controller-processor roles.
Start by confirming who is the controller and who is the processor for each workflow. Under GDPR Articles 4 and 28, a Data Processing Agreement (DPA) is mandatory whenever a processor handles personal data for a controller. Your DPA should specify scope, duration, purpose, data categories, and data subject types, plus each party's obligations and rights. Map data flows and systems before drafting, so the annexes are accurate. LegalDocs.ai can generate role-specific DPAs from your inputs and flag gaps across vendors and subprocessors.
Article 28(3) lists the required clauses: confidentiality, documented instructions, security measures (see GDPR Art 32), subprocessor approval and flow-down, assistance with data subject requests (Arts 12 and 15-22), breach notice to the controller without undue delay (Art 33(2)), deletion or return of data at the end of services, and audits. Make these operational: attach a technical and organizational measures annex, define SLA times for requests and breach alerts, and align audit rights with reasonable notice. LegalDocs.ai templates include pre-built annexes you can tailor to your stack.
For cross-border transfers, add the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 and complete a transfer impact assessment per Schrems II. Document supplementary measures where needed (encryption, pseudonymization, access limits). If transferring from the UK, use the IDTA or the UK Addendum to the EU SCCs. Cascade transfer terms to subprocessors and review annually. LegalDocs.ai assembles SCC modules, TIAs, and subprocessor lists from your data map so you can execute and monitor reliably.