info@caneghem.be +32 495 58 54 45	
Scheme for the amendment or drafting of
processing contracts to comply with the
General Data Protection Regulation (GDPR)
November 2017
The General Data Protection Regulation of April 27, 2016, requires a written
processing contract (or other legal act) between data controllers and data
processors.
The GDPR also regulates the minimum content of the processing contracts.
Below follows an overview of the requirements of the GDPR for the content of
the processing contracts with a reference to the specific provisions of the
regulation and a suggested practical drafting approach.
Article
Text of the GDPR article and a recommended drafting approach

28.1 «The controller shall use only processors providing sufficient guarantees to implement
appropriate technical and organisational measures in such a manner that processing will
meet the requirements of this Regulation and ensure the protection of the rights of the
data subject.»
• Document the technical and organisational capabilities of the processor, either by
referring to a standard obtained by the processor (see art. 28.5: adherence to an
approved code of conduct or an approved certification mechanism may be used as an
element to demonstrate sufficient guarantees) or to a schedule that documents those
capabilities.
• Make the maintenance of these standards a condition for the continuation of the
contract.
28.2	 «The processor shall not engage another processor without prior specific or general
written authorisation of the controller. In the case of general written authorisation, the
processor shall inform the controller of any intended changes concerning the addition or
replacement of other processors, thereby giving the controller the opportunity to object to
such changes.»
• Provide a general written authorisation in the contract and specify that the processor
must inform the controller of any changes in sub-processors, to which the controller will
have the opportunity to object;
• alternatively, provide that a specific authorisation will be needed for each sub-processor.
28.3		 «Processing by a processor shall be governed by a contract or other legal act under
Union or Member State law, that is binding on the processor with regard to the controller
and that sets out the subject-matter and duration of the processing, the nature and
purpose of the processing, the type of personal data and categories of data subjects and
the obligations and rights of the controller.»
• Provide a reference to a schedule that contains (a) the subject matter of the
processing; (b) the nature and the purpose of the processing; (c) the type of personal
data and categories of data subjects.
• Prepare and attach the schedule;
• Reserve to the controller the right to change the schedule under certain conditions
and/or spell out the consequences if the parties do not agree on changes to the
schedule.
• Specify the obligations and rights of the controller in the contract.
• Insert a clause that sets the duration;
• Insert a clause that spells out the termination rights and conditions and the
consequences of termination.
28.3 (a)
«That contract or other legal act shall stipulate, in particular, that the processor:
(a) processes the personal data only on documented instructions from the controller,
including with regard to transfers of personal data to a third country or an international
organization, unless required to do so by Union or Member State law to which the
processor is subject; and that, in such a case, the processor shall inform the controller of
that legal requirement before processing, unless that law prohibits such information on
important grounds of public interest»
• Insert a clause that borrows the language of art. 28.3 (a).
28.3 (b)
«That contract or other legal act shall stipulate, in particular, that the processor: (b)
ensures that persons authorised to process the personal data have committed
themselves to confidentiality or are under an appropriate statutory obligation of
confidentiality»
• Provide a default confidentiality clause or standard in the contract to be used by the
processor in its relations with its personnel or contractors and/or make a reference
to the applicable statutory obligation of confidentiality.
28.3 (c)
« That contract or other legal act shall stipulate, in particular, that the processor: (c) takes
all measures required pursuant to Article 32*»

• List the measures of art. 32 that are deemed appropriate either in the contract or in a
schedule to the contract (see: * below).
• List the measures of art. 32 that are not deemed appropriate and document why.
This documentation is to be included in a schedule to the contract and in the
compliance documentation of each party.
• Insert a clause in the contract that provides for flexibility in case of changing
circumstances.
28.3 (d)
« That contract or other legal act shall stipulate, in particular, that the processor: (d)
respects the conditions referred to in paragraphs 2 and 4 for engaging another
processor»
• Provide that the processor shall respect the conditions of art. 28.2 and art. 28.4 for
appointing a sub-processor.
• Provide that the processor shall pass on all its obligations to a sub-processor, in
particular the obligations to take appropriate technical and organisational measures
so that processing meets the requirements of the Regulation and ensures the
protection of the rights of the data subject (art. 28.1) and the obligations under
art. 28.3, while remaining fully liable to the controller for the sub-processor.
28.3 (e)
«That contract or other legal act shall stipulate, in particular, that the processor: (e)
taking into account the nature of the processing, assists the controller with appropriate
technical and organisational measures, insofar as this is possible, for the fulfilment of the
controller's obligation to respond to requests for exercising the data subject's rights laid
down in Chapter III»

• Specify this obligation in the contract, if possible at a reasonable level of practical
detail.
28.3 (f)
« That contract or other legal act shall stipulate, in particular, that the processor: (f)
assists the controller in ensuring compliance with the obligations pursuant to articles 32
to 36 taking into account the nature of processing and the information available to the
processor»

Provide sections in the contract that oblige the processor to assist the controller:
• in keeping personal data secure (art. 32);
• in notifying personal data breaches to the supervisory authority (art. 33);
• in communicating personal data breaches to the data subjects concerned (art. 34);
• in carrying out data protection impact assessments (art. 35);
• in consulting the supervisory authority prior to high-risk processing (art. 36).

28.3 (g)
«That contract or other legal act shall stipulate, in particular, that the processor: (g) at
the choice of the controller, deletes or returns all the personal data to the controller
after the end of the provision of services relating to processing, and deletes existing
copies unless Union or Member State law requires storage of the personal data»

• Provide this obligation at a reasonable level of practical detail (time limits, records to be
kept to demonstrate compliance…).

28.3 (h)
«That contract or other legal act shall stipulate, in particular, that the processor: (h)
makes available to the controller all information necessary to demonstrate compliance
with the obligations laid down in this article and allow for and contribute to audits,
including inspections, conducted by the controller or another auditor mandated by the
controller»

• State this obligation in the contract.
• Provide a section in the contract or a separate annex that specifies this
obligation, in particular the audit conditions, at a reasonable level of
practical detail.
28.3, second subparagraph
«With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its
opinion, an instruction infringes this Regulation or other Union or Member State data
protection provisions.»
• Include this as an obligation for the processor in the contract.

* Art. 32 (extract)
«Taking into account the state of the art, the costs of implementation and the
nature, scope, context and purposes of processing as well as the risk of varying
likelihood and severity for the rights and freedoms of natural persons, the controller
and the processor shall implement appropriate technical and organisational
measures to ensure a level of security appropriate to the risk, including inter alia as
appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and
resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely
manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of
technical and organisational measures for ensuring the security of the processing.»