EDPB’s New Update On Data Processing Agreements

The European Data Protection Board (EDPB) has issued earlier this month an opinion on the standard contractual clauses in compliance with Article 28 GDPR, containing some important insights and commentaries on provisions of data processing agreements, which define the controller-processor relations.

Among others, the EDPB determined that while the data processing agreement (DPA) must contain a general part of provisions, the DPA must also contain a specific part that has to be completed by the parties with regard to the specific processing which the agreement seeks to govern, with respect to the commercial engagement between the parties.

Agreements which merely restate the provisions of Article 28 are inadequate to comply with the GDPR.

In addition, the EDPB has elaborated on certain provisions with respect to controllers’ rights in controlling the processing, processors obligations, the use of sub-contractors, cross-border transfers, inspection and audit, implementing data subject rights, etc.

For further reading press here. If you have any further questions about this opinion or if your templates needs any amendment, please contact Adv. Lior Etgar, head of the Data Protection and Privacy Practice of our firm.