Data processing contract


It should be made clear up front that contracts are an area where specific legal advice should be sought. The detail given below gives an insight into the requirement stated within the GDPR. It will also be useful as a starting point to check the status of your current contracts.


In any instance where your organisation is processing personal data, check the contractual arrangements that are in place. Pay particular attention to where information is passed such as partners, suppliers, software and cloud services as these are not always overt.

How to:

The required contractual elements are quite extensive. The list below indicates the required areas and will serve as a basis for your checks:

  • Confidentiality of processing
  • Responsibilities around data breach
  • Requirements for Data Protection Impact Assessments
  • How data will be erased or recovered
  • Infringement
  • Measures to be implemented and how they will be tested
  • Details of any onward processing
  • Availability of audits/reports
  • Details of data transfers
  • Technical measures such as encryptions and provisions for data accuracy

The existence of the above areas in themselves does not prove compliance with the regulation. If you have any doubt you should seek legal advice on the content/suitability of your contractual position.


  • GDPR Recitals: 32, 43, 60, 61, 63, 68, 81, 109,
  • GDPR Articles: 7, 13, 28, 29, 32

How Gydeline helps

We, at Gydeline, help small and medium sized organisations save money and time by building systems, processes and policies that simplify their business and support their sustainability aims.  We do this with a range of services.

If you would like to discuss any aspects of dealing with this and other risks in your business we are always happy to offer some, free, no obligation assistance – just contact us.

Related Posts