ARTICLE
12 May 2026

Drafting a GDPR-Compliant Data Processing Agreement

Jackson Lewis P.C.

Service providers handling employee personal data under EU and UK GDPR must execute data processing agreements with specific mandated provisions.

Service providers often receive or access a customer’s personal information when performing contracted services. In the employment context, service providers may include payroll processors, Human Resource Information System (HRIS) or Applicant Tracking System (ATS) platforms, outsourced IT support, data storage, AI tool providers, or security services.

Under the EU and UK General Data Protection Regulations (GDPR), an employer (data controller) is required to execute a written data processing agreement (DPA) with a service provider (data processor) who will receive or access employee personal data. The DPA is intended to protect the rights of employees and ensure that service providers process their personal data in a compliant manner.

A GDPR DPA must contain a meaningful description of the processing activities (i.e., the subject matter and duration, nature and purpose, categories of personal data, and data subjects) and specific non-negotiable provisions. These mandated provisions include, for example:

  • processing solely on the data controller’s documented instructions,
  • data breach notification obligations,
  • restrictions on sub-processor engagement,
  • appropriate safeguards to be implemented by the processor,
  • authorization for onward transfers of data,
  • assistance with data processing impact assessments and data subject access requests,
  • deletion or return of data, and
  • audit rights.

In addition, if an employer transfers employee personal data from the EU or UK to a service provider in a third country that lacks an “adequacy decision” (e.g., the U.S.) or permits the service provider to access employee personal data in the EU or UK from a third country, the parties must use an appropriate “transfer mechanism”. This may require appending the EU Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreement (IDTA) to the DPA and completing a documented Transfer Impact Assessment.

While a GDPR DPA requires specific provisions, the employer may incorporate additional terms tailored to its interests. Common additions include indemnification provisions and limitations on liability for data-specific risks such as the processor’s material breach of the DPA, violation of applicable data protection law, or a personal data breach. The parties may negotiate the implementation terms for certain mandated provisions, such as the window for breach notification; the scope, frequency, and cost allocation of an audit; the manner for approving sub-processors; or whether personal data will be returned or deleted upon completion of the services. Although the DPA terms must require a processor to implement appropriate security measures to safeguard personal data, the GDPR is not prescriptive about specific measures. As a result, the employer should specify the required technical safeguards, as appropriate to the sensitivity of the employee’s personal data and the processing activity.

Even though every DPA must contain the mandated provisions, it should also be tailored to the specific processing activity, the nature and sensitivity of the personal data, and the employer’s risk exposure. Without this tailoring, a GDPR DPA may be non-compliant or create unnecessary risk for the employer and its personal data. To help manage this risk and prevent delays in the contracting process, employers can prepare and maintain a DPA template that reflects their interests and specific requirements and can be adapted to each processing activity.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
