Data processing agreements and GDPR review

Data processing agreements should not be signed once and forgotten. Although many contracts were adapted to the GDPR years ago, companies should review them whenever providers, services, subprocessors, security measures, international transfers or processing activities change.

The goal is not to comply with a past deadline, but to keep the legal framework between controller and processor up to date. An old, generic or inconsistent agreement may create risks during audits, security breaches, AEPD inspections or customer claims.

What is a data processing agreement?

A data processing agreement regulates the relationship between the controller (the party that decides the purposes and means of processing) and the processor (the party that processes personal data on the controller's behalf). It is mandatory whenever a provider accesses personal data in order to deliver a service.

The minimum content is set out in Article 28 GDPR and complemented by the Spanish Data Protection Act. You can also read our main guide on data processing agreements under the GDPR.

When should a data processing agreement be updated?

The agreement should be reviewed and updated when any of these situations occur:

  • A new provider accesses personal data.
  • The provider changes the service or starts processing new data.
  • Subprocessors or external tools are added.
  • International transfers or data locations change.
  • Security measures, hosting, support or maintenance change.
  • A security breach or relevant incident occurs.
  • The contract uses pre-GDPR or overly generic clauses.
  • The company changes its activity, systems or categories of data subjects.

What should an updated agreement include?

An updated agreement should describe the subject matter, duration, nature and purpose of processing; categories of data; types of data subjects; controller instructions; confidentiality; security measures; subprocessors; assistance with rights; cooperation in breaches and what happens to data when the service ends.

It should also explain how instructions, audits, compliance evidence and communications between the parties are documented. The more critical the service, the more detailed the agreement should be.

Common mistakes

  • Using generic templates that do not match the real service.
  • Misidentifying controller and processor roles.
  • Forgetting subprocessors, hosting or cloud tools.
  • Failing to regulate security breach assistance.
  • Not defining what happens to data when the contract ends.
  • Not reviewing international transfers.
  • Not keeping evidence of acceptance and validity.

How to perform a practical review

The most efficient method is to compare the provider inventory with the record of processing activities. For each provider, the company should check whether it accesses personal data, what service it provides, what data it processes, where data is hosted, whether subprocessors exist and which agreement is signed.

Then, higher-risk providers should be prioritised: management software, hosting, advisers, IT maintenance, marketing platforms, HR tools, cloud services and any provider with access to sensitive data or large volumes of information.

Frequently asked questions

Are pre-GDPR agreements still valid?

They may be insufficient if they do not include Article 28 GDPR requirements. They should be reviewed and updated when they do not reflect the real service or current obligations.

Is an agreement needed with every provider?

Only where the provider processes personal data on behalf of the company. If it does not access personal data, a processor agreement may not be necessary, although the assessment should be documented.

What if the provider uses subprocessors?

They must be authorised under the agreement and equivalent safeguards must exist. The controller should know or be able to control that subcontracting chain.

How often should these contracts be reviewed?

There is no single frequency, but they should be reviewed in periodic audits and whenever the service, provider, processing or risk changes.

Conclusion

Updating data processing agreements is a basic GDPR compliance measure. It is not just about signing documents, but about ensuring that each provider processes data under documented instructions, with appropriate safeguards and clearly assigned responsibilities.
