The introduction of the General Data Protection Regulation (GDPR) has caused a lot of confusion. The GDPR is key to privacy law within the European Union (EU) but will also apply to some Australian businesses. If the GDPR applies to your business, you need to know when you will need a data processing agreement. This article will explain whether the GDPR will apply to your company and whether you need a data processing agreement.
Does the GDPR Apply to You?
Before understanding what a data processing agreement is, you will need to know if the GDPR applies to you. The GDPR will apply to you if you:
- have a physical business presence in the EU;
- target your products or services to people in the EU (for example, by pricing in Euros or offering your services to EU customers); or
- monitor the purchasing behaviour of residents of the EU.
Are You a Controller or Processor?
Under the GDPR, you are categorised by the type of data processing that your business carries out. You will be characterised as either a:
- controller; or
- processor.
If the GDPR applies to you, you need to know whether you are a controller or a processor. This is also important as it will affect your obligations under a data processing agreement.
A controller is a business that decides which personal data to collect and then uses that personal data.
A processor is a business which processes personal data on behalf of another business.
Your business could be both a controller and a processor, depending on the type of data you deal with. Using the example of the delivery driver, you may be the controller of the personal contact number of an employee at the florist. As such, you would be a controller of that information and a processor of the customer information.
What is the Relationship Between Controllers and Processors?
Data controllers and data processors need to work closely together and share information. The relationship between a data controller and a data processor should be based on trust.
The GDPR sets out specific promises which a data processor must make to a data controller. It also requires the data processor to take particular actions.
A processor must only use personal data from a controller with the controller’s permission.
What is a Data Processing Agreement?
A data processing agreement is the contract between the controller and the processor. This agreement will explain the data handling rules within their relationship, including:
- what the processor and the controller will provide to each other; and
- who has legal responsibility for the data.
The document must clearly outline the legal relationship between the controller and processor and any key requirements under the law.
Data Processing Agreements for Controllers
If you are a controller, you will need a data processing agreement to ensure the processor is legally obligated to assist you in meeting your own obligations under the GDPR.
A data processor may already have their own data processing agreement prepared. This may be a separate document, or it may be incorporated into their terms of service.
If a data processor has their own data processing agreement, you should read it carefully and check that it meets your requirements. If you later need the processor's assistance to comply with the GDPR, you will be limited to what is set out in the data processing agreement.
Data Processing Agreements for Processors
If you are a processor, it is best to draft your own data processing agreement. This is because a data processing agreement will set out the steps you must take to assist the controller.
As you will have the most responsibilities in the relationship, you will want to limit these steps to those you can practically take on. This minimises the risk of being held liable for failing to complete an action you agreed to.
Key Takeaways
If the GDPR applies to you, you will need to figure out whether you are a controller or a processor. Knowing which category you fall into will impact your responsibilities under a data processing agreement. If you are a data controller, having a data processing agreement in place will outline how processors can handle the data you provide them. As a data processor, you should prepare your own agreement for the controller so you can limit your legal responsibility over the data.
For more information on your business obligations, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.