The introduction of the General Data Protection Regulation (GDPR) has caused a lot of confusion. The GDPR is key to privacy law within the European Union (EU) but will also apply to some Australian businesses. If the GDPR applies to your business, you need to know when you will need a data processing agreement. This article will explain whether the GDPR will apply to your company and whether you need a data processing agreement.

Does the GDPR Apply to You?

Before understanding what a data processing agreement is, you will need to know if the GDPR applies to you. The GDPR will apply to you if you:

  • have a physical business presence in the EU; 
  • target your products or services to people in the EU (for example, by selling in Euros or offering your services); or
  • monitor the purchasing behaviour of residents of the EU.

Are You a Controller or Processor?

Under the GDPR, you are categorised by the type of data processing that your business carries out. You will either be characterised as a:

  • controller; or 
  • processor.

If the GDPR applies to you, you need to know whether you are a controller or a processor. This is also important as it will affect your obligations under a data processing agreement.

A controller is a business that decides which personal data to collect and then uses that personal data. 

For example, if you are a florist and you collect the names and contact details of your customers, you are a controller.

A processor is a business which processes personal data on behalf of another business. 

For example, if you are the delivery company that delivers flowers to the florist’s customers, you are a data processor. This is because you do not have a direct link to the customer. Instead, you only have access to the customers’ personal data because of the florist.

Your business could be both a controller and a processor, depending on the type of data you deal with. Returning to the delivery example, you may be the controller of a personal contact number of an employee at the florist. In that case, you would be a controller of that information and a processor of the customer information.

What is the Relationship Between Controllers and Processors?

Data controllers and data processors need to work closely together and share information. The relationship between a data controller and a data processor should be based on trust.

The GDPR sets out specific promises which a data processor must make to a data controller. It also requires the data processor to take particular actions. 

A processor must only use personal data from a controller with the controller’s permission. 

For example, if you are the delivery driver and the florist’s customer asks you to erase their personal data, you must first tell the florist.

What is a Data Processing Agreement?

A data processing agreement is the contract between the controller and the processor. This agreement will explain the data handling rules within their relationship, including:

  • what the processor and the controller will provide to each other; and 
  • who has legal responsibility for the data.

The document must clearly outline the legal relationship between the controller and processor and any key requirements under the law.

For example, a processor must allow the controller to audit their business to check they are correctly complying with the GDPR. A data processing agreement will explain details like: 

  • the rules on how a controller can ask to audit the processor;
  • how often audits can occur; and 
  • how the audit will be completed.

This helps to ensure that the controller and the processor agree on daily procedures.

Data Processing Agreements for Controllers

If you are a controller, you will need a data processing agreement to ensure the processor is legally obligated to assist with your legal obligations.

A data processor may already have their own data processing agreement prepared. This may be in a separate document, or it may be incorporated in their terms of service.

If a data processor has their own data processing agreement, you should read it carefully and check that it meets your requirements. If you need the processor’s assistance to comply with the GDPR later down the line, you will be limited to what is outlined within the data processing agreement.

Data Processing Agreements for Processors

If you are a processor, it is best to draft your own data processing agreement. This is because a data processing agreement will set out the steps you must take to assist the controller. 

As you will have the most responsibilities in the relationship, you will want to limit these steps to what you can practically take on. This minimises your risk of finding yourself in trouble for not completing certain actions.

Key Takeaways

If the GDPR applies to you, you will need to figure out whether you are a controller or a processor. Knowing which category you fall into will impact your responsibilities under a data processing agreement. If you are a data controller, having a data processing agreement in place will outline how processors can handle the data you provide them. As a data processor, you should prepare your own agreement for the controller so you can limit your legal responsibility over the data. If you have any questions about whether you need a data processing agreement, contact LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.

