The introduction of the General Data Protection Regulation (GDPR) has caused a lot of confusion. The GDPR is key to privacy law within the European Union (EU) but will also apply to some Australian businesses. If the GDPR applies to your business, you need to know when you will need a data processing agreement. This article will explain whether the GDPR will apply to your company and whether you need a data processing agreement.

Does the GDPR Apply to You?

Before understanding what a data processing agreement is, you will need to know if the GDPR applies to you. The GDPR will apply to you if you:

  • have a physical business presence in the EU; 
  • target your products or services to people in the EU (for example, by selling in Euros or offering your services); or
  • monitor the purchasing behaviour of residents of the EU.

Are You a Controller or Processor?

Under the GDPR, you are categorised by the type of data processing that your business carries out. You will either be characterised as a:

  • controller; or 
  • processor.

If the GDPR applies to you, you need to know whether you are a controller or a processor. This is also important as it will affect your obligations under a data processing agreement.

A controller is a business that decides which personal data to collect and then uses that personal data. 

For example, if you are a florist and you collect the names and contact details of your customers, you are a controller.

A processor is a business which processes personal data on behalf of another business. 

For example, if you are the delivery company that delivers flowers to the florist’s customers, you are a data processor. This is because you do not have a direct link to the customer. Instead, you only have access to the customers’ personal data because of the florist.

Your business could be both a controller and processor depending on the type of data you deal with. Using the example of the delivery driver, you may be the controller of a personal contact number of an employee at the florist. As such, you would be a controller of that information and a processor of the customer information.

What is the Relationship Between Controllers and Processors?

Data controllers and data processors need to work closely together and share information. The relationship between a data controller and a data processor should be based on trust.

The GDPR sets out specific promises which a data processor must make to a data controller. It also requires the data processor to take particular actions. 

A processor must only use personal data from a controller with the controller’s permission. 

For example, if you are the delivery driver and the florist’s customer asks you to erase their personal data, you must first tell the florist.

What is a Data Processing Agreement?

A data processing agreement is the contract between the controller and the processor. This agreement will explain the data handling rules within their relationship, including:

  • what the processor and the controller will provide to each other; and 
  • who has legal responsibility for the data.

The document must clearly outline the legal relationship between the controller and processor and any key requirements under the law.

For example, a processor must allow the controller to audit their business to check they are correctly complying with the GDPR. A data processing agreement will explain details like: 

  • the rules on how a controller can ask to audit the processor;
  • how often audits can occur; and 
  • how the audit will be completed.

This helps to ensure that the controller and the processor agree on daily procedures.

Data Processing Agreements for Controllers

If you are a controller, you will need a data processing agreement to ensure the processor is legally obligated to assist with your legal obligations.

A data processor may already have their own data processing agreement prepared. This may be in a separate document, or it will be incorporated in their terms of service.

If a data processor has their own data processing agreement, you should read it carefully and check that it meets your requirements. If you need the processor’s assistance to comply with the GDPR later down the line, you will be limited to what is outlined within the data processing agreement.

Data Processing Agreements for Processors

If you are a processor, it is best to draft your own data processing agreement. This is because a data processing agreement will set out the steps you must take to assist the controller. 

As you will have the most responsibilities in the relationship, you will want to limit these steps to what you are able to practically take on. Therefore, your risk of finding yourself in trouble for not completing certain actions will be minimised.

Key Takeaways

If the GDPR applies to you, you will need to figure out whether you are a controller or a processor. Knowing which category you fall into will impact your responsibilities under a data processing agreement. If you are a data controller, having a data processing agreement in place will outline how processors can handle the data you provide them. As a data processor, you should prepare your own agreement for the controller so you can limit your legal responsibility over the data. If you have any questions about whether you need a data processing agreement, contact LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
Jacqueline Gibson

Get a Free Quote Now

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

  • We will be in touch shortly with a quote. By submitting this form, you agree to receive emails from LegalVision and can unsubscribe at any time. See our full Privacy Policy.
  • This field is for validation purposes and should be left unchanged.

Our Awards

  •  Top 20 Startups in Australia - 2018 LinkedIn Startups List Top 20 Startups in Australia - 2018 LinkedIn Startups List
  • NewLaw Firm of the Year – 2019 Australian Law Awards NewLaw Firm of the Year – 2019 Australian Law Awards
  • Law Firm of the Year Finalist – 2018 Australasian Law Awards Law Firm of the Year Finalist – 2018 Australasian Law Awards
  • AFR Fast 100 List – 2018 Australian Financial Review AFR Fast 100 List – 2018 Australian Financial Review
  • NewLaw Firm of the Year – 2017 Australian Law Awards NewLaw Firm of the Year – 2017 Australian Law Awards
  • Most Innovative Law Firm - 2019 Australasian Lawyer Most Innovative Law Firm - 2019 Australasian Lawyer

Privacy Policy Snapshot

We collect and store information about you. Let us explain why we do this.

What information do you collect?

We collect a range of data about you, including your contact details, legal issues and data on how you use our website.

How do you collect information?

We collect information over the phone, by email and through our website.

What do you do with this information?

We store and use your information to deliver you better legal services. This mostly involves communicating with you, marketing to you and occasionally sharing your information with our partners.

How do I contact you?

You can always see what data you’ve stored with us.

Questions, comments or complaints? Reach out on 1300 544 755 or email us at info@legalvision.com.au

View Privacy Policy