Reading time: 5 minutes

The introduction of the General Data Protection Regulation (GDPR) has caused a lot of confusion. The GDPR is key to privacy law within the European Union (EU) but will also apply to some Australian businesses. If the GDPR applies to your business, you need to know when you will need a data processing agreement. This article will explain whether the GDPR will apply to your company and whether you need a data processing agreement.

Does the GDPR Apply to You?

Before understanding what a data processing agreement is, you will need to know if the GDPR applies to you. The GDPR will apply to you if you:

  • have a physical business presence in the EU; 
  • target your products or services to people in the EU (for example, by selling in Euros or offering your services); or
  • monitor the purchasing behaviour of residents of the EU.

Are You a Controller or Processor?

Under the GDPR, you are categorised by the type of data processing that your business carries out. You will either be characterised as a:

  • controller; or 
  • processor.

If the GDPR applies to you, you need to know whether you are a controller or a processor. This is also important as it will affect your obligations under a data processing agreement.

A controller is a business that decides which personal data to collect and then uses that personal data. 

For example, if you are a florist and you collect the names and contact details of your customers, you are a controller.

A processor is a business which processes personal data on behalf of another business. 

For example, if you are the delivery company that delivers flowers to the florist’s customers, you are a data processor. This is because you do not have a direct link to the customer. Instead, you only have access to the customers’ personal data because of the florist.

Your business could be both a controller and processor depending on the type of data you deal with. Using the example of the delivery driver, you may be the controller of a personal contact number of an employee at the florist. As such, you would be a controller of that information and a processor of the customer information.

What is the Relationship Between Controllers and Processors?

Data controllers and data processors need to work closely together and share information. The relationship between a data controller and a data processor should be based on trust.

The GDPR sets out specific promises which a data processor must make to a data controller. It also requires the data processor to take particular actions. 

A processor must only use personal data from a controller with the controller’s permission. 

For example, if you are the delivery driver and the florist’s customer asks you to erase their personal data, you must first tell the florist.

What is a Data Processing Agreement?

A data processing agreement is the contract between the controller and the processor. This agreement will explain the data handling rules within their relationship, including:

  • what the processor and the controller will provide to each other; and 
  • who has legal responsibility for the data.

The document must clearly outline the legal relationship between the controller and processor and any key requirements under the law.

For example, a processor must allow the controller to audit their business to check they are correctly complying with the GDPR. A data processing agreement will explain details like: 

  • the rules on how a controller can ask to audit the processor;
  • how often audits can occur; and 
  • how the audit will be completed.

This helps to ensure that the controller and the processor agree on daily procedures.

Data Processing Agreements for Controllers

If you are a controller, you will need a data processing agreement to ensure the processor is legally obligated to assist with your legal obligations.

A data processor may already have their own data processing agreement prepared. This may be in a separate document, or it will be incorporated in their terms of service.

If a data processor has their own data processing agreement, you should read it carefully and check that it meets your requirements. If you need the processor’s assistance to comply with the GDPR later down the line, you will be limited to what is outlined within the data processing agreement.

Data Processing Agreements for Processors

If you are a processor, it is best to draft your own data processing agreement. This is because a data processing agreement will set out the steps you must take to assist the controller. 

As you will have the most responsibilities in the relationship, you will want to limit these steps to what you are able to practically take on. Therefore, your risk of finding yourself in trouble for not completing certain actions will be minimised.

Key Takeaways

If the GDPR applies to you, you will need to figure out whether you are a controller or a processor. Knowing which category you fall into will impact your responsibilities under a data processing agreement. If you are a data controller, having a data processing agreement in place will outline how processors can handle the data you provide them. As a data processor, you should prepare your own agreement for the controller so you can limit your legal responsibility over the data. 

LegalVision cannot provide legal assistance with this topic. We recommend you contact your local law society.


How Franchisors Can Avoid Misleading and Deceptive Conduct

Wednesday 18 May | 11:00 - 11:45am

Ensure your franchise is not accused of misleading and deceptive conduct. Register for our free webinar today.
Register Now

New Kid on the Blockchain: Understanding the Proposed Laws for Crypto, NFT and Blockchain Projects

Wednesday 25 May | 10:00 - 10:45am

If you operate in the crypto space, ensure you understand the Federal Government’s proposed licensing and regulation changes. Register today for our free webinar.
Register Now

How to Expand Your Business Into a Franchise

Thursday 26 May | 11:00 - 11:45am

Drive rapid growth in your business by turning it into a franchise. To learn how, join our free webinar. Register today.
Register Now

Day in Court: What Happens When Your Business Goes to Court

Thursday 2 June | 11:00 - 11:45am

If your business is going to court, then you need to understand the process. Our free webinar will explain.
Register Now

How to Manage a Construction Dispute

Thursday 9 June | 11:00 - 11:45am

Protect your construction firm from disputes. To understand how, join our free webinar.
Register Now

Startup Financing: Venture Debt 101

Thursday 23 June | 11:00 - 11:45am

Learn how venture debt can help take your startup to the next level. Register for our free webinar today.
Register Now

About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.

By becoming a member, you'll have an experienced legal team ready to answer your questions, draft and review your contracts, and resolve your disputes. All the legal assistance your business needs, for a low monthly fee.

Learn more about our membership

Our Awards

  • 2020 Innovation Award 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice Award 2020 Employer of Choice Winner – Australasian Lawyer
  • 2020 Financial Times Award 2021 Fastest Growing Law Firm - Financial Times APAC 500
  • 2020 AFR Fast 100 List - Australian Financial Review
  • 2021 Law Firm of the Year Award 2021 Law Firm of the Year - Australasian Law Awards
  • 2019 Most Innovative Firm - Australasian Lawyer