
The European Union’s (EU) General Data Protection Regulation (GDPR) impacts how Australian businesses collect and process personal data globally. A business which fails to comply with the GDPR can face hefty fines of up to €20 million or 4% of annual global turnover, whichever is greater. Consequently, you should know your obligations under the GDPR, including your responsibilities when processing data. This article summarises whether the GDPR will apply to your business and what you may need to include in your data processing agreement.

Does the GDPR Apply to My Business?

The GDPR applies to your business if you collect data and you are:

  • established in the EU;
  • offering goods or services to EU-based individuals (whether free or paid); or
  • monitoring EU residents’ behaviour.

After establishing whether the GDPR applies to your business, you should determine whether you are a ‘controller’ or a ‘processor’. Understanding this distinction will assist you in meeting your obligations relating to the personal data you collect. Personal data refers to information which identifies an individual, such as their name, phone number or medical records.

A controller refers to a business which decides how personal data will be processed, whereas a business will be considered a processor if it deals with or processes data on another business’s instructions.

Processed data refers to data which has undergone an operation, such as:

  • collection;
  • organisation;
  • storage;
  • adaptation; or
  • alteration.

What is a Data Processing Agreement?

Under the GDPR, if a processor deals with data, then there must be a contract in place which binds the processor and controller. A data processing agreement is exactly this — a legally binding document between a processor and a controller which follows the rules set out in the GDPR.

The data processing agreement covers data processing as well as the relationship between the parties. Further, the agreement helps the parties understand their respective obligations and liabilities and should assist them in complying with the GDPR.

The data processing agreement does not need to be drafted as a new and separate document. Instead, businesses may include a data processing agreement as an addendum or schedule to an existing commercial agreement. If so, these documents will be referred to as a data processing addendum or data processing schedule. Regardless of how you draft and refer to the agreement, the substance should be the same.

When Do I Need a Data Processing Agreement?

Under the GDPR, controllers must make sure that the personal data they handle remains safe and protected. Similarly, the GDPR requires data processors to implement technical and organisational measures which will protect consumers’ data and keep them compliant with the GDPR.

It is a legal requirement under the GDPR for controllers and processors to have an agreement in place. However, a controller should not simply rely on the expertise of processors to handle their users’ data, since a controller may still be liable for a processor’s data breaches. Therefore, controllers should be careful to choose processors which have adequate measures in place to limit the likelihood of data breaches occurring.

Within Australia, there are a number of steps you must take to respond to a data breach. These include:

  • assessing the seriousness of the breach;
  • notifying the Office of the Australian Information Commissioner and the people affected by the breach; and
  • recommending how the people affected by the breach should respond, such as by changing their password or enabling two-factor authentication.

What Should a Data Processing Agreement Include?

The data processing agreement should bind the processor to the controller and include essential information such as the:

  • subject-matter of the data processing;
  • duration of the processing;
  • nature and purpose of the processing;
  • type of personal data that will be processed (such as medical or financial records);
  • identities of the people or businesses whose data will be processed; and
  • controller’s rights and obligations.

The data processing agreement should also specify the processor’s obligations, and in particular should set out that the processor:

  • only processes personal data requested by the controller, including transfers of personal data to non-EU countries or international organisations;
  • ensures that whoever is authorised to process the personal data will keep all information confidential;
  • implements appropriate technical and organisational measures to ensure the personal data is secure, for example by using encryption;
  • must not delegate to sub-processors without the data controller’s written consent;
  • assists the controller in responding to requests from data subjects when they exercise their rights under the GDPR;
  • supports the controller in ensuring compliance with its obligations in relation to data breach or data protection impact assessments;
  • deletes or returns all personal data to the controller when the controller so decides; and
  • will assist the controller’s compliance with the GDPR, such as by helping out with audits and inspections. A clause should also set out that the processor must inform the controller if one of the controller’s instructions infringes the GDPR or any other data regulation.

Key Takeaways

If your business collects or processes personal data and you fall under the scope of the GDPR, you will be considered either a ‘controller’ or a ‘processor’. The GDPR requires a processor to be bound to a controller through a data processing agreement. This agreement should set out the relationship between the parties and how the data should be processed. A controller should also be aware that they may be liable for a processor’s data breaches. Consequently, a controller should endeavour to be aware of the processor’s data processes and their level of organisation.

Overall, this is a complex area of law and there is no one size fits all approach for data processing agreements. If you need help drafting a data processing agreement or would like to discuss your obligations under the GDPR, call LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.
