Data Processor Agreement

From Open Risk Manual


Transfers of Personal Data from a Data Controller to a Data Processor must be secured by a Data Processor Agreement. It must meet certain minimum requirements, as set forth by Article 28 of the General Data Protection Regulation and Article 29 of Regulation (EU) 2018/1725.

The contract must stipulate that the data processor shall act only on instructions from the data controller. The data processor must provide sufficient guarantees in respect of the technical security measures and organisational measure governing the processing to be carried out, and must ensure compliance with such measures.