One of the key obligations under the General Data Protection Regulation is to frame the relationship between data controllers and processors where personal data is transferred between them. This requires auditing existing agreements to ensure the appropriate provisions are in place. Where they are not, an addendum must be signed to incorporate them.

What must a DPA include?

Article 28 of the GDPR sets out the mandatory provisions that must appear in all agreements between controllers and processors:

  • The processor’s obligation to act only on the controller’s documented instructions, and the prohibition on processing data without such instructions.
  • The obligation to ensure confidentiality.
  • The detail of security measures to be implemented.
  • The conditions for engaging sub-processors.
  • Assistance to the controller in responding to data subject rights requests.
  • Assistance with security, breach notification and impact assessment obligations.
  • The obligation to delete or return personal data at the end of the agreement.
  • Making available all information necessary to demonstrate compliance.

Each party’s obligations must be set out with precision. In the event of an inspection by the supervisory authority, this information must be produced on request. The DPA is typically included as a schedule to the SaaS agreement. For subprocessor-related issues, see the article on subprocessing in SaaS.

Resources for compliance

The main reference is the CNIL website. Standard processing clauses drafted by CNIL lawyers are available at: https://www.cnil.fr/fr/sous-traitance-exemple-de-clauses. They can be adapted to most non-sensitive personal data processing and offer various options for allocating responsibilities.

International data transfers

Where the processing relationship involves transfers of personal data outside the European Economic Area, specific conditions apply. Since the invalidation of the Privacy Shield by the CJEU (Schrems II, 16 July 2020), the primary transfer mechanism is the standard contractual clauses (SCCs) adopted by the European Commission in June 2021. For transfers to the United States, the EU-US Data Privacy Framework (DPF) adopted in July 2023 provides an alternative transfer basis, provided the US recipient is certified under the framework.

It is advisable to carry out a Transfer Impact Assessment (TIA) to verify that the level of data protection in the destination country is adequate. For an overview of the key provisions in a SaaS agreement, see the SaaS contracting guide.

Conclusion

Bringing your contracts into GDPR compliance is not a theoretical exercise. It is an obligation verified by supervisory authorities and by your customers. A DPA that complies with Article 28 and up-to-date transfer mechanisms protect you from sanctions and strengthen your partners’ confidence. If you need to audit your agreements, book a call.

Other posts


Blog image
SaaS Exit Fees Under the Data Act: What You Can Challenge

The Data Act limits what SaaS vendors can charge when you switch providers. Permitted fees, prohibited charges, and the 2027 deadline explained.

Lire Plus
Blog image
How to Terminate a SaaS Agreement Under the Data Act: Practical Guide

Stuck in a SaaS contract your company no longer needs? The EU Data Act gives you a legal right to switch providers. Eligibility, process, and pitfalls.

Lire Plus

Let's build together to grow your business

Book a Call
Contact Me

I have been supporting software and SaaS companies for over 10 years, helping them structure their business, protect their intellectual property and strengthen their contracts.

Pacaud Avocat - Accueil
Pages
HomeServicesThe FirmPricesResourcesSaaS Contracting GuideTrademark Filing GuideContact Me
Services
IT AgreementsIntellectual PropertyE-CommerceFractional CLOTerminate my SaaS
Legal
Legal NoticePrivacy Policy
Consent Banner

Ourama - Website creation for lawyers