Drafting a processor agreement: checklist under GDPR art. 28
As soon as you let an external party process personal data, a processor agreement must be in place. A cloud provider, a payroll administrator, a document destruction service, a marketing agency enriching your customer database: all processors in the sense of the GDPR. Article 28(3) prescribes the minimum elements the agreement must contain. Anyone who lets jobs run without a signed agreement is themselves in breach of the GDPR, even if the processor acts professionally. This article is a practical 13-point checklist.
Audience: SME owners, DPOs, procurement and anyone who regularly signs contracts with processors.
When is a processor agreement needed?
Only if the counterparty qualifies as a processor. That means: a party that processes personal data on behalf of and under instruction from you (the controller). A lawyer who litigates for you is not a processor, because they act independently. A document destruction service that handles your archives on your instructions is a processor.
The agreement does not regulate the commercial deal itself. Price, volume and scope live in a separate framework agreement or quote confirmation. The processor agreement is purely about privacy.
The 13 points
1. Parties and roles
Who is the controller, who is the processor? Full name, Chamber of Commerce number, address, contact person and signing authority. No room for misunderstanding.
2. Subject, duration, nature and purpose of the processing
Describe specifically. Example: "the processing consists of mobile document destruction at the controller's location, at DIN 66399 P-5. Duration: per job, on average 2 hours. Purpose: secure destruction of personal data after the retention period has expired."
3. Types of personal data and categories of data subjects
Which categories do you process? Think of: names, addresses, BSN (the Dutch citizen service number), copies of ID, financial data, medical data, etc. And which data subjects: clients, staff, patients, suppliers?
4. Instructions from the controller
The processor may only act on written or documented instructions. Stipulate that deviation is forbidden unless agreed in advance. This protects you from the processor acting on its own initiative.
5. Confidentiality obligation of staff
All staff who come into contact with the data are bound by confidentiality. Preferably with a reference to the employment contract or an individual statement. For sensitive sectors (legal, healthcare) also require a VOG (the Dutch certificate of conduct).
6. Security measures (GDPR art. 32)
Describe what appropriate technical and organisational measures the processor takes. Examples: access control on site, encrypted transport, closed shredder truck, logging of executed jobs, physical security of storage. See also our article on GDPR requirements for document destruction.
7. Sub-processors
May the processor engage subcontractors? If so, under what conditions? Standard: prior written consent, or general consent with a notification duty for each new sub-processor. Sub-processors must be put under the same obligations ("flow-down duty").
8. Notification duty for data breaches
Within how many hours does the processor notify an incident? The GDPR does not prescribe a number, but 24 to 48 hours is common. That way you still have time to meet the 72-hour deadline at the AP (the Dutch data protection authority). See our article on reporting a data breach in 72 hours.
9. Assistance with data subject rights
The processor assists you in handling requests from data subjects (access, rectification, erasure, data portability). Record how quickly and at what cost.
10. Assistance with risk assessment (DPIA)
If you have to carry out a Data Protection Impact Assessment, the processor supplies relevant information. For a destruction service that contribution is usually limited to technical documentation of the destruction.
11. Audit right
You may verify whether the processor complies with the agreements. That can be done via on-site inspection, via handover of certificates (ISO 27001, NEN 7510) or via an independent audit. Record frequency and cost allocation.
12. End of processing
What happens to the data at the end of the retention period, the job or the agreement? Deletion or return, within what period. For destruction this is self-evident: the data is destroyed at the end of every job. But metadata, log files and other residue also have to be regulated.
13. Liability and penalties
Not mandatory but sensible. Who bears a GDPR fine if the processor was negligent? The law allocates joint liability, but you can agree on indemnification between yourselves.
Need a processor agreement for document destruction?
We have a standard template ready that complies with GDPR art. 28. Sector-specific addenda for healthcare, legal, notarial and financial. Returned signed within a working day.
The pitfalls
No agreement before the first job
"We will sign it later" is a GDPR breach from the moment the first data is transferred. Always sign before the job, not after.
Only general terms and conditions
General terms and conditions do not cover the 13 points. Some processors try to settle for "GDPR-compliant under general terms and conditions". Insufficient. Require a separate document.
No overview of sub-processors
With a cloud-hosted destruction administration, the processor may itself use a cloud provider (AWS, Azure). That is also a sub-processor. The list must be complete.
No update on change
If the processor is taken over, relocates or adds a new sub-processor, the agreement must follow. Schedule an annual review.
Not signed
Sounds elementary, but it happens often: a draft sits in an email and nobody ever returns it signed. Always ask for a signed version, preferably digitally signed via a recognised service.
Specifically for destruction providers
For a document destruction service, a few extra points belong in the agreement:
- DIN 66399 level (standard P-5 for all GDPR-relevant documents)
- Certificate per job with specific fields (see Certificate of Destruction)
- Mobile destruction on site versus offsite transport (see mobile vs offsite shredding)
- VOG screening of staff
- Sealed transport containers if offsite
- Logging of all site visits
What if the processor refuses to sign?
Sometimes large suppliers refuse a template you draft and impose their own version. In that case it is important to test against the 13 points. If something is missing, demand an amendment. If the supplier is completely inflexible and falls short: find another supplier. You bear the GDPR fine, not them.
Digital signature
A processor agreement can perfectly well be signed digitally via DocuSign, AdobeSign, Zynyo or comparable services. Keep the signed version together with its audit log for at least 5 years after the end of the agreement.
Outsourcing destruction without an agreement? Call us or request a quote via desnipperaar.nl. We send the standard processor agreement along; sign it, return it and you are ready to go.