Articles 28 to 36 of the GDPR cover the requirements applicable to data processing and data processing agreements. This is a pretty large amount of information, but let's put it in more manageable terms that you can apply to your business.

Processing by a processor is governed by a contract or other legal act under Union or Member State law, which binds the processor to the controller and defines the subject matter and duration of the processing, the nature and purpose of the processing, the nature of the data and categories of data subjects, and the obligations and rights of the controller. Articles 28 to 36 of the GDPR define the conditions for the exchange of data and the conditions relating to personal data between the controller and the processors.

Here are the main topics to cover in your data processing agreement. The GDPR requires inclusion in your data processing agreement:

For example, if you collect personal data from users on your website and then use a third party to process an aspect of your business strategy, you want to know that this data processor is operating within the framework of GDPR compliance and is doing what it should be doing with your users' important data. If you want to create or update a data processing agreement, the information above should help you break down the requirements of the GDPR into more manageable steps.

Where a processor is entrusted with processing activities, the controller should only use processors that offer sufficient guarantees, including expertise, reliability and resources, to take technical and organisational measures in accordance with the requirements of this Regulation, including the security of processing.

If your data processor violates compliance, processes data incorrectly, or is a victim of a data protection breach, a data processing agreement can legally protect you by demonstrating that you have complied with your duty of care to ensure that the company you have partnered with has followed the appropriate procedures.

Article 36 covers situations in which a data protection impact assessment indicates a high risk. It sets out the procedure that controllers, processors and supervisory authorities follow to communicate, and sets deadlines for the period during which supervisory authorities should advise the controller and/or processor on improving the situation, so that data processing can begin safely.

Compliance with the GDPR requires data controllers to sign a data processing agreement with all parties acting on their behalf as data processors….