Published: April 2018

The following are a minimum set of provisions an outsourced DPO contract should have. It must be emphasized that no contract should be drafted without undergoing legal review, especially as it relates to provisions impacted by local laws. There will also be a set of legal provisions common to any contract that is not shown below.

Parties: The controller’s or processor’s legal entity is one party, and the DPO firm or individual is the other party.

DPO’s services: At a minimum, this should list the Article 39 tasks and then should add any other duties carried out by the DPO within the DPO role.

Controller’s responsibilities: At a minimum, this should list the controller’s/processor’s obligations under Articles 37–38 and other obligations under local law.

Handling differences: Outlines the procedure to follow if the DPO and the controller/processor do not agree on an important issue related to GDPR compliance, and whether external counsel must be provided for.

Compensation: Whether a DPO is working on a fixed fee or hourly basis and how additional hours are handled/approved.

Limitation of liability: The DPO should limit their potential liability to the controller or processor, perhaps to the amount of fees paid to the DPO for their services.

Indemnification: The DPO should be protected against any legal actions against them initiated by third parties regarding the services, such as those impacted by a data breach.

Conflicts of interest: There should be a clear statement that there are no known conflicts arising from the services, and that any future conflicts will be notified to the parties and addressed at that time.

Confidentiality: That the DPO will comply with professional duties of confidentiality or secrecy.

Training: How the DPO will maintain their competence in data protection and related areas.

Term: It is important to set an appropriate duration for the agreement that allows the DPO sufficient time to assess and implement the necessary changes to bring about GDPR compliance.

Termination: Which duties will continue upon termination of the contract and how personal data is returned/deleted.

These provisions represent an excerpt from the IAPP book DPO Handbook, by Thomas Shaw, CIPP/E, CIPP/US. The DPO Handbook provides a comprehensive view of all aspects of the role of Data Protection Officers under the EU General Data Protection Regulation. The book is available in the IAPP Store in both print and digital editions.