Introduction to Resource Center
This page provides an overview of the IAPP's Resource Center offerings.

Contact Resource Center
For any Resource Center related inquiries, please reach out to resourcecenter@iapp.org.

queue Save This


Published: April 2018

The following are a minimum set of provisions an outsourced DPO contract should have. It must be emphasized that no contract should be drafted without undergoing legal review, especially as it relates to provisions impacted by local laws. There will also be a set of legal provisions common to any contract that is not shown below.

Parties: The controller’s or processor’s legal entity is one party, and the DPO firm or individual is the other party.

DPO’s services: At a minimum, this should list the Article 39 tasks and then should add any other duties carried out by the DPO within the DPO role.

Controller’s responsibilities: At a minimum, this should list the controller’s/processor’s obligations under Articles 37–38 and other obligations under local law.

Handling differences: Outlines the procedure engaged if the DPO and the controller/processor do not agree upon an important issue related to GDPR compliance and whether external counsel must be provided for.

Compensation: Whether a DPO is working on a fixed fee or hourly basis and how additional hours are handled/approved.

Limitation of liability: The DPO should limit “their potential liability to the controller or processor, perhaps to the amount of fees paid to the DPO for their services.

Indemnification: The DPO should be protected against any legal actions against them initiated by third parties regarding the services, such as those impacted by a data breach.

Conflicts of interest: There should be a clear statement that there are no known conflicts from the services and any future conflicts will be notified to the parties and addressed at that time.

Confidentiality: That the DPO will comply with professional duties of confidentiality or secrecy.

Training: How the DPO will maintain their competence in data protection and related areas.

Term: It is important to set an appropriate duration for the agreement that allows the DPO sufficient time to assess and implement the necessary changes to bring about GDPR compliance. 

Termination: Which duties will continue upon termination of the contract and how personal data is returned/deleted.

These provisions represent an excerpt from the IAPP book DPO Handbook, by Thomas Shaw, CIPP/E, CIPP/US. The DPO Handbook provides a comprehensive view of all aspects of the role of Data Protection Officers under the EU General Data Protection Regulation. The book is available in the IAPP Store in both print and digital editions.

Tags: Privacy Law, Privacy Operations Management
Related Stories
DPO Report Template
This slide deck created by the IAPP research team offers a customizable template for a report to organizational leadership to help Data Protection Officers show the activities of the data protection team as well as record compliance with the General Data Protection Regulation....
Read More queue Save This
The IAPP's new DPO Report Template
2
Last month a question was posed on the Privacy List: "Does anyone have a template of an annual [or quarterly or any similar] DPO report to management that they would be kind enough to share?" The question generated dozens of responses that went something like, "Yeah, I'd like to see that too!," and ...
Read More queue Save This
2019 global legislative predictions
What will the new year bring in privacy and data protection legislation? Well, to name just a few highlights, we've got a handful of EU member states still needing to pass laws addressing the General Data Protection Regulation, India is in the midst of debate over a new law, Brazil's law will get th...
Read More queue Save This