
GDPR Clauses Generator

Generate GDPR-compliant data processing clauses for service contracts — covering purpose limitation, data security, retention, processor obligations and data subject rights.


Core GDPR data processing clauses

GDPR clause          | Requirement                                                                                                     | Article
---------------------|-----------------------------------------------------------------------------------------------------------------|-------------------------
Purpose limitation   | Process data only for specified purposes; no incompatible secondary use                                         | Art. 5(1)(b)
Data minimisation    | Collect only what is necessary; no data "just in case"                                                          | Art. 5(1)(c)
Retention & deletion | Define and document how long each data type is kept; delete or anonymise it afterwards                          | Art. 5(1)(e)
Security measures    | Implement appropriate technical and organisational security measures                                            | Art. 5(1)(f) + Art. 32
Processor obligations| Processor acts only on the controller's documented instructions; cannot engage sub-processors without authorisation | Art. 28
Data subject rights  | Processor assists the controller in responding to access, erasure and other rights requests                     | Art. 28(3)(e)

Frequently asked questions

When do I need a Data Processing Agreement (DPA)?

A DPA is required under GDPR Article 28 whenever you engage a data processor (a third party that processes personal data on your behalf). Common examples: cloud hosting (AWS, Azure), email marketing (Mailchimp), CRM (Salesforce), payment processors (Stripe). Many large platforms provide their own DPA. The agreement must specify the subject matter, duration, nature and purpose of the processing, the types of personal data, the categories of data subjects, and both parties' obligations.

What are the key GDPR data processing principles?

Seven principles (Article 5): (1) Lawfulness, fairness, transparency; (2) Purpose limitation — only for stated purposes; (3) Data minimisation — only what's necessary; (4) Accuracy — keep data up to date; (5) Storage limitation — defined retention periods; (6) Integrity & confidentiality — appropriate security; (7) Accountability — controller must demonstrate compliance.

What must a Data Processing Agreement include under GDPR?

The processor must: process personal data only on the controller's documented instructions; bind processing staff to confidentiality; implement appropriate security measures (Art. 32); engage sub-processors only with authorisation and under equivalent terms; assist the controller with data subject rights requests; assist with security, breach notification and DPIAs; delete or return the data on termination; and allow audits. If any of these elements is missing, both controller and processor are non-compliant.

What is a DPIA and when is it required?

A Data Protection Impact Assessment (DPIA) identifies and minimises the data protection risks of a processing activity. It is mandatory (Art. 35) for processing "likely to result in high risk", such as systematic profiling, large-scale processing of special category data, or systematic monitoring of publicly accessible areas. The DPIA must describe the processing, assess its necessity and proportionality, identify the risks to data subjects, and identify the measures that mitigate them. If high risks remain after mitigation, consult your supervisory authority before starting the processing.
