The Data Processing Agreement
Strong data protection in IT outsourcing agreements begins with a compliant data processing agreement. Under GDPR Article 28, any contract where a provider processes personal data on your behalf must include a written DPA requiring the provider to act only on your documented instructions, keep its personnel under confidentiality, apply appropriate technical and organisational security measures, assist with data-subject rights, submit to audits, and delete or return data at termination. Enterprise legal teams now treat a comprehensive DPA as table stakes — but the provider's standard template is the floor, not the ceiling, and the same red-lining discipline that applies to managed services clauses applies here. This sits inside the broader IT outsourcing contract negotiation framework.
Sub-Processor Liability
The trap most buyers miss is the chain of sub-processors behind their provider. Under Article 28(4), a provider may only engage sub-processors under an agreement that imposes protections equivalent to your DPA — and where a sub-processor fails to meet its data-protection obligations, the original provider remains fully liable to you for that failure. Your contract should require disclosure of every sub-processor, a right to object to new ones, and flow-down of equivalent terms, including audit rights. This connects directly to the broader controls in security requirements in IT outsourcing contracts, and to the offshore-specific exposure covered in nearshore versus offshore.
You can outsource the processing, but not the liability. A breach at a fourth-party sub-processor you never approved is still your regulatory exposure — which is why sub-processor disclosure and flow-down clauses are non-negotiable.
Breach Notification and the 72-Hour Clock
When personal data is breached, the controller has just 72 hours from becoming aware to notify its supervisory authority. That clock does not wait for your provider. The outsourcing contract must therefore require the provider — and every sub-processor — to notify you of a personal data breach without undue delay, which in practice means within hours, not days, and with enough detail for you to meet your own 72-hour deadline. A vague "prompt notification" clause is worthless against a regulatory countdown; specify a defined window and the minimum information the notice must contain. Tie this into the incident-response and escalation paths covered in dispute resolution mechanisms.
Cross-Border Transfers and Residency
Where data leaves the EEA, the contract must rest on a valid transfer mechanism — an adequacy decision (15 countries as of 2026), Standard Contractual Clauses, or Binding Corporate Rules. But SCCs alone are no longer a safe harbour. In April 2026 the Dutch Data Protection Authority fined a taxi platform €100 million for transferring EU personal data abroad despite having signed SCCs, concluding the clauses were insufficient given the destination country's surveillance and government-access risk. The defensible standard now pairs SCCs with architectural controls — data-residency enforcement and in-jurisdiction encryption key custody — which the outsourcing contract should require explicitly, especially for offshore delivery.
| Transfer mechanism | What it covers | 2026 buyer note |
|---|---|---|
| Adequacy decision | 15 approved countries | Cleanest route where available |
| Standard Contractual Clauses | Most third-country transfers | No longer sufficient alone — pair with technical controls |
| Binding Corporate Rules | Intra-group transfers | Slow to approve; useful for large groups |
| Residency enforcement | Data kept in-jurisdiction | Increasingly the defensible standard |
Data Return, Destruction, and Audit
Finally, the DPA must govern what happens to your data at the end. The provider should be obliged to return all personal data in a usable format and to delete remaining copies on termination, with certification of destruction — a provision that overlaps directly with the handover obligations in IT outsourcing exit strategy and transition planning. Audit rights must extend to sub-processors, and where a third party audits the provider, that audit report must be made available to you for scrutiny. Without enforceable return, destruction, and audit clauses, you cannot prove compliance — and proof is exactly what regulators now demand.
Data protection is no longer a schedule to skim. For the full framework, download the IT Outsourcing Negotiation Guide, explore our IT outsourcing negotiation service, or request a confidential briefing on your specific agreement.