Are your data processing agreements prepared to withstand a cyberattack?

IT, Privacy & Cybersecurity

25 November 2025

Written by

Natascha van Duuren

Cyberattacks are increasingly targeting service providers that process personal data on behalf of multiple organisations. A data breach at such a service provider can have serious consequences for hundreds of organisations and millions of individuals. The Dutch Data Protection Authority (AP) recently examined the role of data processing agreements in major cyberattacks and issued recommendations to help limit the damage.

The data processing agreement as a foundation

The General Data Protection Regulation (GDPR) requires organisations and their service providers to record arrangements on the processing of personal data in a data processing agreement. The Dutch Data Protection Authority (AP) has found that, in practice, these agreements are often unclear or insufficiently specific. In the cyberattacks the AP examined, clear arrangements on responsibilities in the event of a data breach were lacking, and as a result the service provider either informed the affected organisations too late or informed them only partially. The victims were therefore not adequately protected against the possible consequences of the data breach.

Three practical recommendations

The AP makes three clear recommendations for a robust data processing agreement:

1. Make the arrangements as concrete as possible
Do not simply repeat the obligations from the GDPR, but make concrete arrangements about:

  • Who processes which personal data, for what purpose, and for how long;
  • Who is the point of contact in the event of a data breach (for example, a shared mailbox);
  • Within what time frame and with what minimum content a data breach must be reported.

2. Maintain control over the entire supplier chain
Even when organisations outsource services, they remain responsible for their customers’ personal data. They must therefore ensure visibility across the entire chain, including sub-processors, their location, their security measures and the agreements made. A clear overview helps to enable rapid action in the event of an incident.

3. Prioritise drafting and maintaining data processing agreements
A data processing agreement should not be seen as a mere formality, but as a living document. Organisations must act in a timely and diligent manner, regularly review the arrangements, and ensure that employees possess sufficient knowledge of privacy and security. Sector templates can be used as a basis where appropriate, but must always be tailored to the organisation’s specific situation.

Practical tips

  • Maintain an up-to-date list of (reachable) contact persons for data breaches.
  • Agree on a short but realistic deadline for reporting data breaches.
  • Be transparent with customers and provide updates at fixed intervals, even if there are no new developments.
  • After an incident, evaluate what went well and what can be improved, and adjust processes where necessary.

Questions?

A solid data processing agreement is essential to limit damage in the event of a cyberattack and to comply with GDPR requirements. Would you like to know whether your data processing agreements meet the latest standards? Please feel free to contact Natascha van Duuren, Advocaat & Partner IT, Privacy & Cybersecurity.
