Data processor agreements: what to look for
Know what a solid processor agreement with your parking-software vendor must cover, so responsibility, security and your exit are all clear.
When you run parking through software, that vendor processes personal data on your behalf, and GDPR requires a written agreement to govern it. A good data processor agreement is not box-ticking — it defines who is responsible for what, and protects you if something goes wrong.
Roles, responsibilities and sub-processors
The agreement should state clearly that you are the controller and the vendor the processor, and that they act only on your documented instructions. It must also cover sub-processors — the other companies the vendor relies on — with a right to be informed of changes and to object.
A vendor that cannot tell you who else touches your data is a vendor you cannot properly assess.
- Confirm you are the controller and the vendor the processor
- Require processing only on your documented instructions
- List sub-processors and set a right to notice and objection
- Bind sub-processors to the same obligations
Security measures and data location
Look for concrete technical and organisational measures — encryption, access controls, breach notification within a defined timeframe — not vague assurances. Confirm where your data is stored and processed, and that any transfer outside the region has a lawful safeguard in place.
Exit and deletion terms
The hardest moment in any vendor relationship is leaving. The agreement should guarantee that you can export your data in a usable format and that the vendor will delete or return it, with proof, when the contract ends.
Rules on transfers and safeguards evolve, so review the agreement periodically rather than signing once and forgetting it.
- Guarantee data export in a usable, portable format
- Require deletion or return of data at contract end, with proof
- Review the agreement periodically as rules and services change
The takeaway
A strong processor agreement turns a software relationship into a clear allocation of responsibility — you know where your data lives, who can touch it, and how you get it back when you leave.
Keep reading
Bring this to your car parks
Talk to an OPARKO parking consultant about what fits your sites — no obligation.