Business Associate Agreement (Ireland)
GDPR Article 28 Data Processing Agreement under Irish law
Data Processing Agreement
DATA PROCESSING AGREEMENT
(pursuant to Article 28 of Regulation (EU) 2016/679 — GDPR)
This Data Processing Agreement ("DPA" or "Agreement") is entered into on [Agreement Date] between: [Controller Name], of [Controller Address] (the "Data Controller") and [Processor Name], of [Processor Address] (the "Data Processor"). This DPA forms part of and supplements the service agreement between the parties.
1. Definitions and Legal Basis
1.1 In this Agreement, "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council; "Data Protection Act" means the Data Protection Act 2018; "DPC" means the Data Protection Commission of Ireland; "personal data", "processing", "data controller", "data processor", "data subject", "personal data breach", and "supervisory authority" have the meanings given in Article 4 GDPR.
1.2 The Data Processor processes personal data on behalf of the Data Controller solely for the following purpose: [Processing Purpose].
1.3 The types of personal data processed are: [Data Types].
1.4 The categories of data subjects are: [Data Subjects].
1.5 The duration of processing is: [Processing Duration].
2. Processor Obligations (Article 28 GDPR)
2.1 The Data Processor shall:
(a) Process personal data only on documented instructions from the Data Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or Irish law; in such case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law on grounds of public interest;
(b) Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, including as appropriate: [Security Measures];
(d) Not engage another processor (sub-processor) without prior specific or general written authorisation of the Controller. Where sub-processors are used: [Sub Processors Allowed]. Currently approved sub-processors: [Sub Processor List];
(e) Assist the Controller in responding to requests from data subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection);
(f) Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIAs, prior consultation);
(g) At the choice of the Controller, delete or return all personal data to the Controller at the end of the provision of services: [Retention Period]. Delete existing copies unless EU or Irish law requires storage;
(h) Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller.
3. Data Breach Notification
3.1 The Data Processor shall notify the Data Controller [Breach Notification Hours] of becoming aware of a personal data breach. The notification shall include, to the extent then known: a description of the nature of the breach; the categories and approximate number of data subjects and records concerned; the name and contact details of the data protection officer or other contact point; the likely consequences of the breach; and measures taken or proposed to address the breach.
3.2 The Data Controller is responsible for notifying the Data Protection Commission (DPC) within 72 hours of becoming aware of a notifiable breach, in accordance with Article 33 GDPR, and for notifying affected data subjects where required under Article 34 GDPR.
3.3 The Processor shall maintain a record of all personal data breaches, including those not required to be reported to the DPC, in accordance with Article 33(5) GDPR.
4. International Transfers
4.1 International transfer outside EU/EEA applicable: [International Transfer]. Transfer safeguard used: [Transfer Safeguard].
4.2 Where Standard Contractual Clauses are relied upon, the parties agree to be bound by the applicable SCCs as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), which are incorporated into this Agreement by reference.
4.3 Following the CJEU judgment in Data Protection Commissioner v Facebook Ireland Ltd (Case C-311/18, Schrems II), the Processor shall conduct and maintain a Transfer Impact Assessment (TIA) for any transfers relying on SCCs to high-risk third countries and implement any necessary supplementary measures.
5. Liability and Governing Law
5.1 Where the Data Processor is responsible for a breach of this Agreement or applicable data protection law, the Processor shall be liable to the Controller for the damage caused.
5.2 Each party indemnifies the other against claims, penalties, or fines imposed by the DPC or any supervisory authority arising from that party's breach of GDPR or this Agreement.
5.3 This Agreement is governed by the laws of the Republic of Ireland and the parties submit to the exclusive jurisdiction of the Irish courts. The DPC is the competent supervisory authority.
5.4 This DPA supersedes any previous data processing agreements between the parties relating to the same processing activities.
Data Controller (Authorised Signatory)
________________
Signature
Data Processor (Authorised Signatory)
________________
Signature
What Is a Business Associate Agreement (Ireland)?
A Business Associate Agreement in Ireland sets out what each party will provide, the consideration involved, and the responsibilities they take on for the arrangement, as regulated by the Companies Act 2014.
When Do You Need a Business Associate Agreement (Ireland)?
A Business Associate Agreement is needed whenever parties in Ireland wish to formalize their arrangement regarding business operations, corporate governance, and commercial transactions. There are numerous situations in which this document becomes essential for protecting the interests of all involved parties.
In a business context, you may need a Business Associate Agreement when entering into new commercial relationships, when formalizing existing arrangements that have previously been informal, when expanding your business operations, or when restructuring existing agreements. Companies registered with the CRO should ensure that proper documentation is maintained for all significant business transactions.
You should also consider using a Business Associate Agreement when there has been a change in circumstances that affects an existing arrangement, when you need to comply with new regulatory requirements, when you wish to update outdated documentation, or when professional advisors recommend formalizing certain aspects of your affairs. In Ireland, maintaining current and accurate legal documentation is considered established practice and can help prevent costly disputes.
It is generally advisable to prepare a Business Associate Agreement before any issues arise, rather than trying to document terms after a dispute has already begun. Proactive documentation provides clarity and reduces the potential for misunderstandings. If you are unsure whether you need this document for your specific situation in Ireland, consulting with a qualified legal professional can provide guidance tailored to your circumstances.
The timing of executing a Business Associate Agreement is also important. In Ireland, certain documents must be executed before specific actions are taken or within prescribed time periods to be effective. Delaying the preparation of necessary legal documents can result in complications, lost rights, or additional costs. Therefore, it is recommended to prepare this document as early as possible once the need has been identified.
What to Include in Your Business Associate Agreement (Ireland)
A well-drafted Business Associate Agreement for use in Ireland should contain several essential elements to ensure it is legally effective and provides adequate protection for all parties.
Party Identification: The document should clearly identify all parties involved, including their full legal names, addresses, and relevant identification numbers. For individuals in Ireland, this may include identity card or passport numbers. For companies, registration numbers and registered addresses should be specified. Clear identification prevents disputes about who is bound by the agreement.
Recitals and Background: The document should include background information explaining the context and purpose of the arrangement. This helps establish the parties' intentions and can be important in interpreting the terms of the document if any ambiguity arises later. The recitals section provides valuable context for the operative provisions that follow.
Operative Terms: The core terms and conditions should be set out clearly and thoroughly. This includes the rights and obligations of each party, any conditions or prerequisites, the duration of the arrangement, and any limitations or restrictions. All key terms should be defined precisely to avoid ambiguity and potential disputes.
Payment and Financial Terms: Where applicable, the document should specify any payments, fees, deposits, or other financial considerations. The amounts, currency (EUR), payment schedules, and methods of payment should be clearly stated. Any provisions for late payment, interest charges, or adjustments should also be included.
Term and Termination: The document should specify its duration, including the start date, end date or conditions for expiry, and any provisions for renewal or extension. The circumstances under which either party may terminate the arrangement early should be clearly defined, along with any notice requirements and the consequences of termination.
Dispute Resolution: The document should include provisions for resolving any disputes that may arise, such as negotiation, mediation, arbitration, or litigation. In Ireland, parties may choose to specify the jurisdiction of Irish courts and the applicable law. Including a clear dispute resolution mechanism can save significant time and expense if disagreements occur.
Governing Law and Jurisdiction: The document should specify that it is governed by the laws of Ireland and that disputes shall be subject to the jurisdiction of Irish courts. This is particularly important in cross-border transactions or where parties are based in different jurisdictions.
Signatures and Execution: The document must be properly signed by all parties or their authorised representatives. In Ireland, certain documents may need to be witnessed, notarised, or executed as deeds to be legally effective. The date of execution should be clearly recorded, and each party should retain an original signed copy for their records.
The forms-legal.com Business Associate Agreement (Ireland) template covers the mandatory elements under Companies Act 2014.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Business Associate Agreement (Ireland) (Ireland) [Legal document template]. Forms Legal. https://forms-legal.com/ireland/business/contracts/business-associate-agreement-ireland
"Business Associate Agreement (Ireland) (Ireland)." Forms Legal, 2026, https://forms-legal.com/ireland/business/contracts/business-associate-agreement-ireland.
Frequently Asked Questions
A Business Associate Agreement (BAA), known in EU and Irish law as a Data Processing Agreement (DPA), is a contract required under Article 28 of the General Data Protection Regulation (GDPR) whenever a data controller engages a data processor to process personal data on its behalf. In Ireland, this requirement applies to all organisations — whether companies registered with the Companies Registration Office (CRO), charities, sole traders, or public bodies — that share personal data with third-party service providers such as cloud hosting providers, payroll bureaux, IT support firms, marketing agencies, or HR platforms. The agreement must set out the subject matter, duration, nature and purpose of the processing, the type of personal data processed, the categories of data subjects, and the obligations and rights of the controller. The Data Protection Commission (DPC) in Ireland, established under Section 10 of the Data Protection Act 2018, actively enforces GDPR compliance and can impose administrative fines of up to €20 million or 4% of global annual turnover for serious infringements under Article 83 GDPR. Ireland is the lead supervisory authority for many major technology companies with EU headquarters in Dublin, making the DPC one of the most active data protection regulators in the EU.
Under Article 28(3) GDPR, a data processing agreement governed by Irish law must stipulate that the processor: (1) processes personal data only on documented instructions from the controller, including instructions regarding international transfers; (2) ensures all persons authorised to process the data are bound by confidentiality obligations; (3) implements appropriate technical and organisational security measures under Article 32 GDPR — in Ireland, the DPC's guidance on appropriate security measures sets out the expected standard; (4) assists the controller in fulfilling data subject rights requests under Articles 15–22 GDPR (access, rectification, erasure, restriction, portability, objection); (5) assists with data protection impact assessments (DPIAs) required under Article 35 for high-risk processing; (6) deletes or returns all personal data at the end of the service relationship at the controller's election; (7) provides all information necessary to demonstrate compliance with Article 28 obligations and cooperates with DPC audits; and (8) does not engage sub-processors without prior specific or general written authorisation from the controller. The DPC's published guidance and the European Data Protection Board (EDPB) guidelines on Article 28 should be consulted. Standard contractual clauses issued by the European Commission (2021 SCCs) should be incorporated for international data transfers outside the EU/EEA.
Under the GDPR as enforced in Ireland by the Data Protection Commission (DPC), a data processor must notify the data controller without undue delay — and in any event promptly — after becoming aware of a personal data breach affecting the controller's data. The controller must then assess whether the breach is notifiable to the DPC: notification is required within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of natural persons, under Article 33 GDPR. If the breach is likely to result in a high risk to the rights and freedoms of individuals — for example, identity theft, financial loss, or significant reputational damage — the controller must also notify the affected data subjects directly without undue delay under Article 34 GDPR. Failure to notify the DPC within 72 hours without a reasoned explanation, or failure to maintain records of all personal data breaches in a breach register, is itself an infringement of GDPR. The DPC provides a breach notification form and guidance at dataprotection.ie. The Business Associate Agreement should specify: the processor's obligation to notify the controller within a defined period (for example, 24 hours); the information to be provided in the notification; cooperation obligations during investigation; and indemnity provisions for processor-caused breaches.
Personal data may only be transferred from Ireland, as an EU member state, to a country outside the EU/EEA where appropriate safeguards are in place under Chapter V of the GDPR. The main transfer mechanisms available to Irish businesses are: (1) an adequacy decision by the European Commission confirming the third country provides an adequate level of protection — for example, the EU-US Data Privacy Framework for transfers to certified US organisations; (2) Standard Contractual Clauses (SCCs) issued by the European Commission in June 2021, which must be incorporated into or annexed to the Business Associate Agreement without modification; (3) Binding Corporate Rules (BCRs) approved by the DPC for intra-group transfers within multinational organisations; and (4) approved certification mechanisms or codes of conduct under Articles 42–43 GDPR. The DPC in Ireland is responsible for approving BCRs submitted by organisations with their EU establishment in Ireland and monitors ongoing compliance with international transfer rules. Since the Schrems II ruling (Data Protection Commissioner v Facebook Ireland Limited, CJEU Case C-311/18, July 2020), Irish businesses must conduct a Transfer Impact Assessment (TIA) before relying on SCCs for transfers to high-risk third countries, to confirm the SCCs provide effective protection in practice.
A Business Associate Agreement in Ireland does not legally require a solicitor, and organisations may draft and execute the document independently provided they are familiar with the requirements of Article 28 GDPR and the Data Protection Act 2018. However, obtaining legal advice from a solicitor specialising in data protection law — or engaging a qualified Data Protection Officer (DPO) — is strongly advisable where the processing involves special category data under Article 9 GDPR (health, biometric, or genetic data), large-scale processing, or international data transfers. The Data Protection Commission (DPC) at dataprotection.ie publishes extensive guidance on controller-processor agreements and recommended contractual provisions. For public bodies in Ireland, the Department of Public Expenditure and Reform has issued model data processing clauses for government contracts. The High Court of Ireland and Circuit Court have jurisdiction over contractual disputes arising from BAAs. Where processing causes damage to data subjects, Article 82 GDPR gives individuals a right to compensation from either the controller or processor. The forms-legal.com Business Associate Agreement (Ireland) template incorporates the mandatory Article 28(3) GDPR provisions and can be adapted to specific processing arrangements.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.