In the absence of a data processing agreement or other written contract, it is unlawful for a data controller to use the services of a processor or for a data processor to process personal data on behalf of a data controller. International data transfers can be made under certain conditions, even if the third country has received an adequacy decision from the European Commission. The U.S. has not received an adequacy decision, but transfers are allowed if the recipient U.S. company is part of the privacy shield framework. But how do you show data processors what you expect from them? With a data processing agreement. Here is an example of a Capsule that writes as a data processor. It authorises the data controller to carry out audits, but also sets out the terms of this agreement. Whenever data processing is carried out by a data processor, it is important to have a clear data processing agreement. . . .