One way or another, almost all organisations rely on third parties for processing personal data in today’s digital world, creating a direct need for data processing agreements (DPAs). Even the tools that are considered to be the basic necessities in business, such as email clients, content management systems, data storage servers, or website analytics, all process personal data on behalf of organisations. With the introduction of the GDPR, there are strict requirements and guidelines on how this can be done in a compliant manner, through signed DPAs between the organisation (the data controller) and any party that acts as a data processor on their behalf. But what are Data Processing Agreements (DPAs), are they really necessary for you, what do they look like, and who needs to be involved from within your organisation?
What is a Data Processing Agreement (DPA)?
A DPA is a written agreement between an organisation (data controller) and a third-party organisation (data processor) that ensures that all processing tasks are carried out in accordance with both the GDPR and the data controller’s instructions.
To be even more specific, the GDPR defines DPAs as a legally binding document to be entered into between the data controller and the data processor, either in writing or electronic form. The DPA acts as an agreement that clarifies the responsibilities, obligations, and clauses for all involved parties to act upon.
Who, When and How?
Who signs a DPA?
The main parties involved in signing a DPA are of course the data controller and data processors, but every other party involved in the processing of your organisation’s data should also be included. An example of another party involved would be a sub-processor - let’s say your organisation has outsourced accounting to company B, but company B outsources the payroll responsibilities within their task to company C. Company C then becomes a sub-processor, and both company B and C would be required to sign a DPA with your organisation. Every party that plays a role must be well informed of their duties, and will have the same legal obligations towards GDPR compliance as the ‘original processor’.
What needs to be in a DPA according to the GDPR?
According to Article 28(3) GDPR, the below eight key points should definitely be included in a DPA:
1) That the data processor agrees to process personal data only on written instructions provided by the data controller.
2) Every individual that works with the personal data is sworn to confidentiality.
3) That adequate technical and organisational measures are taken to ensure the security of the data.
4) The data processor agrees to not subcontract to another processor unless clearly instructed to do so in writing by the controller. This would mean that the same data protection obligations as set out between the controller and the processor should be agreed with the sub-processor (in accordance with section 2-4 of Article 28 GDPR).
5) The data processor agrees to help the data controller in upholding their obligations under the GDPR, especially surrounding the data subject’s rights.
6) That the data processor agrees to aid the data controller in maintaining GDPR compliance in regard to Article 32 GDPR (security of data processing) and Article 36 GDPR (consulting with the Data Protection Authority before going ahead with processing considered high-risk).
7) The data processor agrees to erase all personal data or return the data to the controller, upon a termination of services.
8) That the data processor must allow the controller to carry out an audit, and will provide information necessary to prove compliance.
Although these may be a lot of points to include, by doing so, not only are you ticking a box on the GDPR compliance ‘to-do list’, but you also provide your organisation and the parties involved the opportunity to clarify what is expected and how to carry out tasks. Additionally, these points also provide room for your organisation to identify potential problems and rethink procedures to be further aligned with the GDPR.
Example of a DPA
To give you a bit more insight, let’s look at a common and simple example of a situation where a DPA is required between a data controller and a processor.
Let’s say an organisation is using an email marketing tool like Mailchimp to distribute its internal and external newsletters. By doing so, they are able to measure and gain insight into how subscribers engage with the emails. In this case, a DPA is required between the organisation and the service (Mailchimp), which needs to include the responsibilities that explain the handling of user requests or contact forms. Additionally, it may also cover:
• Definitions of terms that are referred to in the DPA
• The type(s) of emails and data that will be processed and categorised
• Overview of obligations between the data controller and data processor in accordance with the GDPR
• The different types of personal data and information received from the emails, and how they are categorised
• The categories of data subjects which could include the data controller’s contacts such as employees, contractors, customers, and other end users
• The length of time that emails are kept and the duration of time processing is carried out
• Details on email encryption and other security measures
• Obligations and responsibilities of each party in the event of a data breach
There are also great, credible resources online, such as the DPA template from GDPR.eu, to ensure your agreements are in line with the GDPR.
First steps to take in preparation of drafting a DPA
Most DPAs would unavoidably hold plenty of legal jargon, but at the end of the day, the agreement should be clearly understandable for all parties. In order to make sure that those without a law degree or practice in data protection also have a solid understanding of the DPA, it can be helpful to provide the glossary of the EDPB. Then, have an open discussion with all parties involved.
Mapping data usage and determining risk
Before drafting a DPA, you should be aware of what category of personal data is involved specifically. The GDPR categorizes personal data into the categories of regular data and special category data. Regular personal data includes information such as names and birth dates, and special category data includes sensitive information, such as financial and biometric data.
Your organisation should be very much aware of what category of personal data the DPA will be referring to, as special category data requires higher levels of data protection measures. Your data processors should also understand the sensitivity of the data they process on your behalf, and align their security measures appropriately.
Data mapping can be a very handy tool for this, as can performing a Data Protection Impact Assessment.
Know the roles
Before getting started on creating a DPA, your organisation should identify each party involved and what their main responsibilities will be for this specific agreement. Investigate whether there is more than one data processor or any sub-processors involved. It’s also important to know that whereas processors are expected to act solely under the guidance of the data controller, sub-processors perform under the guidance of the processors. Therefore, including clauses dealing with both roles can significantly reduce misunderstandings and misguidance, which otherwise could prove to be costly.
Additionally, if your organisation is a joint controller, and the means and purposes of your data processing are determined jointly, the other controllers may also need to be considered. Although the GDPR doesn’t explicitly state that joint controllers require a contract between them, it’s strongly recommended to consider making transparent arrangements in writing between the controllers that clearly point out agreed roles and duties.
Lastly, conducting Vendor Risk Assessments is also strongly advised before drafting a DPA. Establishing in the agreement how each party is involved and to what level in responding to DSARs will be of great value when the time comes.
The key things to look out for when signing a DPA
When it comes down to signing a DPA that may not be drafted by you, there are a couple of key things that you should pay special attention to:
Guarantees from processors
One imperative factor to make sure of in any DPA is that your data processor provides adequate guarantees for the protection of the personal data you transfer to them. The GDPR makes it clear that in the event of a data breach, both the data processor and data controller could be held accountable regardless of which party fell victim to the breach. That being said, data controllers should choose data processors that implement appropriate safeguards. In particular, the GDPR states that controllers should identify processors with expert knowledge, reliability, and measures that will meet the requirements of the regulation. This includes proper data security, as pointed out in Article 28(1) GDPR.
Consistency is key
The DPA should clearly highlight that data processors will not be able to process your organisation’s personal data for any other purposes than what’s been communicated in the DPA and by the data controller(s). It may be essential that your organisation conducts audits to see that the processor uses the transferred data in a way that’s been established and agreed on within the DPA. It’ll also be helpful to make sure that the scope of a processor’s DPA isn’t broader in comparison to the original legal basis your organisation established for processing personal data.
When establishing responsibilities and tasks, ensure that there isn't room for misinterpretation. This can be done by, for example, affirming and confirming time limits in which the data processor should process DSARs. Be sure to also provide contact details, so that should there be any problems, the parties know where to turn. Naturally, checking in regularly and building a clear, open, and personal relationship might also prove beneficial, easing any reservations and keeping you top of mind when possible incidents occur.
Take good care of your DPAs
Even though it may be a lengthy document to create that can require quite a bit of prep work like data mapping, DPIAs, time investment, and resources, at the end of the line, it’s all worth it. Data processing agreements play a crucial role in your compliance with the GDPR, and ensure that all duties are appropriately aligned with the regulation. Through DPAs, organisations can further improve procedures and security initiatives over data handling, reduce the risk of a data breach or incident, and increase accountability and efficiency. Overall, the DPA serves as a backbone to guide all parties in the journey of maintaining your organisation’s consistent long-run data protection efforts.