A DPA is a written agreement between an organisation (‘data controller’) and a third-party organisation handling personal data for the controller (‘data processor’) that ensures that all processing tasks are carried out in accordance with both the EU’s General Data Protection Regulation (‘GDPR’).
The processing of personal data is almost always an issue in commercial relationships, to a greater or lesser extent. But even more so when concerning IT solutions. IT is, after all, by its very nature used for automated processing of data and many of those data qualify as personal data. Information is considered ‘personal data’ if a party has the means to trace the data back to an identifiable individual. This can therefore be data about the organization's own employees as well as data about customers or prospects.
We often see a single thought automatically pop up when discussing data privacy: "when personal data is processed, a data processing agreement must be concluded". Understandable, but that is very much the question. In a previous blog, we wrote that both the data controller and data processor should be included in the signing of a DPA. As the subject of DPAs is getting a lot of attention recently, we will explain the need for a DPA and the way to include it in the agreement further.
What role does the supplier play?
The preliminary question that must always be asked is: what role does the supplier or other third party play concerning personal data? Broadly speaking, these are the options:
- None: the third party does not process personal data. Consider the delivery of on premise software (at most, contact details of the contracting party are processed).
- Not relevant to privacy: personal data are processed, but the third party has no actual power. Think of automatic and passive transfer in telecom, where the personal data is routed through the third party for transmission, but they cannot access it, or the data is completely anonymous in transit.
- Third party is processor: the third party processes data purely on behalf of your organisation.
- Third party is controller: in this scenario, the third party processes the data for its own purposes.
Only in scenario 4 is it legally required to enter into an agreement with the third party about the processing of personal data.
In other situations, it may be necessary to test whether the processing is permitted under privacy law at all. You can use a data processing impact assessment (‘DPIA’) for finding the risks associated with the envisioned activity. Especially scenario 5, when a supplier is itself a data controller, raises many questions in practice (but occurs more and more!). These DPIAs are often considered difficult. Luckily, you can find European guidance (including a checklist) online, and there are tools available to automate the process.
What does a DPA look like?
Nowhere in the GDPR does it say that a processing agreement must necessarily be a separate document. The parties are therefore free to integrate the agreements on privacy into a more comprehensive contract. In practice, however, an annex to a contract is often referred to. To find out what needs to be included in such a document, please see our previous blogpost.