A Data Processing Agreement (DPA) is a legally binding document entered into between the controller and the processor in written or electronic form. It regulates the scope and purpose of processing, as well as the relationship between the controller and the processor. The contract is important so that both parties understand their responsibilities and liabilities.
It is practically impossible to run a business without processing personal data and exchanging it with other businesses. Whether the other party provides website analytics software, cloud storage, a CRM or a marketing platform, and whether you are a controller, processor, sub-processor or joint controller, you have to put a lawful Data Processing Agreement in place with the party you exchange personal information with.
The GDPR does not impose legal restrictions on the form of the Data Processing Agreement. However, if a processor is located outside the EU and an international data transfer takes place, there are specific requirements for the format of the documentation, such as standard contractual clauses, binding corporate rules, etc.
Considering the complexity of the task, it’s advisable to have a data processing agreement as a separate document.
It is not only the EU GDPR that requires organisations to sign a Data Processing Agreement when exchanging personal data. By 2023, multiple countries worldwide have adopted similar regulations and require organisations to sign DPAs. The following countries require Data Processing Agreements to be signed:
If you exchange personal data with other parties, you should have a Data Processing Agreement in place. Articles 28 through 36 of the GDPR cover the requirements for data processing and data processing agreements. Let’s look more specifically at the responsibilities of the different roles.
The controller is responsible for establishing a lawful data process and observing the rights of data subjects. The controller defines how data processing takes place and under what conditions. The controller must have a data processing agreement with its processors.
Example: Company A collects customer data and stores it in an online SaaS CRM system provided by company B. In such a case, company A is the controller and company B is a processor.
The data processor should handle the data exclusively in the manner instructed by the controller. The following requirements apply to the processor and should be reflected in the Data Processing Agreement:
A sub-processor performs data processing on behalf of the processor. Data processors should have a data processing agreement with any sub-processors they use. The processor shouldn’t engage sub-processors without the prior consent of the controller.
Example: Company B provides an online SaaS CRM system, which is hosted on a platform of company C. As company B is the processor, company C is deemed a sub-processor.
Article 26 defines joint controllers as two or more controllers jointly determining the purposes and means of processing. Regardless of those arrangements, each controller remains responsible for complying with all the obligations of controllers under the GDPR. Joint controllers are not required to have a contract but must have a transparent arrangement that sets out the roles and responsibilities they agreed upon.
Even though there is no legal requirement in the GDPR for a contract or other legal act, the European Data Protection Board (EDPB) recommends in its guidance that such an arrangement be made in the form of a binding document, such as a Joint Controller Agreement or another legally binding act under EU or Member State law to which the controllers are subject.
The Joint Controller Agreement would provide certainty and could be used to evidence transparency and accountability. Indeed, in case of non-compliance with the agreed allocation provided in the arrangement, its binding nature allows one controller to seek the liability of the other for what was stated in the Joint Controller Agreement as falling under its responsibility.
The essence of such arrangements should be made available to data subjects. Your privacy policy would be the right place to include this information.
Example: A travel agency collects some portion of a customer’s personal information (name and email) to book a hotel, then the hotel collects the rest of the information (address, ID verification, etc.). As both perform a part of the same process, they are joint controllers.
Articles 28 through 36 of the GDPR set the conditions for the exchange and processing of personal data between controller and processor. Here are the most important subjects you have to cover in your data processing agreement.
A useful tip that will save you time
The same details are described in the records of processing activities. We recommend first creating your records of processing activities and then filtering activities related to the processor or controller you are signing the data processing agreement with.
In GDPR Register, activities and data processing agreements are interconnected, so you can easily find this information and integrate it into your agreement.
The controller-processor agreement must say that the processor may only process personal data in line with the controller’s documented instructions (including when making an international transfer of personal data) unless it is required to do otherwise by EU or member state law.
An instruction can be documented by using any written form, including email. The instruction must be in a reproducible form so that there is a record of the instruction.
This contract term should make it clear that it is the controller, rather than the processor, that has overall control of what happens to the personal data.
If a processor acts outside of the controller’s instructions in such a way that it decides the purpose and means of processing, then it will be considered to be a controller in respect of that processing and will have the same liability as a controller.
The controller-processor agreement has to say that the processor must obtain a commitment of confidentiality from anyone it allows to process the personal data unless that person is already under such a duty by statute.
This contract term should cover the processor’s employees as well as any temporary workers and third-party workers who have access to the personal data.
The controller-processor agreement sets an obligation on the processor to take all security measures necessary to meet the requirements for the security of processing (see Article 32).
Both controllers and processors are obliged to put in place appropriate technical and organisational measures to ensure the security of any personal data they process which may include, as appropriate:
Codes of conduct and certification may help processors to demonstrate sufficient guarantees that their processing will comply with the GDPR.
The agreement must say that:
The Data Processing Agreement has to provide for the processor to take appropriate technical and organisational measures to help the controller respond to requests from individuals to exercise their rights.
The controller-processor agreement has to say that, taking into account the nature of the processing and the information available, the processor must assist the controller in meeting its obligations to:
The controller-processor agreement should be as clear as possible about how the processor will help the controller meet its obligations.
The Data Processing Agreement has to say that at the end of the contract, the processor must:
It should be noted that the deletion of personal data should be done in a secure manner, in accordance with the security requirements of Article 32.
The DPA has to include these terms to ensure the continuing protection of personal data after the contract ends. This reflects the fact that it is ultimately for the controller to decide what should happen to the personal data being processed, once processing is complete.
Under Article 28(3)(h) the Data Processing Agreement has to require:
This provision obliges the processor to be able to demonstrate compliance with the whole of Article 28 to the controller. For instance, the processor could do this by giving the controller the necessary information or by submitting it to an audit or inspection.
Keeping records of the processing activities would be useful for the processor to demonstrate compliance with Article 28. Requirements for processors to maintain records of their processing activities are set out in Article 30(2).
For international trade and international cooperation, personal data must flow into and out of the European Union. A Third Country is any country outside the European Economic Area (the “EEA”), but the transfer of such personal data from the EU to controllers and processors located outside the EU should not reduce the level of protection of the individuals concerned. The General Data Protection Regulation Chapter V should therefore be strictly followed when transferring data to third countries or international organisations.
There are different bases for transfer available, and they influence how the Data Processing Agreement should be formulated.
The existence of an “adequacy decision” should be taken into account before transferring personal data to a third country. An adequacy decision means that the European Commission has determined that a third country or an international organization provides an adequate level of data protection.
The European Commission considers factors like laws, adherence to human rights and freedoms, national security, data protection laws, the existence of a data protection authority, and legally binding agreements the country has made regarding data protection when determining whether the level of protection is adequate.
List of countries with an adequacy decision
For those countries there is no requirement to provide additional safeguards, and a standard Data Processing Agreement can be used.
If the country to which the personal data is transferred does not have an adequacy decision, the data can still be transferred if the controller or processor has implemented appropriate safeguards. Among these safeguards could be:
The European Commission has approved these sample data protection clauses, which when incorporated into a Data Processing Agreement allow for the free flow of personal data. The SCCs include rights for the people whose personal data is transferred as well as contractual obligations for the Data Exporter and Data Importer. These rights are directly enforceable by individuals against the Data Importer and Data Exporter. Between a controller and another controller, there are two sets of standard contractual clauses for restricted transfers, and between a controller and a processor, there is only one set.
The European Commission made updated Standard Contractual Clauses available on 4 June 2021. The three sets of SCCs that were previously adopted under the earlier Data Protection Directive 95/46 have been replaced with the new SCCs. After 27 September 2021 it is no longer possible to sign new contracts based on Data Protection Directive 95/46. For contracts that were signed before 27 September 2021, controllers and processors may still rely on those earlier SCCs until 27 December 2022, provided that the processing operations covered by the contract don’t change. All new Data Transfer Agreements signed after 21 September 2021 have to rely on the updated SCCs, and by 27 December 2022 all existing agreements have to be migrated to the updated SCCs.
Binding Corporate Rules are internal codes of conduct that operate within a multinational group of companies and are legally binding. They are applicable to the transfers of personal data from the group’s EEA entities to its non-EEA entities. This group could be a corporation or a collection of businesses that are involved in a joint economic activity, like joint ventures or franchises. BCRs are legally binding data protection rules that have been authorised by the relevant Data Protection Authority.
Two different BCR types may be approved: BCR for Controllers, which group entities use to transfer data under their control, like employee or supplier information, and BCR for Processors, which are used by organizations that act as processors for other controllers and are typically added as an addendum to the Service Agreement or Data Processing Agreement. Additional guidelines for the use of BCRs as a suitable safeguard for personal data transfers are provided in GDPR Article 47.
The GDPR’s Article 40(3) introduced the use of Codes of Conduct as a transfer mechanism in certain situations. Codes, which are optional, lay down specific data protection guidelines for various categories of controllers and processors. They can be a useful and effective accountability tool, providing a thorough explanation of the most appropriate, ethical and legal behaviour within a sector.
Therefore, from the perspective of data protection, codes can serve as a guide for controllers and processors who create and carry out GDPR-compliant data processing activities that give practical meaning to the data protection principles outlined in European and national law.
Codes of Conduct that are applicable to the processing of personal data by controllers and processors in more than one EU Member State and for which the EU Commission has adopted an implementing act, along with legally-binding agreements made by the controller or processor in the third country, may be used as a transfer tool.
Article 42(2) of the GDPR states that certification mechanisms may be created to demonstrate the existence of suitable safeguards provided by controllers and processors in third countries. Additionally, these controllers and processors would commit to adhering to the safeguards, which would include provisions for data subject rights.
According to Article 46(2)(a) of the GDPR, a restricted transfer may be made by an organisation if it is one public authority or body transferring to another public authority or body. The agreement or other document must contain enforceable rights and practical remedies for the people whose personal data is transferred. This is not a suitable safeguard if either the receiving organisation or the sending organisation is a private entity or an individual. A public authority or body that lacks the authority to enter into legally binding and enforceable agreements may consider, as an alternative, an administrative arrangement that includes enforceable and effective individual rights (Article 46(3)(b) of the GDPR).
Derogations under Article 49 are exceptions to the general rule that personal data may only be transferred to a third country if that country offers an adequate level of protection. Before using the derogations allowed by Article 49(1), a Data Exporter should first try to frame transfers with one of the mechanisms guaranteeing adequate safeguards listed above. These exemptions or derogations permit transfers in certain circumstances, such as those based on consent, for the performance of a contract, for the assertion of legal claims, to safeguard the data subject’s vital interests when they are unable to give consent, or for important reasons of public interest.
If required by GDPR, the data processor shall appoint a Data Protection Officer and both parties must agree on a periodic review of the terms of the DPA.