2018 hit us with some shocking news. It started in February with a curious finding by Kromtech Security that the personal information of 199,000 FedEx clients was stored on a non-secure AWS server. Then, a subsidiary of Expedia, Orbitz, mentioned in March that a hacker used a legacy website to collect personal information, including credit card data, of 880,000 customers.
The biggest scandal, however, happened when Mark Zuckerberg began a 2-day marathon, answering 600 questions in front of the senate. He was invited to that marathon after announcing that the personal information of 90 million Facebook users was compromised due to just one line of code.
These and many other data breach events called for a revolution in the data privacy sector. This revolution started with the General Data Protection Regulation (GDPR). This regulation has affected all businesses that handle data of any EU citizen.
GDPR made every country-member of the EU and countries that process data of EU citizens take precautions to ensure that the personal data of their citizens is well protected. The data processing agreement (DPA) became a major player in ensuring compliance with GDPR between data processors and data controllers.
But what is data processing agreement, and how does it help keep your personal data protected? Who are data controllers and processors and how to know if your business has to sign a DPA contract?
You will find all the answers you need to draft the pitch-perfect DPA in our new blog.
What is DPA and why is it important?
Today, data is one of the most valuable assets that a company can operate with. The DPA ensures that security measures and data processing activities are compliant with GDPR policy, and that data providers are able to prevent any potential abuse or breach of data.
The EU data protection law states that any company can process the personal data of every citizen only if they sign a legally binding contract that regulates data processing. That contract is the DPA—Data Processing Agreement.
Personal data of every citizen can only be processed by any party if they sign a legally binding contract that regulates data processing.
A data processing agreement is signed either electronically, or in written form, and regulates the purpose and scope of processing personal data. Personal data is any information that can help identify a person: first and last name, date of birth, residence, username, email, etc.
This DPA contract will act as a proof that the service provider can securely process the personal data, prevent any incidents, and is compliant with every applicable law of data protection.
When is data processing agreement required?
In the era of digital transformation it is near impossible to operate a business without exchanging and processing information with others. Any company that operates in, but not limited to, the following areas, will have to sign a DPA to handle EU citizen’s data:
- Cloud storage
- Website analytics
- Contract lifecycle management
- Marketing services
- Financial Services
- Marketing agencies
- Software outsource companies
- SaaS companies
There are no legal restrictions from the GDPR regarding the structure of the data processing agreement. But if the data processor is located outside the EU, and personal data is transferred internationally, there are certain specifics to the format of documentation, such as corporate binding rules, standard contractual clauses, etc. We’ll go through them further down the article.
Do I need to sign a data processing agreement?
Pretty much anyone who is involved in the exchange of personal data with third parties should have a DPA contract signed. Now let’s have a more detailed look at the roles and responsibilities:
A data controller or a data exporter is a company that owns the data. They are the ones that hire a data processor and provide them with access to the data.
When your company hires an outsource accounting firm to manage your payroll, you provide them with employee names, positions, days of sick leave, wage, etc. Your company acts as the data controller in this case.
It is up to data controller to determine:
- The purpose of data collection
- How the data will be processed
Depending on the data subjects or special categories of data, it can be processed in different ways, and it is up to the controller to outline each of them.
A data processor or a data importer is a third party processing the data for the controller, a service provider.
That outsource accounting firm that is managing the payroll for your company receives all the required information from the controller. But the accounting firm can only use the provided data to calculate the payroll. This accounting firm is the data processor.
The data processor’s actions with data are limited by the actions stated in the DPA by the data controller. When the data processing agreement expires, the data processor is obligated to either delete the data or return it to the controller.
A data sub-processor is the third-party with whom the data is shared by the data processor.
If an accounting firm is out of accountants to manage your company’s payroll, they will have to outsource an accountant to take care of the part of the job. The outsourced accountant will be dealing with your company’s data on behalf of the accounting firm. This outsourced accountant is the sub-processor.
The processor and sub-processor will have to sign a DPA between them. Data processor can only share the data with the sub-processor with the prior consent of the data controller.
GDPR defines joint controllers as “two or more controllers jointly determining the purposes and means of processing”.
For example, your company rents vacation homes and signs a contract with a car rental company to add a value-added proposition to your clients. Now they can rent a car along with a vacation home. Both companies will be exchanging client information and using the same platform to sell their services. They are called joint controllers.
Joint controllers each remain responsible for their obligations, but are not required to have a contract between them. All they need is an agreement that outlines their roles and responsibilities and can be available to data subjects.
What are the data processing agreement requirements?
There is no definite structure of the data processing agreement template, as separate clauses may vary by industry.
All information on how to draft a data processing agreement template can be found in GDPR Articles 28 through 36, but it’s a very extensive read. That’s where document automation software for law firms really helps—after your legal operations feed the document automation software with relevant templates, it will take your lawyers no time to draft a perfect data processing agreement and adjust it to their current case or client.
There is no definite structure of the data processing agreement template, as separate clauses may vary by industry.
Below are the clauses deemed most important by the GDPR to include in your data processing agreement:
Every DPA must include the following:
- Which data is being processed
- How long will the data processor have access to the data
- Purpose and type of processing
- Categories of data subject and types of personal data
- Legal basis and purpose behind processing of personal data
- Rights and responsibilities of the controller and the processor
Your legal operations can also determine what the data subject is able to do with their information. For example, you provide your client’s data to the processor, and say that your client can remove, delete, edit, or retrieve their personal data from the processor’s database.
Acting in accordance with the instructions
It must be mentioned that the processor can only manage the data based on the instructions of the controller. Instructions can be written in any form or manner, including an email, and have to be reproducible.
The data processor can only act against the instructions if required to do so by the EU or member state law. For example, a data processor has to share personal data with the court that has issued an order to provide the necessary information.
If a processor acts in a way that is not described in the instructions from the controller, they decide the means of data processing. That makes them a controller in this action, and they will have corresponding liabilities.
Let’s say, the accounting firm shares your company’s data with an outsource accountant without your consent. In this case, the accounting firm becomes the data controller, and the outsourced accountant is the data processor.
Personal data confidentiality
The processor must be committed to protecting confidentiality of the entrusted data. This contract term should cover every processor’s employee that can access personal data, including third party and temporary employees.
Ensuring the adequate security measures, technical and organizational
The processor has to take all security measures to ensure the protection of personal data.
It is up to both the controller and the processor to have technical and organizational measures in place:
- Data encryption
- Resilience and integrity of processing systems
- Ability to restore data in case of an accident
- Regular test of the effectiveness of undertaken measures
Having a code of conduct and certifications, such as SOC-2, can help you demonstrate that your security measures are sufficient to be compliant with the GDPR.
It must me stated in the agreement that:
- The processor has no right to engage with a sub-processor without the controllers prior consent
- When employing a sub-processor under a general authorization, a processor should make the controller aware of any changes and allow the controller to object to them.
- A contract should be put in place between a processor and sub-processor, outlining the obligations
- The processor takes all liability for the sub-processor to the controller.
Basically, a processor should sign another data processing agreement with a sub-processor and indicate the controller as the main provider of the data.
Resolving subject access requests
The processor should be able to take measures, both technical and organizational, to assist the controller in managing data subject’s requests to take actions with their personal data.
Rights and privacy of data subjects
The processor must be able to help the controller to meet obligations in the following areas:
- Personal data security
- Notifying authorities of the potential breaches
- Notifying data subjects of the breaches
- Carrying out DPIAs (data protection impact assessments)
- Consulting with authorities when, according to a DPIA, the risk is too high and cannot be mitigated
Ways of assisting the controller to meet their security obligations must be made very clear in the agreement.
Duration of processing
Upon the expiration of the contract, the processor has to:
- Return or erase all the personal data that they have processed. It is up to the controller to decide which one.
- Erase all existing copies of the data unless required otherwise by the EU or member state law.
- Ensure that all data is erased in accordance with the security requirements
These terms are required to be sure that personal data is protected even after the agreement expires.
Audits and compliance
GDPR require the DPA agreement to include the following:
- Processor must provide the controller with a proof that all obligations of Article 28 are met
- Processor must allow and contribute to any audits carried out by the controller or an auditor that has been appointed by the controller
A good way for the processor to demonstrate compliance with Article 28 is to store records of any activities related to personal data processing, and being able to provide them for inspection upon request.
Exceptions for data processing agreement
Naturally, you don’t have to sign a DPA every time you engage with third-party services. Below are 5 cases that don’t need a DPA, because data protection compliance is already granted without the need for any additional contracts:
- Engaging with professional groups bounded by confidentiality. This includes lawyers, tax consultants, and auditors that work with personal information.
- Debt collection agencies with assignment of debt.
- Providers of matching services, such as recruiters.
- Clinical studies
- Large groups of companies under one management
Data is one of the most important aspects of business operations. Marketing campaigns, studies, researches, reports, and sales all depend on how much data can be gathered and analyzed.
A data processing agreement template must be set in place in order to protect your customers’ personal data from being compromised. It will also ensure that any third party services that you engage with won’t put you in a situation where you are held responsible for mishandling information provided to you by your clients.
After all, the amount of fine is 4% of the company’s annual revenue.
Despite the complexity of clauses, a DPA is a simple contract that has to be processed on a regular basis. Legal departments can sometimes deal with lots of such agreements every month.
To help them take care of routine contracts with zero effort, we have created AXDRAFT QuickDocs, a fully automated solution that gives your clients full control of turning out 100% compliant data processing agreements by filling out a small questionnaire on a public-facing template.
If you would like to learn more about other contracts, visit our other Contracts 101 posts that cover the fundamentals of non disclosure agreement, master service agreement, and a statement of work.
Want to see AXDRAFT document automation magic in action? Try our instant demo and get a ready-to-use NDA drafted in 57 seconds!