Data Processing Agreement (DPA). GDPR Register. Dec. 2020

By GDPR Register, Dec 9, 2020

What is a DPA?

A Data Processing Agreement (DPA) is a legally binding document to be entered into between the controller and the processor in writing or in electronic form. It regulates the scope and purpose of processing, as well as the relationship between the controller and the processor. The contract is important so that both parties understand their responsibilities and liabilities.

Why do businesses need a Data Processing Agreement?

It is practically impossible to run a business without processing personal data and exchanging it with other businesses. The other party may be a website analytics provider, a cloud storage service, a CRM or a marketing platform, and whether you are a controller, processor, sub-processor or joint controller, you have to put a lawful Data Processing Agreement in place with every party you exchange personal information with.

The GDPR does not impose legal restrictions on the form of the Data Processing Agreement; however, if the processor is located outside the EU and an international data transfer takes place, there are specific requirements for the documentation, for example standard contractual clauses, binding corporate rules, etc.

Considering the complexity of the task, it is advisable to keep the data processing agreement as a separate document.

Do I need to have a Data Processing Agreement?

If you exchange personal data with other parties, you should have a Data Processing Agreement in place. Articles 28 through 36 of the GDPR cover the requirements for data processing and data processing agreements. Let’s have a look at the more specific responsibilities of each role.

Controller

The controller is responsible for establishing a lawful data process and observing the rights of data subjects. The controller defines how data processing takes place and under what conditions. The controller must have a data processing agreement with each of its processors.

Example: Company A itself collects customer data and stores it in an online SaaS CRM system provided by company B. In such a case, company A is the controller and company B is a processor.

Processor

The data processor should handle the data exclusively in the manner instructed by the controller. The processor must have adequate information security in place and must not use sub-processors without the knowledge and consent of the controller. It must cooperate with the authorities in the event of an enquiry, must report data breaches to the controller as soon as it becomes aware of them, and must give the controller the opportunity to carry out audits examining its GDPR compliance. It must help the controller to comply with data subjects’ rights, must assist the controller in managing the consequences of data breaches, must delete or return all personal data at the end of the contract, at the choice of the controller, and must inform the controller if the processing instructions infringe the GDPR.

Sub-processor

A sub-processor performs data processing on behalf of the processor. Data processors should have a data processing agreement with any sub-processors they use. The processor must not engage sub-processors without the prior consent of the controller.

Example: Company B provides an online SaaS CRM system, which is hosted on a platform of company C. As company B is the processor, company C is deemed a sub-processor.

Joint Controller

Article 26 defines joint controllers as two or more controllers jointly determining the purposes and means of processing. Regardless of those arrangements, each controller remains responsible for complying with all the obligations of controllers under the GDPR. Joint controllers are not required to have a contract, but they must have a transparent arrangement that sets out their agreed roles and responsibilities. The essence of this arrangement should be made available to data subjects.

Example: A travel agency collects a portion of a customer’s personal information (name and email) to book a hotel, and the hotel then collects the rest of the information (address, ID verification, etc.). As both perform a part of the same process, they are joint controllers.

What should be included in a data processing agreement?

Read the full article on GDPR Register website: Data Processing Agreement (DPA)

Written by GDPR Register

Simple GDPR compliance solution for privacy professionals. ROPAs, DPA register, breach register, reporting and more. See more on https://www.gdprregister.eu/