Data processing agreements (DPA) are an essential part for organisations which transfers or collects personal data from other organisations, where the purpose is determined by one of the parties. This blog post answer the questions of when a DPA is needed and what such agreement shall contain.
Published November 28th 2023
When and why is a data processing agreement needed?
A data processing agreement shall be signed between a Controller and a Processor. If you want to read up on the roles of controller and processor, please take a look at this blog post. To recap, a controller is the organisation who decide how and why personal data is processed. The processor is an organisation that processes personal data on behalf of another organisation.
So if your organisation shares personal data with another organisation, for example a IT system supplier, then you must enter a contract (a so called data processing agreement) which ties both parties to fulfill the requirements under the GDPR. The same agreement is necessary if your organisation process personal data on behalf of another organisation.
The contract must be in written format according to Article 28 of the GDPR. IN the same article you can find what needs to be regulated in the DPA.
Determine the relationship between the parties
It’s important to assess the roles of the organisations involved before you sign the agreement, who is the data controller and who is the data processor?
The controller is the entity that determines the purpose and means of the processing. A controller is thus a body that decides certain key elements about the processing: why the processing is taking place and how this objective shall be reached (the purpose). A controller is usually a legal person, for example a company, an organisation or municipality.
The processor process personal data on behalf of the controller and must always comply with, and act only on, instructions from the controller. The processor shall not go beyond what is instructed by the controller and the processor is always another than the controller.
A typical example is when a company (controller) uses an cloud service or IT program firm to provide a system where personal data can be processed. In such situation, the cloud service provider and IT firm are processors.
Is an agreement between processors necessary?
Yes. The DPA between a controller and a processor set the standards under which the involved sub-processors need to be obliged to follow as well. So, the processor needs to sign a sub-processing data agreement with the subcontractors that are involved in the personal data processing covered by the DPA.
Remember to not take for granted that it is a controller to processor case, since it is possible to be joint controllers if two organisations transfer personal data to each other. If both parties decide the purpose and means of the processing, then they are joint controllers.
Example from EDPB guidelines 07/2020
Companies A and B have launched a co-branded product C and wish to organise an event to promote this product. To that end, they decide to share data from their respective clients and prospects database and decide on the list of invitees to the event on this basis. They also agree on the modalities for sending the invitations to the event, how to collect feedback during the event and follow-up marketing actions. Companies A and B can be considered as joint controllers for the processing of personal data related to the organisation of the promotional event as they decide together on the jointly defined purpose and essential means of the data processing in this context.
Joint controllers shall enter into an arrangement, more commonly knows as a data sharing agreement. Read more about such arrangement in our blog post here.
Elements of a good DPA
After you have determined that you need to sign a DPA (determined the organisations roles as described above), there are a few parts a DPA must contain, here is a non-exhaustive list (from Article 28(3) GDPR):
- There shall be an obligation for the processor which ensure that the employees or other persons processing personal have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. That is usually stipulated in a non-disclosure agreement.
- Include information about the type of personal data and categories of data subjects concerned. Examples of category of data subject can be “employees” or “members”.
- It shall be prescribed that the processor shall implement appropriate technical and organisational measures for the processing of personal data at hand, since the processor is responsible for ensuring appropriate measures.
- Instructions from the controller which explains how the processing shall be performed as well as description for the processor’s tasks.
- Potential sub-processors, if the processor uses sub-processors, the agreement must ensure that the sub-processor adhere to the same requirements as the processor.
- At last, what will happen with the personal data when the agreement ends? The processor is not allowed to have access to the personal data longer than necessary, thus the DPA shall include information about whether the data shall be deleted and/or transferred when the agreement has expired.
The GDPR places a lot of responsibility on controllers and processors as well. A clearly formulated Data Processing Agreement will be useful and hopefully avoid any potential disputes!There is an official DPA, standard contractual clauses for controllers and processors in the EU/EAA that has been created by the EU Commission. You’ll find the standard clauses here.
Do you need help to determine a relationship or to draw up a Data Processing Agreement? We are happy to help you with your legal questions! You are welcome to contact us at firstname.lastname@example.org.
We also offer our own GDPR tool which helps you to fulfill the requirements of GDPR, feel free to book a demonstration to learn more about how you can become GDPR compliant. You can book the demo here.