What Is DPA? All You Need to Know About the Data Processing Agreement
Need help onboarding international talent?
In 2018, European Union put a new data protection regulation into effect. The change affected almost every business in the world that had access to personal data of their users. Now, companies needed to do an in-depth review of business processes and documentation to ensure their policies and procedures comply with the new guidelines regarding confidential information of data subjects.
Why did the new regulation impact so many businesses? Because most of them use third-party services for personal data processing. Some use website analytics software, while others choose to keep their data in cloud storage.
The GDPR (General Data Protection Regulation) introduced the DPA as one of the changes. The new rules are strict, so every business needed to have this addendum in place in order to keep doing business with the mentioned third-party services.
But what is a DPA, really? This article will provide you with a better understanding of the topic.
What is a DPA agreement?
Let's define DPA first.
The data processing agreement (DPA) is a legal document that needs to be signed to ensure that the data processor will handle the data provided by the data controller properly, following the guidelines of the GDPR.
The contract is valid both as a written agreement and in electronic form. Its main purpose is to determine the way the data processor will handle the data provided by the data controller, like the scope of the data, its purpose, or any other entities that will have access to this data.
Why do you need a DPA?
Data is one of the most valuable assets for many companies today, and that’s why having a DPA is critical for doing business for them. To prevent a potential data breach and abuse, companies need to make sure security measures are in place and that processing activities are compliant with the GDPR.
If a data controller wishes to outsource customer data processing activities to a third-party company, such as a cloud service, they need to sign a DPA. That document proves that the service provider they choose to collaborate with is able to guarantee secure processing of personal data, prevent any security incidents and that they comply with all the applicable data protection laws.
What happens if you don’t sign a DPA with the data processor?
For example, your company collects customer data for marketing and sales purposes. If you’re going to use the services of another company to store, analyze, structure, or later on, delete the data, you will need to draft and sign a DPA to ensure that the company is never operating outside of GDPR compliance and misusing the data you provide.
In case the third-party service provider breaches the contract and mishandles the data, the DPA gives you legal protection because you stayed compliant with the GDPR, and the data processor company was the one who wasn’t following the procedure without prior consultation with you.
If you haven’t signed the agreement with your data processor, you may be the one that needs to take responsibility for the data breach since you failed to use adequate measures to ensure data protection.
Other than financial consequences your company will suffer in this case, you risk losing the trust of your customers who will probably refrain from leaving you personal information in the future.
Who signs the DPA?
A DPA is primarily signed by two sides: a data controller and a data processor (the processor signs the DPA with any further subprocessors).
Who is the data controller?
Simply put, the data controller is the person or a company that owns the data. They hire a third-party data processor and give them access to the data.
The data controller determines the purpose of the data collected and is probably the person who collected it. They also decide how the data processor will process the data subject information, which can vary depending on categories of data subjects, or special categories of data.
Data controllers are also called data exporters.
Who is the data processor?
The data processor is a third-party service provider who processes the data for the controller.
The data processor isn’t allowed to do anything else with the data they have access to, but what the contract with the data controller states.Also, at the end of the contract between the processor and controller, the data processor company is in obligation to delete or return the processed data.
Data processors are also called data importers.
Stay compliant with localized contracts
Generate contracts in seconds. We’ll ensure you’re compliant with local labor laws, no matter where your team lives.Learn more
What does the standard Data Processing Agreement look like?
You won’t get your DPA wrong if you follow the GDPR guidelines, although they are quite extensive. Not all DPAs will look the same as they may vary by industry, and there may be a different number of parties involved.
If you rely on the GDPR while drafting the DPA for your needs, ensure that the content covered in Articles 28 through 36 is included in your agreement. The amount of information there may be overwhelming, but it’s everything you need to be sure your draft is GDPR compliant.
Please mind that for Europe, it is legally required to have a DPA in place. In other countries, it is strongly recommended (not legally required) to implement a data processing agreement, so that the parties fully understand their respective responsibilities with respect to the collection, use, and protection of personal data, and if there is ever an incident involving personal data. That is: entering into such DPA will aid in demonstrating compliance and protecting your business’s interests.
Here’s what the typical DPA looks like.
- Capitalized terms/Definitions
To ensure the clarity of the contract, it’s necessary to define the terms written in capital letters and used throughout the document. Capitalized terms are usually found at the beginning of the contract and you may find terms such as:
- EEA (European Economic Area)
- Personal Data
- CCPA (California Civil Privacy Act)
- Data Protection Laws
- Data Subject
- Europe (which includes European Union, the EEA, and/or the member states - the United Kingdom and Switzerland)
- Personal Data Breach
- Standard Contractual Clauses, etc.
- Data Subject Requests
The data subject may be given specific controls over their information. For instance, they may be able to retrieve, edit, or remove their Personal Data.
The agreement needs to involve any sub-processors that the data processor may outsource.
- Transfer of personal data outside of EEA
You may also need to specify the location where the data can be stored due to particular restrictions related to the transfer of personal data outside the EEA. This clause protects such data even if it’s stored in a country that’s not part of the EU.
- Technical and organizational measures clause
Data processor needs to take specific technical and organizational measures to ensure the security of the data provided by the data controller. The data importer (processor) is the party that has the obligation to provide sufficient guarantees related to organizational and technical security measures, and this clause is typically part of Appendix 2.
- Additional provisions
For example, a common clause is the Data Protection Impact Assessments and Consultation with Supervisory Authorities.
This clause legally binds the data processor to provide the data subject with the requested information in case they can’t access it by themselves. They are obligated to provide reasonable assistance and data protection impact assessments, along with prior consultations with supervisory authorities or another data protection authority competent in the subject matter.
- Standard Contractual Clauses
They’re established between the data exporter and the data importer, i.e. the data processor and the data controller. These clauses can include the obligations of these two entities, a third-party beneficiary clause, liability, a clause about cooperation with supervisory authorities.
There may be an Appendix to the Standard Contractual Clauses, where you can find definitions of different terms used in the contract, such as data importer, data exporter, special categories of data, etc.
A quick note: If you already have a DPA template and are in California, you may want to update it this year. A new privacy law will become effective on January 1, 2023 and will refer to all data collected during 2022. The new regulation, under the name of CPRA, has been voted with the goal of closing the loopholes that can currently be found in the existing California Civil Privacy Act. You can check the details here and reach out to a professional for any additional legal advice.
When is a Data Processing Agreement required?
Every time you want to transfer a specific set of data to a third-party entity for the purpose of being processed, you need to draft and sign a DPA with the company you’re collaborating with. This agreement protects you in case of a data security breach.
If we haven’t addressed all your concerns regarding the Data Processing Agreement, take a look at the following section with the most frequently asked questions.
What is GDPR?
The General Data Protection and Regulation law from 2018 is a new data privacy law put into effect to ensure a higher level of data security in the world. Despite being drafted by the European Union, every organization and business around the world needs to ensure GDPR compliance if their work involves customer data processing of any kind.
What is customer data processing?
To draft a DPA correctly, you need to know exactly what data processing refers to. The term includes data collection, storing or recording, data organization, monetization, data use or deletion, and any other activity related to processing personal data. It's critical to ensure that the data processor company does not exceed the legal basis for processing this data, i.e. that they stick to the original purpose of the activity.
Is customer data deletion allowed?
Data deletion is by definition a data processing activity. Even that falls under the GDPR. Unlawful destruction of customer data may also be fined.
What personal data falls under the DPA?
Any type of data that can serve you to identify the person whose data is being processed is subject to the DPA. Even if you handle pseudonymous information about your customers, it falls under the DPA in case you can identify a natural person behind the pseudonym.
Does a processor sign a DPA with a subprocessor?
A processor needs to sign a DPA with any subprocessors they collaborate with. If the data controller outsources specific data processing activities to a data processor, and they involve a subcontractor, everyone needs to ensure sufficient guarantees for data protection.
What happens if there’s a data security breach?
The data importer and the data exporter need to collaborate at all times to ensure maximum security for the data they’re responsible for. However, if there’s a breach, the data processor is obligated to inform the data controller of such an event and cannot under any circumstances withhold such information. They also have to assist the data controller in data protection impact assessment if possible and cooperate with the authorities in case of an audit.
Even when there is no breach, a Data Protection Officer is appointed to the data processor as the GDPR requires it. By strictly following the controller’s instructions, the data processor can ensure that all the procedures will be followed as they should.
Does a DPA need to be a separate document?
It’s not a legal requirement to create a separate document in order to sign a DPA with a data processor. However, it’s a complex document stating plenty of legal obligations you need to comply with, so it’s recommended to draft a DPA separately from regular contracts you sign with clients or partners.
Is there a fine if you’re not compliant with the GDPR?
There is. In fact, the fines for non-compliance with the GDPR are extremely strict and may cost businesses up to €20 million euros, or 4% of its global revenue.
But that’s not where the issues end if a business is guilty of not following the GDPR. Data subject’s rights include asking for damage compensation from the organization that abused their personal data.
Disclaimer: This article is for informational purposes and does not constitute legal, tax, or any other advice. Always check the official Data Protection Authorities website for more information.