What is a data processing agreement?
A data processing agreement (DPA) is a legally binding document between two parties where one instructs another to perform information actions on their behalf.
A data processing agreement (DPA), or data processing addendum, is a legally binding document that describes an arrangement between two organizations where one instructs the other to perform information operations on their behalf. For example, in the context of payroll, an employer may instruct a third-party human resources company each month to pay their employees on their behalf. In the context of telecoms, an organization may instruct a service provider to route calls, messages, or data traffic through their network.
A data processing agreement almost always entails a third party processing personal data. For this reason, data protection agencies have strict rules governing data processing agreements. These agreements are commonly between a controller (typically a company) and a processor (typically a third-party service provider), or may also involve a processor (third-party service provider) and a subprocessor (another third-party service provider or outside contractor), sometimes referred to as a subprocessing agreement.
If unsure whether you need a data processing agreement, you most likely do, and there could be dire consequences for not having one.
Why is a data processing agreement important?
Data processing agreements are important because data protection laws require an agreement whenever a controller instructs a processor or whenever a processor instructs a subprocessor.
There may be severe consequences for a controller or processor that fails to have a data processing agreement in place. For instance, some organizations have received fines too great to recover from.
It's important for an organization to understand data processing agreements regardless of what activities are happening within the processing chain, because data processing agreements affect your organization at every level. For example, if you are a subprocessor, the obligations in the agreement between the controller and the processor will be passed down to you through the subprocessing agreement, so it still affects you regardless of what role you play in the chain.
How do you benefit from having a data processing agreement?
Having a data processing agreement (DPA) is a legal requirement. Data protection laws generally require a controller to have a DPA in place whenever they use a processor, and whenever that processor uses a subprocessor. Without a DPA in place, you could receive fines from regulatory authorities if they deem one was required.
The data processing agreement protects the interests of all the parties involved by making sure each organization in the processing chain operates in compliance with relevant data protection laws and holds up its end of the bargain.
Data processing agreements help organizations meet certain minimum requirements and protect data subjects through a system of checks and balances between the controller and processor, or between the processor and the subprocessor.
DPAs can also help you with information security. Many companies use third-party services to respond to data breaches, leaks, or other incidents quickly, comprehensively, and effectively. Without the necessary paperwork to get immediate assistance from your processors or subprocessors, your company may not be able to perform the actions needed to meet certain information security requirements.
What should be included in a data processing agreement?
You can find and download many different examples and templates of data processing agreements online. It's important that your DPA include the following components:
- The subject matter and duration of the processing
- The nature and purpose of the processing
- The type of personal data and data subject categories
- The controller's obligations and rights
This may be easy enough to manage on your own if you have only a few contracts in place, but drafting contracts can get much more complicated when juggling dozens of negotiations at a time. It doesn't take long for oversights to occur if you don't have appropriate tools and resources. This is where technology solutions come into play: a good contract management solution can help you efficiently aggregate historical data and create standardized agreement and clause templates.
Data processing agreement and GDPR
The General Data Protection Regulation (GDPR) is considered the toughest privacy and security law in the world. It determines what companies can do with people's data in Europe. Companies such as Amazon, WhatsApp, Google, and Facebook have been fined more than $1 billion collectively for not complying with GDPR regulations.
GDPR requires a data controller and a data processor to have a contract in place when data processing occurs. To satisfy this GDPR requirement, companies can create a DPA to document how personal data will be processed. The DPA should include:
- Type of personal data being processed
- Duration of the information being processed
- Nature and purpose of the processing
- Controller's obligations and responsibilities
- Processor's obligations and responsibilities
Requirements for the data processor will also be included in the DPA, such as:
- Following the controller's instructions
- Keeping data confidential and secure
- Data breach notifications
- Ensuring compliance from all parties
- Allowing controller audits
How to draw up a data processing agreement
The controller often draws up the DPA to make sure the processor handles the controller's data properly, but that doesn't always have to be the case. There are benefits for a processor, or even a subprocessor, in bringing their own DPA.
If you can't decide whether you're a controller or a processor, or need any assistance in drafting a data processing agreement, contact for assistance.