One important element of the legislation is the requirement for data controllers to enter into a Data Processing Agreement (DPA) with data processors.
Most businesses rely on third parties to process personal data. Whether it’s an email client, a cloud storage service, or website analytics software, you must have a data processing agreement with each of these services to achieve GDPR compliance.
The term “processing refers to anything you can possibly do with someone’s personal information such as collecting it, storing it, monetizing it or destroying it.
If your company is subject to the GDPR, you must have a written data processing agreement in place with all your data processors. It is one of the most basic steps of GDPR compliance and necessary to avoid GDPR fines.
GDPR compliance requires data controllers to sign a data processing agreement with any parties that act as data processors on their behalf.
What is a DPA?
A DPA is a legally binding document to be entered into between the controller and the processor in writing or in electronic form. It regulates the particularities of data processing – such as its scope and purpose – as well as the relationship between the controller and the processor.
GDPR Article 28, Section 3, explains in detail the eight topics that need to be covered in a DPA. You must include the following:
- The processor agrees to process personal data only on written instructions of the controller.
- Everyone who comes into contact with the data is sworn to confidentiality.
- All appropriate technical and organisational measures are used to protect the security of the data.
- The processor will not subcontract to another processor unless instructed to do so in writing by the controller, in which case another DPA will need to be signed with the sub-processor (pursuant to Sections 2 and 4 of Article 28).
- The processor will help the controller uphold their obligations under the GDPR, particularly concerning data subjects’ rights.
- The processor will help the controller maintain GDPR compliance with regard to Article 32 (security of processing) and Article 36 (consulting with the data protection authority before undertaking high-risk processing).
- The processor agrees to delete all personal data upon the termination of services or return the data to the controller.
- The processor must allow the controller to conduct an audit and will provide whatever information necessary to prove compliance.
The GDPR requires data controllers to take measures to ensure the protection of personal data they handle. If data controllers decide to outsource certain data processing activities, they must be able to demonstrate that their suppliers and sub-processors also provide sufficient guarantees to protect the data and are GDPR compliant.
If you are a controller and, as a result of outsourcing, you wish to transfer your data to a third-party, for example a cloud provider, you need to sign a DPA with that third party.
Even if you are not a controller, but a processor, and decide to outsource your activities you’ll need to sign a DPA and ensure that any other sub-processor in the chain complies with the requirements of the GDPR.
You must ensure that your processors provide sufficient guarantees for the protection of the data transferred to them. Under the GDPR, if there is a data breach, even if it’s on the side of the processor, you, as a controller, might be held responsible. Therefore it is important to choose processors that implement sufficient measures to minimize the risk of a data breach. Processors must also take sufficient measures to decrease the effect of a breach and to inform you in due course.
Data processors should not be able to process your data for any other purpose than what’s the purpose of your DPA and of the outsourcing. Therefore, you should check how the processor will use the data you transfer to it; whether it is in accordance with your contract or whether the processor intends to use the data for its own purposes. You will need to make sure that the scope of the processor’s DPA is not broader than the original legal basis you have for processing the personal data.