What is a data processing agreement and when do you need one?
Data processing has become an integral part of business operations. With the increased use of cloud-based services and outsourcing, companies must understand the roles of data controllers and data processors and the legal agreement between them, known as a Data Processing Agreement (DPA).
In this article, we will dive deep into the responsibilities of data controllers and data processors, explore real-life examples of their roles, and discuss the importance of having a DPA to ensure compliance with the European data protection regulation (GDPR). A fine for non-compliance may cost you up to €20 million, or up to 4% of the annual global turnover of the preceding fiscal year, whichever is higher. Whether you’re a business owner, a data professional, or simply curious about how personal data is managed, this article is a must-read to understand data processing and its legal implications. So, let’s begin!
Data Controller or Data Processor?
The data controller and the data processor are the two main players in personal data processing. The data controller determines the purposes and means of processing personal data, while the data processor carries out the processing on behalf of the data controller.
The responsibilities of each differ. On the one hand, the data controller is primarily responsible for ensuring personal data is processed in compliance with the GDPR. For example, this includes obtaining valid consent, processing data lawfully, and providing data subjects with access to their data when requested.
On the other hand, the data processor is responsible for processing personal data according to the data controller’s instructions and supporting the data controller in meeting their obligations. This means implementing appropriate technical and organisational measures to protect the data, informing the data controller of any data breaches, and helping the data controller fulfil their obligations to data subjects.
Data Processing Agreement
Under the GDPR, the relationship between a data processor and its data controller must be governed by a contract: a legally binding agreement, the DPA, that sets out each party's roles and responsibilities for processing personal data.
Here are some typical situations in which a DPA is necessary. If you answer YES to at least one of these questions, you need a DPA.
- Do you use or provide cloud services?
- Do you hire an IT service provider to maintain IT systems or provide technical support?
- Do you manage email marketing campaigns or targeted advertising through a marketing service provider?
- Do you outsource payroll management, benefits, or other HR functions to an HR service provider?
- Are you using an analytics service provider?
While it is common for service providers to offer their own DPA template, it is essential to check whether that template meets all legal requirements.
Your DPA should cover essential aspects such as the type, duration, and purpose of the personal data processing. It should also set out the security measures the data processor must apply, the limits of the processor's authority, and a clear process for handling data breaches. Do not forget the data controller's audit rights. By prioritising a well-crafted DPA, businesses can ensure compliance with the GDPR.
Checklist for Data Processing Agreement
Use our checklist to make sure your data processing operations are legally sound:
- Clearly state the purpose for which the data is being processed and the duration of the processing.
- Describe the types of personal data being processed, the specific purposes for which they are processed, and provide instructions for processing the data.
- Identify the categories of individuals whose personal data is being processed.
- Outline the technical and organisational measures that will be implemented to ensure the security of the personal data.
- Specify the subprocessors, if any, and require that the subprocessors be subject to the same obligations as the data processor.
- Include provisions for data breaches and require the data processor to notify the data controller of any personal data breach.
- Require the data processor to assist the data controller in fulfilling data subjects' rights under the GDPR.
- Include provisions for the data controller to carry out audits or inspections of the data processor's processing activities.
- Specify the circumstances under which the agreement can be terminated and require the data processor to delete or return personal data to the data controller upon termination.
How can Logan & Partners help? Any concerns? Feel free to book a free 20-minute consultation with our data protection lawyer.