Updated GDPR Data Processing Agreement Guidance

The European Data Protection Board (EDPB) has published an opinion that has significant implications for data processing agreements (DPAs). It's crucial for all businesses covered by the EU General Data Protection Regulation (GDPR) to note this updated guidance.

Any transfer of personal data from a controller to a processor must be covered by a DPA. A DPA is a legally binding agreement between the parties designed to ensure GDPR compliance.

The EDPB's opinion recommends a lot of additional details and obligations. You may need to update your existing DPAs to meet the EDPB's recommendations.

This article will guide you through the new recommendations and provide some examples of existing DPAs that meet them.


Data Processing Agreements

The GDPR requires processors to only process personal data subject to a DPA. Failure to have a DPA in place when working with a processor is a very serious GDPR violation.

The DPA serves to ensure that the processor only processes personal data for a specific purpose. The DPA also allows the controller, and ultimately data subjects, to retain autonomy over the personal data after transferring it to the processor.

The GDPR's requirements are already extensive in this area. Article 28 of the GDPR states that DPAs must set out details of the scope and purpose of the data processing, specify how personal data will be protected, and impose legal obligations on both parties.

The EDPB's Opinion

The EDPB is the EU's independent data protection body, comprising representatives from each EU country's Data Protection Authorities.

The GDPR allows Data Protection Authorities to submit standard clauses for inclusion in DPAs. The EDPB's Opinion 14/2019, published July 2019, comes in response to a submission by the Danish Data Protection Authority (known as the Datatilsynet).

The EDPB's opinion critiques the Datatilsynet's proposed standard DPA clauses, recommending changes to bring them more in line with the requirements and spirit of the GDPR. The opinion is not legally binding, but it tells us what the EDPB considers to be a "good" DPA.

Applying the EDPB's recommendations would significantly increase the level of detail present in most DPAs and impose several additional obligations on processors.

However, a DPA is only valid insofar as it complies with EU law. Therefore, it's in your interests to ensure your DPA is in line with the EDPB's standards.

Article 28 Requirements

Before we look at what the EDPB recommends for your DPA, let's recap the basic requirements under Article 28 of the GDPR.

Here are the main obligations that a DPA must impose on a processor, set out at Article 28 (3) of the GDPR:

EUR-Lex GDPR Article 28 Section 3

The Article 28 (3) requirements oblige a processor to:

  1. Only process personal data under written instructions from the controller
  2. Ensure anyone with access to the personal data has committed themselves to confidentiality (either explicitly or impliedly under law)
  3. Apply security safeguards to personal data, per Article 32
  4. Only engage additional processors (known as "sub-processors") with the written authorization of the controller
  5. Assist the controller in facilitating data subject rights requests
  6. Assist the controller in complying with the GDPR's security, data breach notification, and data protection impact assessment (DPIA) requirements, per Articles 32 to 36
  7. Delete or return all personal data once the controller no longer engages its services
  8. Demonstrate its GDPR compliance to the controller by providing any necessary information and contributing to audits

Article 28 (3) also states that the processor must immediately inform the controller if it is instructed to process the personal data in an unlawful manner.

There is a further requirement under Article 28 (4) that should be included in a DPA:

EUR-Lex GDPR Article 28 Section 4

Article 28 (4) requires processors to only engage sub-processors under an agreement that imposes equivalent protections as the original DPA. If a processor fails to do this, it will be liable for any GDPR violations caused by the sub-processor.

Overview of EDPB's Opinion

In analyzing the Datatilsynet's standard DPA clauses, the EDPB's opinion provides some helpful insights about DPAs, including the following:

  • When the DPA makes reference to a GDPR provision, it should use the GDPR's wording.
  • The EDPB states that the DPA should "stipulate and clarify how the provisions of Article 28(3) and (4) will be fulfilled." This means that your DPA must not only list the Article 28 requirements but also explain what they mean and how the processor will meet them.
  • The DPA should explain what will happen if the processor notifies the controller that it has been instructed to process personal data in an unlawful way.
  • When identifying how the processor will assist the controller with DPIAs, the EDPB recommends detailing the various types of risk to be assessed.
  • The EDPB makes the following recommendations about engaging sub-processors:

    • If the controller has approved specific sub-processors when writing the DPA, these sub-processors should be listed in the DPA itself.
    • Data controllers must be able to exercise choice over the appointment of sub-processors.
    • Although the GDPR doesn't require it, it is a good idea for the DPA to cover what will happen if a sub-processor goes bankrupt while it is in possession of personal data.
    • Although processors are liable for sub-processors' data breaches, the DPA should explain that this does not affect data subjects' rights of action against a controller or a processor.
  • The DPA should clearly define international transfers of personal data and should specify that the controller has the authority to permit or refuse them.
  • The DPA should not only list the data subject rights but also specify the steps that the processor must take to assist the controller in facilitating the data subject rights.
  • The DPA should provide details about how and when the processor should notify the controller of a data breach.
  • The EDPB makes the following recommendations about audits and inspections:

    • Any provisions requiring the processor to submit to an audit or inspection must also apply to sub-processors.
    • If audited by a third party, the processor's or sub-processor's audit report must be made available to the controller for scrutiny. The controller may also require the processor to improve its procedures after reviewing the audit report.
    • The DPA should specify that the controller should have access to facilities and systems used for the processing.
  • If the DPA contains a clause determining the jurisdiction or law governing the agreement, this cannot override or limit the protections provided by the GDPR.

Applying the New Data Processing Agreement Recommendations

We're now going to work through the GDPR's DPA requirements, supplemented by some of the recommendations present in the EDPB's opinion. We've provided some examples of DPAs which meet the EDPB's recommendations.

Scope of the DPA and Controller's Rights and Obligations

Most of your DPA will concern the obligations of the processor. But the first part of Article 28 (3) specifies some additional information that your DPA must include regarding the processing itself.

EUR-Lex GDPR Article 28 Section 3: Introduction section

The DPA must specify:

  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The type of personal information and categories of data subjects
  • The obligations and rights of the controller

Here's how marketing and analytics company Voluum DSP describes the purposes of its processing in its DPA:

Voluum DSP DPA: Processing personal data clause - Provide services section

And here's an example from Bitrix24 that lists the categories of personal data processed, subject to its DPA (at page 10 of the PDF):

Bitrix24 DPA: Appendix 1 - Subject Matter and Details of the Data Processing Subject Matter - Data Subjects section

Processing Under Written Instructions

Your DPA must contain a clause requiring that the processor "processes the personal data only on documented instructions from the controller..."

Here's how Chattermill does this:

Chattermill DPA: Instructions for Data Processing clause

Confidentiality

Your DPA should include a clause requiring the processor to ensure that anyone with access to the personal data undertakes a commitment to confidentiality.

Here's how SuperOffice does this:

SuperOffice DPA: Confidentiality clause

SuperOffice goes beyond merely stating that employees are bound by a duty of confidentiality. It explains what employees agree to, and for how long they must adhere to it.

This complies with the EDPB's recommendation that the DPA both identifies and explains the Article 28 obligations.

Security (Article 32 Requirements)

Your DPA must require the processor to comply with Article 32 of the GDPR, which sets out the GDPR's security standards.

Again, you must do more than merely assert that the processor must comply with Article 32. You should explain what steps the processor will take to meet its security obligations.

Here's an example from HubSpot:

HubSpot DPA: Preventing Unauthorized Use clause excerpt

This excerpt from HubSpot's DPA lists some of the technical measures it takes to comply with Article 32, including network security and penetration testing.

Engaging Sub-processors

The DPA must contain a clause requiring the processor only to engage sub-processors subject to the controller's authorization, under an agreement between the processor and its sub-processors that provides at least equivalent protection over the personal data.

The EDPB's updated guidance also recommends including a list of all sub-processors approved by the controller when signing the DPA.

Because the controller has the right to approve further sub-processor appointments, the EDPB also recommends that the DPA contains a requirement on the processor to provide advance notice of any new sub-processors.

Here's an example from TimeTac:

TimeTac DPA: Change of subcontractor permissible clause

Note that in addition to listing the relevant sub-processors, TimeTac agrees to provide advance notice of the engagement of further sub-processors. The controller then has an opportunity to object to the appointment.

The EDPB also makes recommendations about the agreements between processors and sub-processors. For example, the EDPB recommends requiring processors to assign the controller as a third-party beneficiary in the event of the sub-processor's bankruptcy.

Here's how Players 1st does this:

Players First DPA: Data controller as third party beneficiary clause

The EDPB also recommends clarifying that the processor's liability for its sub-processors does not affect data subjects' rights to pursue a complaint or legal claim against the controller or the processor.

Facilitating Data Subject Rights

Your DPA must require the processor to assist the controller in facilitating data subject rights, such as the right to access or delete personal data in the processor's possession.

The EDPB's opinion builds on this requirement, recommending that the DPA describes how the processor will facilitate data subject rights and sets a timescale for the processor to notify the controller if they receive a data subject rights request.

Here's an example from Amiqus that implements some of the new guidance:

Amiqus DPA: Data subject rights clause

Note that Amiqus explains the processor's commitments in practical terms, and also references the relevant provision of the GDPR.

Data Breach Notification, Data Protection Impact Assessments

DPAs must oblige processors to notify controllers in the event of a data breach and assist controllers with carrying out data protection impact assessments (DPIAs).

The EDPB's guidance suggests some ways in which DPAs can add further detail to these requirements.

Here's a section from Headminer's DPA:

Headminer DPA: Annex 4: Data Protection Impact Assessment clause

Rather than making a generic commitment for the processor to assist the controller with any necessary DPIAs, Headminer enumerates four steps that the processor will take to assist the controller with its DPIAs.

Note that Headminer's DPA also refers to the "rights and freedoms of the data subject." This also aligns with the EDPB's recommendations.

Regarding data breach notification, the EDPB recommends using the GDPR's wording: the processor should give notification on "becoming aware" of a data breach (rather than "discovering").

Here's an example from Firefish:

Firefish DPA: Personal Data Breach clause - Investigation and Communication section

Firefish's DPA aligns with the EDPB's guidance in several ways:

  • It sets a timescale for breach notification (24 hours)
  • It describes the steps that the processor will take upon becoming aware of a breach
  • It describes what the processor will do if the breach is likely to result in a high risk to data subjects' "rights and freedoms"

Destroying or Returning Personal Data

Under Article 28 (3) (g), a DPA must require the processor to delete or return any personal data in its possession once the controller no longer engages its services.

Here's how HubSpot does this:

HubSpot DPA: Deletion or Return of Personal Data clause

The controller can choose whether the processor deletes or returns the personal data in its possession. The EDPB recommends that the controller be permitted to change its preference even after the DPA is agreed upon.

The EDPB also recommends that the DPA contains an annex listing any national or EU laws that require personal data to be retained for a certain period:

"[Optional] The following EU or Member states law applicable to the processor requires storage of the personal data after the termination of the processing services: ................ The processor commits to exclusively process the data for the purposes provided by this law and under the strict applicable conditions."

Audits and Inspections

The processor must submit to audits by the controller or an authorized third party.

The EDPB recommends that the DPA should specify that the controller must have access to the processor's premises and should be allowed to make recommendations in light of the results of the audit.

Here's an example from Gateway API (at page 28 of the PDF):

Gateway API DPA: After audit and inspection results, further measures may be taken for GDPR compliance section

Summary

The EDPB's opinion sheds new light on the GDPR's DPA requirements. You must ensure your DPA meets the requirements under Article 28, and you should also implement the EDPB's recommendations as far as possible.

Your DPA should cover:

  • The details of the data processing and the rights and obligations of the controller
  • The processor's obligations, including:

    • Only processing personal data under the written instructions of the controller
    • Ensuring anyone with access to the personal data has committed to confidentiality
    • Maintaining security standards that comply with Article 32 of the GDPR
    • Only engaging sub-processors subject to:

      • The written authorization of the controller
      • A written agreement with the processor
    • Assisting the controller with data subject rights requests
    • Notifying the controller in the event of a data breach and assisting the controller with data protection impact assessments
    • Destroying or returning personal data once the DPA expires
    • Cooperating with audits
Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.