24 July 2020
Complying with the EU General Data Protection Regulation (GDPR) can take a lot of work. You have to make sure that you're processing your users' personal data transparently, storing it securely, and only asking them for the information that you actually need. But that's just part of what's required.
You're also responsible for ensuring that certain companies with whom you share your users' data treat it with the same level of respect as you would.
You must make sure you only pass on your users' data to companies that are GDPR-compliant. And you're legally required to have a contract in place with any data processors - that is, anyone who processes personal data on your behalf.
This is where your Data Processing Agreement comes in. Let's take a look at what you'll need to include in this agreement to make sure it meets the GDPR's requirements.
A Data Processing Agreement is a contract between a data controller and a data processor that covers how to handle the personal data of data subjects. These terms are defined in Article 4 of the GDPR:
An individual could be a data subject, a data controller and a data processor - depending on their relationship to a set of personal data. A company that acts primarily as a data processor will also often be a data controller in some respects.
Let's put this into context. Imagine yourself, an individual (data subject), shopping online at an ecommerce store.
The ecommerce store asks you for your credit card details in order to take a payment. The store is the data controller. It's deciding the purpose (to sell you a product) and means (taking your credit card details) of processing your personal data.
You provide your credit card details via a payment service such as PayPal. Here, PayPal is the data processor. It processes the payment on behalf of the data controller - the ecommerce store.
Some other examples of data processors include companies that offer services in the following areas:
Data controllers must have a Data Processing Agreement in place with any data processors they use. The agreement might be written by the controller or the processor. However, it is binding on both parties.
The GDPR brings new obligations for data processors. As the European Commission puts it, data processors can't "hide behind" their data controllers. But the main obligation to keep personal data safe falls on the data controller.
Recital 74 states that the data controller is liable for any data processing carried out on its behalf. So, it's in a data controller's interest to ensure this processing is done in a safe and legal way.
Under Article 28, a data processor is only permitted to process personal data "on documented instructions from the controller" (unless legally required to do otherwise). A data processor can also hire "subprocessors" to carry out data processing on its behalf, but only with written permission from its data controller. The processor is liable to the data controller for the actions of these subprocessors.
A Data Processing Agreement is a way to meet the requirements placed on both data controllers and processors.
Without a Data Processing Agreement or other written contract in place, it's illegal for a data controller to engage the services of a data processor, or for a data processor to process personal data on a data controller's behalf.
Here is a list of frequently asked questions that you may find useful.
Data controllers are required to have a GDPR Data Processing Agreement (DPA) in place when they use data processors.
This is because data controllers will be sharing legally-protected personal information with data processors during the course of this relationship, and a DPA will help ensure the data processor agrees to handle the data appropriately.
The GDPR requires that the following information be included in your data processing agreement:
Make sure that both parties (you and the data processor) validly sign the agreement to make it enforceable.
There are certain clauses required in every Data Processing Agreement. We're going to take a look at some examples of these clauses within actual Data Processing Agreements.
Bear in mind that many of these are written by large data processors whose clients or customers are data controllers. This doesn't matter. While the wording will vary, these clauses are mandatory in any Data Processing Agreement, whether written by a data controller or data processor.
The Data Processing Agreement must be explicit about what it is that the data processor will actually be doing. For example, the following aspects of the data processing must be specified:
Many Data Processing Agreements include this information as a Schedule or Appendix at the end of the agreement.
Here's an example from Dotmailer:
The duration of the agreement is sometimes referred to as its "term." This is not usually given in months or years. Instead, it stipulates the conditions on which the agreement will terminate. It's normal for a contract to include a clause like this. It's required in a Data Processing Agreement to ensure that data processors cannot process the personal data indefinitely.
Here's the relevant part of a Data Processing Agreement from SEMrush:
Here's part of a Data Processing Agreement from Voluum (Codewise) where it sets out the nature and purposes of the processing it will carry out on behalf of data controllers:
The Data Processing Agreement must include details about the categories of personal data and the categories of data subjects. Here's an example from Virtual College:
Here's how Bitrix24 displays the categories of personal data covered by its agreement:
Try to cover as much of the personal data as possible here. Note how Bitrix starts its clause by saying its Customer Personal Data "may" include the types of data listed. This makes it clear that not every type of data on the list will necessarily be processed, but that it may be.
Whilst the focus of the agreement is on the data processor, the obligations of the data controller must also be made clear.
Here's an excerpt from this section of The B2B Marketing Lab's agreement that covers obligations:
"Data exporter" means "data controller" in this particular agreement.
Note that the obligations aren't very specific at all. This clause works more as a general statement that obligates the data controller to follow the agreement and adhere to laws.
Most of the compulsory terms required in a Data Processing Agreement are obligations on the data processor. These are set out across Chapter 4 of the GDPR, with Article 28 being particularly important.
The processor must process personal data "only on documented instructions from the controller." This is the reason for the Data Processing Agreement itself, but it also needs to be explicitly stated within the agreement.
Here's an example from Questback's agreement:
"Customer" means "data controller" in this agreement because Questback is the processor for other companies, and these other companies are Questback's customers and data controllers in the relationship.
The processor must make sure "that persons authorised to process the personal data have committed themselves to confidentiality." Note that this is not the same as a non-disclosure agreement. It's primarily in place to protect the interests of data subjects - not the data processor or controller.
Here's an example of such a clause from SuperOffice:
"MSA" here is an abbreviation for Master Subscription Agreement - SuperOffice's main Terms & Conditions.
The processor must explicitly agree to comply with the obligations in Article 32 of the GDPR. This part of the GDPR is about the security of the data processing. It requires both data processors and data controllers to build certain security measures into their data processing activities.
Different Data Processing Agreements approach this with varying levels of detail. For example, here's just one small part of this section from TimeTac's agreement:
And here's how Sendmate's agreement addresses this obligation:
Note that both clauses mention Article 32 of the GDPR.
The data processor "shall not engage another processor without prior specific or general written authorisation of the controller." Any such subprocessors are bound by the same level of obligations as the main processor under the Data Processing Agreement.
Note that hiring subprocessors is allowed under the general written agreement of the data controller. The Data Processing Agreement is where such written agreement can be set out.
Here's an example from Trustpilot:
There are a few points to note about Trustpilot's subprocessors clause:
A data controller must facilitate its data subjects' rights, but it might need the data processor's help with this. This is because some of these rights involve accessing or deleting personal data that might be in the possession of the data processor, or restricting or stopping processing that the data processor might be performing.
Here's an example of this clause from Float:
The Data Processing Agreement also presents an opportunity to specify the time period in which a data processor must comply with such a request.
The data controller must carry out a Data Protection Impact Assessment before undertaking any new high-risk data processing project. The processor is obliged to help with this if required.
Here's an example from PayByLink's agreement:
The data controller must report any serious personal data breaches to its Data Protection Authority. The data processor has a part to play here, too. It must "notify the controller without undue delay after becoming aware of a personal data breach."
Here's what Debenhams requires of its data processors in the event of a data breach:
Note that the 72-hour deadline given here might be cutting it a little close. The controller has an obligation to report the breach to its Data Protection Authority within 72 hours. Receiving notification from its data processor towards the end of this period might cause it to miss this deadline.
Under Recital 81, "after the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data."
Here's how HubSpot's agreement complies with this:
The data processor must allow the data controller to conduct audits. These might be conducted by another organization, on the data controller's behalf. The Data Processing Agreement must permit this, but it can also establish the basis on which this may occur.
Here's an example from Capsule, writing as the data processor. It grants the data controller permission to carry out audits - but also sets out the terms of this arrangement.
You can set your own terms here, so long as you do allow audits.
In addition to the mandatory clauses that the GDPR requires, you can also include other terms.
Remember that the Data Processing Agreement is a contract that will govern the way the data controller and data processor do business.
Like with any contract, it's good to set out the definitions of key terms at the start of your Data Processing Agreement. The aim is to keep the number of contractual grey areas to a minimum in the event of a dispute.
Some terms that you'll want to define include:
Here's an excerpt from the definitions section of Inline Manual's Data Processing Agreement:
If you have any proprietary terms or words that you use in a way that isn't generally understood, define them so there aren't any miscommunications or issues with the terms.
Under Article 37, certain organizations need to appoint a Data Protection Officer. Some Data Processing Agreements place a requirement on the data processor to do this.
It might be a good idea to insert this clause into your Data Processing Agreement if, for example, you're asking a data processor to process large amounts of special category data.
Here's the relevant section from Caci's Data Processing Agreement:
The GDPR has some strict rules about transferring personal data outside of the EU. But it is allowed, and will often occur between data controllers and their data processors, or between data processors and their subprocessors.
International data transfers can take place under certain conditions, including where the third country has received an adequacy decision from the European Commission. The United States has not received an adequacy decision - but transfers are allowed where the recipient US company is part of the Privacy Shield Framework.
Here's how Edgecumbe manages international transfers in its Data Processing Agreement. This is addressed to subprocessors, but it could equally be addressed to a data processor.
The GDPR requires a data processor to keep records of its activities. Agreeing to this requirement is implicit in some of the clauses we've looked at above. But many Data Processing Agreements also include this as an explicit requirement on the data processor, together with the terms on which such records must be shared.
Here's an example from Sleeknote:
As with any contract, it's wise to establish the jurisdiction in which disputes about the agreement will be settled (the "governing law"). Although the GDPR applies across EU countries (with some minor variations), the laws governing contracts may be very different in the countries where the data controller and data processor are based.
Here's an example from Planday's Data Processing Agreement:
Wherever data processing is performed by a data processor, it is essential to have a clear Data Processing Agreement in place. Not only is it a legal requirement, but it will also allow you to set the terms on which you do business, and reduce the opportunity for legal disputes.
Your Data Processing Agreement must include:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.