GDPR Data Processing Agreements

GDPR Data Processing Agreements

Whether you're a data controller, a data processor, or both, it's important to understand data processing agreements and have them in place when need be.

These contracts ensure that all parties involved are properly handling personal data, primarily laying down requirements for data processors to meet before they are trusted with the data provided by the data controller.

If you don't know already, under the GDPR a data controller is essentially the owner of the personal data in question. The data controller likely collected the data and determined how and why it will be processed. Data controllers often utilize data processors to assist them with a variety of tasks.

In order to ensure that the data processor handles the data controller's data properly, a data processing agreement is drawn up.

The GDPR actually requires data controllers to have adequate data processing agreements in place whenever they utilize a data processor, though even before the GDPR these contracts were vital to protecting data controllers and their data subjects.

The GDPR sets some guidelines for what must be included in a data processing agreement, which we will discuss later in this article.

What is a data processing agreement?

What is a data processing agreement?

A data processing agreement (DPA) - also known as a data processing addendum - is a contract between data controllers and data processors or data processors and subprocessors. These agreements are intended to ensure that each entity in the partnership is operating in compliance with the GDPR or other applicable privacy laws in order to protect the interests of both parties.

For example, if you collect personal data from the users on your website, then use a third-party processor to handle some aspect of your business strategy, you would want to know that that data processor is operating within GDPR compliance and doing what they should be doing with the important data of your users.

Should your data processor break compliance, mishandle data, or fall victim to a data breach, a data processing agreement can protect you legally by proving that you did your due diligence to ensure that the company you partnered with was following proper procedures.

Without such a contract, responsibility and blame may fall on your for utilizing a third-party without adequate policies and procedures in place. This could also affect your users who trusted you with their personal information.

Here's an excerpt from Basecamp's DPA, which it notes is a standard DPA.

Basecamp: Intro excerpt of the standard Data Processing Addendum

Data controllers should have a DPA in place with all of the data processors they use. Data processors should also have a data processing agreement with any subprocessors they use.

Essentially, if you share personal data that you have been trusted with with another company, a contract should be drawn up to ensure that everyone is handling that data properly.

Do I need a data processing agreement?

Do I need a data processing agreement?

If you are asking this question, then you probably do.

Essentially, if you share personal information with a data processor in order to carry out a task, you should have an agreement in place with that data processor.

Some large data processors will have contracts that they use with all of their clients that could be adequate for this purpose, but it would be wise to ensure that this contract protects you from your point of view and is not simply for the benefit of the data processor. Doing this could leave you vulnerable in certain situations.

The GDPR sets the groundwork for minimal requirements that should be included in every data processing agreement. These requirements are geared primarily toward ensuring that data subjects are protected by a system of checks and balances between the data controller and data processor, but these guidelines also offer several layers of protection for all parties involved.

While a data processing agreement may seem like it is intended to protect the data controller from legal issues if a data processor mishandles their data, it actually does much more than that.

Like any contract, a data processing agreement seeks to ensure that all parties are acting appropriately and holding up their end of the deal.

While this does reduce the culpability of the data controller in the event that the data processor mishandles data, the contract also requires that the data controller does their due diligence to ensure that the processor they are using is credible and capable.

This prevents data controllers from using a data processor who is fast and loose with the rules, as the contract requires the data processor to meet certain requirements and for the data controller to do their part in ensuring that those requirements are met.

Here's an excerpt from Article 28 that deals with the data processor requirements:

GDPR Article 28: Section 1: Data processor requirements

This balance gives each party some level of accountability for the other short of activity that occurs without the other having any knowledge of it.

While a data processing agreement certainly won't prevent all breaches of compliance by data processors, it sets firm rules for how data should be handled and gives the data controller some responsibility in making sure that those rules are followed.

Data processing agreements for small businesses

Data processing agreements for small businesses

While small business may not need as many or as thorough of data processing agreements, they should still have them if they use third-party services or data processors with whom they share the personal information of their users.

Data processing agreements are meant to protect both your company and its users from mishandling of personal data that could result in damages or lawsuits. A data processing agreement is just as necessary for small businesses as it is for large ones.

Small businesses often use third-parties or data processors to assist in areas that large companies might handle internally, such as payment processing and customer service. If, for example, you run a small website and use a third-party service to process online payments, you will need to have a contract in place to ensure that your payment processor is handling the payment data of residents of the EU in compliance with the GDPR.

If your company is GDPR compliant, any data processors you use should be too, and that includes having a compliant data processing agreement in place.

What should be included in a data processing agreement?

What should be included in a data processing agreement?

Articles 28 through 36 of the GDPR cover the requirements for data processing and data processing agreements. This is quite a large amount of information, but let's break it down into more manageable terms that you can apply to your business.

Your DPA should cover these topics and work to enforce the following standards.

Article 28 lays down the ground rules for processors under the GDPR.

GDPR Article 28: Section 3: data processor

This Article makes it clear that data processors can only process data in the way the data controller has instructed, unless some specific exceptions apply.

Article 29 states that data should only ever be processed by instructions from the data controller. Essentially the data controller is the owner of that data and responsible for it, so no entity should ever process that data unless instructed to do so by the data controller (except in cases where Union or Member State law would require it).

GDPR Article 29: Processing under the authority of the controller or processor

Here's how Basecamp's DPA includes clauses that address this processor/controller relationship:

Basecamp's Data Processing Addendum: Processing of Personal Data clause excerpt

Article 30 dictates that data controllers or their representatives should maintain records of processing activity under their authority. This includes processing done by the data controller's data processor as covered in a data processing agreement.

GDPR Article 30: Section 1: Records of processing activ

Article 30 gives similar requirements for data processors.

GDPR Article 30: Section 2: Records of processing activities

All of these records must be in a written form and made available to a supervisory authority upon request. Organizations of fewer than 250 employees are exempt from these requirements unless they process data regularly, process data that could put data subjects' rights and freedoms at risk, including but not limited to the processing of special categories of data or information regarding criminal histories.

Article 31 states that data controllers and data processors (or their representatives) shall cooperate with supervisory authorities.

GDPR Article 31: Cooperation with the supervisory authority

Article 32 puts forth the security requirements for data controllers and processors in order to protect the rights and security of their data subjects. These security measures are referred to in the GDPR's guidelines for adequate data processing agreements.

GDPR Article 32: Section 1: Security of processing

Here's a clause from the Basecamp DPA that discusses security measures:

Basecamp's Data Processing Addendum: Security clause

Article 33 and Article 34 cover the proper procedures for notifying the supervisory authority as well as the data subjects of security breaches involving personal data. This includes the data controller notifying the proper authority as well as the data processor notifying their data controller as described in the GDPR's guidelines for adequate processing agreements.

Here's the Basecamp clause that discusses this:

Basecamp's Data Processing Addendum: Customer Data Incident Management and Notification clause

Article 35 explains data protection impact assessments including when and how they should be performed. It also mentions how data controllers and data processors should take into account the other's compliance with contractual agreements (such as data processing agreements) when performing data protection impact assessments.

This is part of the "due diligence" referred to in the GDPR's data processing agreement requirements, putting some responsibility on data controllers to ensure that the data processors they are using are credible and compliant with the GDPR.

GDPR Info Article 35: Section 8 - Data Protection Impact Assessment

Article 36 covers situations where a data protection impact assessment shows high risk and lays out the procedure for data controllers, data processors, and supervisory authorities to communicate and gives timelines for when supervisory authorities should provide the data controller and/or processor with consultation on how to improve the situation so that data processing can commence safely.

Here's the related clause from Basecamp:

Basecamp's Data Processing Addendum: Data Protection Impact Assessment clause

These articles make up the majority of guidance from the GDPR regarding data processing agreements and the components of those agreements. This can be quite a lot to understand on the first read, so let's review the key points as they apply to you and your GDPR-compliant data processing agreements.

The GDPR requires that the following be included in your data processing agreement:

  • What information is being processed
  • How long that information will be processed
  • Why this information is being processed
  • The rights and responsibilities of the data controller
  • That the data processor should only act according to written instructions from the data controller
  • That data processing is done confidentially
  • That proper security measures are in place during every step of data handling
  • Subprocessors only be used with the data controller's knowledge and consent
  • Data controllers and processors should work together to resolve subject access requests
  • Data controllers and processors should work together to protect the rights and privacy of data subjects
  • Data processors must inform data controllers of data breaches
  • Data processors should assist data controllers in data protection impact assessments where applicable
  • Data processors should erase or return the personal information from the data controller after the contract is complete
  • Both data controllers and processors should be prepared for audits or inspections and assist one another as needed to demonstrate compliance
  • Data processors and controllers should be on the lookout for any practices that break GDPR compliance and notify the other so that corrections can be made
  • The data processor shall have a Data Protection Officer appointed as required by the GDPR
  • The data processor shall keep records of processing activity

It may seem like an overwhelming list at first glance, but many of the items are similar to or work in conjunction with others. Many of the rest are obvious or necessary safeguards to ensure all-around compliance and open communication between parties sharing and handling personal data, and their supervisory authorities.

There are a few other things data controllers will want to ensure they have included in their data processing agreements.

These are:

  • Documented instructions to prove intent
  • Proof that the data controller did their due diligence to determine the capability and commitment of the data processor to handle the project safely and legally (such as data protection impact assessments)
  • Security requirements for data processors
  • Procedures for cooperation and communication between the data controller and data processor
  • Procedures in place in case of data breaches or investigations
  • Procedures for the returning or erasing of data at the end of the contract

By providing these clauses within the agreement, the data controller limits their culpability by providing the data processor with everything they should need to conduct their duties properly.

By giving instructions, laying out procedures, and enforcing requirements for safe and lawful data processing, the data controller is not only protecting themself, but ensuring that the data processor is acting within the constraints of the GDPR for the protection of their data subjects.

Conclusion

The GDPR requires data processing agreements between data controllers and data processors and also has requirements for what must be included in those agreements.

These agreements are not just a legal burden imposed by the GDPR, but a necessary contract to protect each party as well as the data subjects involved. Depending on how much and to what extent you require data processing, an attorney will likely be needed as these contracts can get quite lengthy what with the the clauses required by the GDPR and those needed by your organization based on their operations.

If you are looking to create or update a data processing agreement, the above information should help you break down the GDPR's requirements into more manageable steps.

Ross B.

Ross B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.