This article is written by Rebecca Navgire, pursuing Diploma in Advanced Contract Drafting, Negotiation, and Dispute Resolution from LawSikho.
The right to privacy is part of the 1950 European Convention on Human Rights, which states, “Everyone has the right to respect for his private and family life, his home and his correspondence.” From this basis, the European Union has sought to ensure the protection of this right through legislation.
The General Data Protection Regulation (GDPR), implemented on May 25, 2018 by the European Union (EU), has impacted virtually every business that deals with the personal information of EU citizens. This legislation mandates that every EU member state, as well as any other country that processes the personal data of EU citizens, must take serious measures to protect such data. In order to comply with the GDPR, data controllers and data processors are required to sign a data processing agreement (DPA).
In this article, we shall try to demystify the contract requirements for data transfers to a processor.
What is the GDPR?
Amidst unintended breaches of personal data and cloud services being entrusted with massive amounts of data, the EU stands up for data privacy and security with the GDPR.
The GDPR is a stringent privacy and security law, spanning hundreds of pages, that sets out several new requirements pertaining to the protection of EU citizens’ data handled by organizations around the world. It is a piece of legislation drafted and passed by the EU, but it applies to any organization that targets or collects data related to people in the EU.
History of GDPR
With the invention of the internet and the immense progress made in technology, the EU recognized the need for modern protections. Ultimately, the European Data Protection Directive was passed in 1995. It established minimum standards of data privacy and security, upon which each member state based its own implementing legislation. Following that, the data protection authority of Europe declared that the EU needed “a comprehensive approach to data protection” and began work on updating the 1995 directive.
The GDPR entered into force in 2016 after being approved by the EU Parliament, and all organizations were required to comply as of May 25, 2018.
Key definitions of GDPR
In the GDPR, a variety of legal terms are defined in great detail. Below are a few of the most important ones that are referred to in this article:
Data protection principles
One must adhere to the seven protection and accountability principles outlined in Article 5.1-2 while processing personal data:
Scope and penalties
Huge GDPR fines await those who do not comply!
The regulation applies to anyone who processes personal data of EU citizens or residents, or who offers goods or services to such people, even if they are not part of the EU. Further, large fines for any violations, capped at €20 million or 4% of global revenue (whichever is higher), are imposed under the GDPR, along with a right for data subjects to seek compensation for damages.
There are, however, two tiers of fines, depending on the severity and type of offence. According to the guidelines, for violations of GDPR related to data processors, fines can amount to as much as €10 million or 2% of global revenues.
Whatever the case, signing a DPA and adhering to its terms is much better than paying a GDPR fine.
The supplemental principle 10 (obligatory contracts for onward transfers)
Data processing contracts
- A contract is required to transfer personal data from the EU to the United States of America for processing purposes only, irrespective of the processor’s participation in the Privacy Shield.
- Whether the processing operation is conducted inside or outside the EU, and whether or not the processor is a Privacy Shield participant, data controllers in the EU are always required to enter into a contract if a transfer is for processing purposes only.
The purpose of the contract is to ensure that the data processor:
- Follows the data controller’s instructions only;
- Protects personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access through appropriate technical or organizational measures, and determines whether onward transfer of such data is permitted; and
- Assists the data controller in responding to individuals exercising their right of access to personal data, depending on the nature of the processing.
- As Privacy Shield participants provide adequate protection, contracts with Privacy Shield participants do not need prior authorization (as such authorization will be automatically granted by the EU Member States), as is required for contracts with recipients who are not Privacy Shield participants.
Transfers within a controlled group of corporations or entities
- When personal data is transferred between two data controllers within a controlled group of corporations or entities, the accountability for onward transfer principle does not always require a contract.
- For controlled groups of corporations or entities, data controllers may be able to transfer data in accordance with other instruments, such as EU Binding Corporate Rules or other intra-group instruments, if they wish to maintain the continuity of protection for personal data under the principles. The Privacy Shield ensures that the principles are followed during such transfers.
Transfers between controllers
- The recipient or their recourse mechanism needs to be covered by the Privacy Shield if data is transferred between data controllers.
It is imperative that the Privacy Shield organization has a contract with the recipient third-party data controller that provides the same level of protection as under the Privacy Shield. Nevertheless, the third-party data controller does not have to be a Privacy Shield organization or have an independent recourse mechanism, so long as equivalent mechanisms exist.
Why is a DPA required?
Nowadays, businesses rely on the services of third parties for processing personal data. It could be an email client, a cloud storage service, or website analytics software.
Under European data protection law, personal data of EU citizens can be processed by another party outside of the EU, provided that the parties sign a legal agreement, such as a DPA, that governs this processing.
A DPA is a legally binding contract between the data controller and the data processor, either in writing or in electronic form, intended to regulate the terms and conditions under which the personal data of EU citizens may be processed. It lists out the rights and obligations of each party concerning the protection of personal data.
A DPA may be cumbersome, but it is one of the most fundamental steps of compliance and is necessary to avoid GDPR fines.
Let’s say an IT outsourcing company ABC Ltd. has been assigned by a customer in the EU to develop a database management system for a healthcare facility. Obviously, this will involve the need to access patients’ personal and sensitive information. Even if that information will not be stored on any of ABC Ltd.’s devices, the work still falls under “personal data processing.” As a result, the terms for protecting, processing, storing and using this data must be agreed upon, and the DPA is what stipulates those terms of cooperation.
Similarly, if an organization is a data controller and wishes to transfer data to a third party, for example a cloud provider, as part of outsourcing, a DPA must be signed.
The DPA basics
To comply with the GDPR, data controllers must ensure the protection of the personal data they handle. When handling data, data controllers may choose to outsource certain tasks to suppliers and sub-processors, but they must demonstrate that they also provide sufficient guarantees to ensure the data is protected and used in accordance with the GDPR.
Likewise, if a processor decides to outsource its tasks, it must sign a DPA with the sub-processor and ensure that the sub-processor complies with the requirements of the GDPR.
The relationship between controller and processor, and their shared obligations
Under the GDPR, it is a shared responsibility of data controllers and data processors to comply with the regulations. Also, the data processors now have directly enforceable obligations.
As per Article 28(3), processing by a data processor shall be governed by a contract or other legal act under Union or Member State law:
- That is binding on the data processor with regard to the data controller; and
- That sets out:
  - Subject-matter and duration of the processing,
  - Nature and purpose of the processing,
  - Type of personal data and categories of data subjects,
  - Obligations and rights of the data controller.
Without clear instructions, data processors cannot process personal data on behalf of a data controller.
The data controllers are responsible for ensuring that data processors are able to guarantee safe processing, as the data processors are required to be GDPR compliant.
There are several ways in which data processors must assist a data controller, including handling requests from data subjects and performing data protection impact assessments. Also, the data processors cannot hire a sub-processor without the data controller’s consent.
Both the data controllers and processors must maintain records of their processing activities and cooperate with supervisory authorities when requested.
As per the GDPR, even if a data breach occurs on the side of the data processor, the data controller may be held liable. The data processor must therefore be able to provide adequate security to all the data transferred to them by the data controller.
Contents of Data Processing Agreement
A DPA is essential to ensure the privacy of data subjects’ personal data. We will look at what a DPA is, what it needs to include, and a few examples of DPA clauses.
Having a DPA in place is in your best interest if you are a business owner subject to the GDPR. It not only helps you comply with GDPR but assures that the data processor you are using is qualified and capable.
Generally, a DPA covers:
- Scope and purpose of data processing;
- What data is processed and how it shall be protected;
- The relationship between the data controller and data processor.
The controller must be very clear from the outset regarding the extent of the processing being contracted out.
In accordance with the European Data Protection Board (EDPB) Guidelines, entities must analyze their relationships systematically and thoughtfully, and not rely on boilerplate DPAs.
Article 28(3) of the EDPB Guidelines sets out the following specific terms or clauses that must be included in the contract:
Processing only on the documented instructions of the controller
The data processor must only process personal data in accordance with the data controller’s instructions (including when transferring data internationally) unless it is required to do otherwise by UK law.
Instructions can be documented in any written format, including email. There must be a way to save the instruction so that there is a record of it.
Duty of confidence
The contract must state that the data processor will obtain a confidentiality commitment from anyone it authorizes to handle the personal data unless that person is already under such a duty by law.
As part of the contract, the data processor’s employees and any temporary workers or agency workers with access to personal data should be covered.
Appropriate security measures
The data processor must take all security measures necessary to meet the requirements of Article 32 for the security of data processing. In accordance with Article 32, both data controllers and data processors are required to put in place appropriate technical and organisational measures to ensure the security of personal data they process, including, as appropriate:
- Encryption and pseudonymisation;
- Ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Ability to restore access to personal data in case of an incident; and
- Processes for the regular testing and assessing of the effectiveness of measures.
Use of sub-processors
The contract must state that:
- Unless specifically or generally authorized, the data processor shall not engage another data processor (a sub-processor);
- When a sub-processor is employed under the data controller’s general written authorization, the data processor should inform the data controller of any changes planned and give the data controller a chance to object;
- A processor who employs a sub-processor must have a contract in place requiring it to comply with Article 28(3) of the GDPR. The sub-processor should provide sufficient guarantees to implement the appropriate technical and organizational measures in a way that meets the UK GDPR’s requirements. These obligations do not need to exactly mirror those set out in the contract between the data controller and the data processor, but should provide an equivalent level of protection for the personal data; and
- The data processor is responsible for ensuring that its sub-processors comply with its data protection obligations.
Data subjects’ rights
The contract must require the data processor to take “appropriate technical and organisational measures” to assist the data controller in responding to requests from individuals to exercise their rights.
Assisting the controller
The contract must specify that the data processor shall assist the data controller in complying with its obligations, taking into account the nature of the processing and the available information:
- Keep personal data secure;
- Notify personal data breaches to the ICO;
- Notify personal data breaches to data subjects;
- Carry out data protection impact assessments (DPIAs) when required; and
- Consult ICO where a DPIA indicates there is a high risk that cannot be mitigated.
End of the contract
The contract must state that at the end of the contract the data processor must:
- Delete or return to the data controller all the personal data it has been processing for it, at the data controller’s choice; and
- Delete all existing copies of the personal data unless UK law requires it to be stored.
Audits and inspections
The contract must require:
- The data processor to provide the data controller with all the information that is needed to show that the obligations of Article 28 have been met; and
- The data processor to allow for, and contribute to, audits and inspections carried out by the data controller, or by an auditor appointed by the data controller.
Analysing the requirement for transfers between controllers
The following things should be taken into account before signing a DPA:
An important element of a DPA is whether the data processor provides adequate guarantees for the protection of the data. In accordance with the GDPR, a controller can be held liable for a data breach even if it originated with the data processor. As a result, it is in the interest of both parties to ensure that the data processor has sufficient capability to protect all the data transferred from the controller to that processor. Moreover, the data processor should take appropriate measures to minimize the effect of a data breach and notify the data controller promptly of that breach.
To ensure compliance with its original legal basis for processing, the data controller needs to oversee the data processor’s adherence to the DPA. Data processors should not be able to process personal data for any purpose other than what has been outlined in the DPA. The data controller shall check how the data processor will handle the data it transfers.
A DPA should be clear and specific. For example, if the controller is going to audit the processor, all the details of the procedure must be specified. By doing this, it will be easier to ensure that data processors and contractors are clear about expectations and that the contract does not contain any weak points.
Sample data processing agreement
Data Processing Agreement
This Data Processing Agreement (“Agreement”) made on _____ between _____________________ (the “Company/Data Controller”) and _____________________ (the “Data Processor”) specifies the parties’ data protection obligations, which arise from the Data Processor’s processing of personal data on behalf of the Data Controller under the Contract for Services (“Principal Agreement”).
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
2. Processing of Personal Data
The Data Processor shall:
2.1 Process personal data in accordance with this Agreement and comply with all applicable Data Protection Laws;
2.2 Process personal data solely to carry out the obligations under the Agreement; and
2.3 Not process personal data other than as authorized by the Company.
3. Data Processor Personnel
The Data Processor shall:
3.1 Ensure that any Data Processor personnel who have access to personal data have committed themselves to the obligation of confidentiality outlined in the Agreement or are under a statutory obligation of confidentiality.
3.2 Ensure that all Data Processor personnel who must access personal data are fully informed about the sensitive nature of such data and the security procedures to be followed.
4. Security
4.1 Throughout the term of the Agreement, the Data Processor shall implement and maintain, and shall procure its Sub-processors to implement and maintain, appropriate technical and organizational security measures to protect personal data against accidental or unauthorized access, unlawful destruction, loss, damage or alteration, and against unauthorized disclosure, abuse or other unlawful processing, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
5. Sub-processors
5.1 The Data Processor shall not appoint any Sub-processor (or disclose any personal data to one) unless authorized or required by the Company.
6. Data Subject Rights
6.1 The Data Processor must cooperate fully and assist the Data Controller as much as is reasonably possible so that the Data Controller may respond to data subjects’ requests for the exercise of their rights.
6.2 The Data Processor shall:
(i) Notify the Data Controller immediately of any request for the exercise of rights received from data subjects.
(ii) Provide the Data Controller with all the technical and organisational measures necessary to respond to the data subjects’ requests.
(iii) While the Data Controller is responsible for responding to the data subjects’ requests, the Data Processor may accept responsibility for completing a few specific requests, provided that such tasks do not require disproportionate effort from the Data Processor and that the Data Controller provides written instructions.
7. Data Protection Impact Assessment
7.1 The Data Processor shall assist the Company with any data protection impact assessments, and with any consultation with Supervisory Authorities or other competent data privacy authorities, required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in relation to the processing of personal data, taking into account the nature of the processing and the information available to the Data Processor.
8. Deletion or Return of Personal Data
8.1 Upon expiration or termination of the Agreement, the Data Processor shall (at the Data Controller’s choice) destroy or return to the Data Controller all personal data under its control. If the Data Controller has not elected either option within 90 days, the Data Processor may delete the personal data from all locations. This requirement shall not apply to the extent that the Data Processor is required to retain any or all of the data by applicable law.
8.2 At the Data Controller’s request, the Data Processor shall certify in writing the destruction of the personal data.
9. Audit Rights
9.1 The Data Processor shall provide the Company, on request, with all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits and inspections by the Company, or an auditor appointed by the Company, in relation to the processing of personal data by the Data Processor.
10. Data Transfer
10.1 The Data Processor shall not transfer or authorize the transfer of personal data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company. Personal data transferred from an EEA country to a country outside the EEA under this Agreement shall be adequately protected by the parties.
10.2 Unless otherwise agreed, both parties shall rely on EU-approved standard contractual clauses for the transfer of such personal data.
11. General Terms
11.1 Confidentiality. The parties to this Agreement must keep this Agreement, and all information they receive about the other party and its business in connection with this Agreement (“Confidential Information”), confidential, and must not use or disclose this Confidential Information without the other party’s prior written consent except to the extent that:
(a) The disclosure is required by law; or
(b) The information is already in the public domain.
11.2 Notices. The parties shall provide written notices and communications under this Agreement either personally, by post or by email to the address or email address listed in the heading of this Agreement, or to such other address as notified by the parties from time to time.
12. Governing Law and Jurisdiction
12.1 This Agreement shall be governed by the laws of _______.
12.2 Any dispute arising in connection with this Agreement, which the parties are unable to settle amicably, will be submitted to the exclusive jurisdiction of the courts of __________ with the right of appeal to ________.
IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out above.
Schedule 1: Service Description and Pricing
Schedule 2: Data Processing and Security
Data protection is the fair and proper use of information. It is about treating people fairly and openly, giving them control over their identity and interactions with others, and striking a balance between their own needs and the needs of society as a whole. Moreover, it involves removing unnecessary barriers to trade and cooperation and is essential for innovation.
Data subjects in the EU have more control over how their data is used than ever before, thanks to the GDPR. Any collection of information about individuals for purposes other than personal, family, or household needs to be GDPR compliant. As most businesses outsource their operations, personal data is increasingly flowing between organisations, resulting in a web of responsibility and authority.
In this article, we have attempted to briefly discuss the contract requirements for data transfers to a processor in light of the DPA.
According to Article 28(3), data controllers, processors, and sub-processors must enter into written contracts, or DPAs, to share personal data. These agreements detail the roles and responsibilities of the data controllers, processors, and sub-processors and limit their liability.
Essentially, a DPA provides assurance that the processor or sub-processor performs their due diligence to ensure the privacy of personal data. For instance, if a controller and processor enter into a DPA and the processor experiences a breach, then the DPA would potentially limit the controller’s liability for breaches.
Whether you are a data controller entering into a DPA with a data processor or a data processor engaging a sub-processor, ensuring that your DPAs meet these requirements can be a challenge. Hence, besides the template provided above, you may also refer to the model clause examples for international data transfers.