This article is written by Arun Nair who is pursuing a Diploma in Advanced Contract Drafting, Negotiation and Dispute Resolution from Lawsikho.
The European Union's General Data Protection Regulation (GDPR) requires every company or person who processes the personal data of EU citizens to comply with it. One key element of the regulation is the requirement for data controllers to enter into a data processing agreement (DPA) with their data processors, so that the rights of the individuals whose personal data is processed are protected in line with the legislation. This article explains the purpose of a DPA, when it is needed, and which clauses are essential to include in it.
General Data Protection Regulation (2016)
The General Data Protection Regulation (GDPR) lays down rules for the protection of individuals in the European Economic Area with regard to the processing of their personal data by companies for commercial activities. It aims to protect the fundamental rights and freedoms of a person by protecting their personal data. It is regarded as the benchmark law for the protection of privacy; it was adopted in 2016, became fully applicable in 2018, and is now recognised as law across the European Union.
Article 4(1) of the General Data Protection Regulation defines "personal data" as "any information relating to an identified or identifiable natural person, one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person." (EU n.d.)
In other words, personal data is any data that can lead to the identification of a specific person. It may be obviously identifying data such as a name and surname, but it may also be a combination of data such as age, job, company, location, ID number etc. which, when combined, allows a person to be identified. (GDPR 4 n.d.)
Additionally, personal data that reveals an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data, data concerning health, data relating to criminal offences, and data about sex life or sexual orientation, falls under the special categories of personal data.
Examples of data that are not considered personal data include a company registration number and a company contact email address.
As per Article 4(7) of the GDPR, a controller is "any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data."
Processing of personal data means “any operations or set of operations on personal data or set of personal data, whether or not by automated means. These operations may include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.”
Article 4(8) of the GDPR defines a processor as "any natural person or legal person, public authority, agency or other body which processes personal data on behalf of the controller."
- Further, Art. 28(1) states that, if a data controller engages a data processor for processing personal data, the controller shall ensure that the processor implements appropriate technical and organizational measures in such a manner that the processing meets the requirements of the legislation and safeguards the rights of data subjects.
- No processor may engage another processor without the specific written approval of the data controller, and the processor shall inform the controller of all intended changes concerning the addition or replacement of other processors.
- Data Processing Agreements are binding on data processors and set out the subject matter, duration, nature and purpose of the processing, the type of personal data, and the rights and obligations of the data controller under the contract.
- The contract or other legal act further stipulates in particular that the processor:
  - shall process data only on the instructions of the controller, including with regard to transfers to a third country or an international organization;
  - shall ensure the confidentiality of the personal data;
  - shall ensure the safety and security of the personal data;
  - shall comply with the conditions for engaging another processor;
  - shall assist in audits conducted by the controller and in ensuring compliance with the controller's obligation to respond to data subjects who exercise their rights under the GDPR;
  - shall, at the instruction of the controller, delete or return all the personal data once the services are over.
- "If another processor engaged by the initial processor to fulfil specific processing activities under a contract or other legal act fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations."
- "If a processor infringes the Regulation by determining the purposes and means of processing the personal data, the processor shall be treated as a controller in respect of that processing and dealt with accordingly."
Data Processing Agreement
A data processing agreement or a DPA is a binding legal contract between the data controllers and data processors, laying down the scope, purpose, and relationship between both these parties.
A DPA must be signed whenever a data controller outsources processing activities to a third party and, as part of that outsourcing, transfers personal data to the third party. DPAs are also signed between processors and their sub-processors.
A DPA dictates and regulates the specifics of the data processing arrangement between the controller and the processor. It can be in either written or electronic form.
What constitutes a DPA?
The DPA which becomes the part of the principal agreement between the companies and the customers includes ‘model clauses’ which are approved by the European Union Data Protection Authorities known as the Article 29 Working Party. This is the independent European advisory body that deals with issues relating to personal data and privacy protection.
Where the DPA terms are included in the online service terms, no extra agreements are required between the controller and its customers or partners in order to comply with the GDPR's requirements for data processing.
Some of the important clauses to be considered in a Data Processing Agreement are as follows:
Processing of Personal Data
This clause states that the Processor shall comply with all applicable data protection laws when processing the Controller's personal data and shall not process that personal data other than on the Controller's instructions. The clause could be drafted as follows:
"The Parties agree that the Processor shall process personal data only in accordance with the written instructions of the Controller. Additional instructions outside the scope of the written instructions require written agreement between the Parties. The Controller is entitled to terminate the Agreement if the Processor declines to follow the instructions requested by the Controller under this DPA."
Confidentiality
The Parties must keep the agreement, and any information received in connection with it, confidential and must not disclose that information without the prior written consent of the other Party, except where such disclosure is required by law or the information is already in the public domain.
The Processor shall take reasonable steps to ensure the reliability of all employees, trainees and contractors of the Processor who may have access to the Controller's personal data, ensure that such access is strictly limited to the purposes of the Principal Agreement and to compliance with applicable laws, and ensure that all such individuals are subject to confidentiality undertakings. A confidentiality clause could be drafted as follows:
"The Processor will not access, use, or disclose to any third party any personal data, except as necessary to comply with the law or a valid and binding order of a governmental body. If a governmental body sends the Processor a demand for personal data, the Processor shall attempt to redirect the governmental body to request the data directly from the Controller; to achieve this, the Processor may provide the Controller's basic contact information to the governmental body. Further, the Processor restricts its personnel from processing personal data without the prior approval of the Controller and imposes contractual obligations on its personnel regarding confidentiality, data protection and data security."
Security
Considering the cost of implementation and the nature, scope, purposes and risks associated with processing the personal data, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. A security clause could be drafted as follows:
"The Processor shall implement and maintain adequate technical and organizational measures in compliance with the provisions of the GDPR in relation to the personal data. Such technical and organizational measures include pseudonymisation, encryption, backup and archiving for restoration, and regular testing, assessment and evaluation by the Controller of the effectiveness of the technical and organizational measures implemented by the Processor. The Processor shall notify the Controller of a security incident without undue delay after becoming aware of it and shall take reasonable steps to mitigate its effects and minimise any damage."
Sub-processors
The Processor shall not appoint (or disclose any personal data to) any sub-processor without the authorization of the Controller. A sub-processor clause could be drafted as follows:
"The Controller agrees that the Processor may use sub-processors to fulfil its contractual obligations under this DPA or to provide certain support services on its behalf. The Processor shall inform and give notice to the Controller at least 30 days before the Processor engages a sub-processor. The Processor shall restrict the sub-processor's access to personal data to only what is necessary to maintain the service and prohibit its use for any other purpose; shall enter into a written agreement with the sub-processor and impose on the sub-processor the same contractual obligations that the Processor has under this DPA; and shall remain responsible for its compliance with this DPA and for any acts or omissions of the sub-processor that cause the Processor to breach any of the Processor's obligations."
Rights of Data Subjects
Taking into account the nature of the processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures, as far as possible, to fulfil the Controller's obligation to respond to requests raised by data subjects. Such a clause could be drafted as follows:
"The Processor shall assist the Controller in complying with its obligations towards data subjects. Should a data subject contact the Controller with regard to the rectification or erasure of their personal data, the Processor shall use commercially reasonable efforts to fulfil such requests or forward such requests to the Controller."
Data Protection Impact Assessment and Prior Consultation
The Processor shall assist the Controller in carrying out data protection impact assessments (DPIAs) and prior consultations with the competent authorities, as required under the GDPR or equivalent provisions of any other law. Such a clause could be drafted as follows:
"The Processor agrees to assist the Controller in complying with the Controller's obligations in respect of data protection impact assessments and prior consultation pursuant to the provisions of the GDPR."
Erasure or return of Personal Data
Subject to this provision, the Processor shall, promptly after the date on which the service agreement involving the processing of personal data ends, delete and procure the deletion of all copies of the personal data. Such a clause could be drafted as follows:
"The Controller has the right to retrieve or delete the personal data from the possession of the Processor. Following the termination of the agreement, the Processor consents to delete and/or return any personal data held in its possession for the rendering of services in accordance with this agreement, as requested by the Controller."
Audit and Inspection
The Processor is required to make available to the Controller all information necessary to demonstrate compliance and shall allow and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by it, in relation to the Processor's processing of the personal data. Such a clause could be drafted as follows:
"The Controller agrees to exercise any right it may have to conduct an audit or inspection of the Processor. In the event that the Processor declines to follow any instruction requested by the Controller regarding audits and inspections, the Controller is entitled to terminate this DPA and the agreement."
Transfers of Personal Data
The Processor shall not transfer, or authorize the transfer of, personal data to third countries (outside the EU and/or the European Economic Area) without the prior written consent of the Controller. The Parties must ensure that personal data transferred to a third country or an international organization is adequately protected. Such a clause could be drafted as follows:
"The Processor shall not transfer personal data from the Controller's selected region except as necessary to provide the service or as necessary to comply with the law or a binding order of a governmental body. Further, the Processor shall clearly notify the Controller of, and obtain its consent to, any transfer of personal data to a new location before the transfer takes place."
Why are DPAs important?
The GDPR demands that everyone who processes personal data, for any purpose and using any means, must provide adequate safeguards and security in accordance with its provisions.
Data controllers who offshore data processing activities to processors and sub-processors must demonstrate that those processors and sub-processors also provide the same level of protection and safeguards and act in compliance with the GDPR.
How do Processors demonstrate sufficient guarantees?
Adherence to an Approved Code of Conduct (Art. 40)
The EU member states, the supervisory authorities, the Board and the Commission encourage the drawing up of such codes of conduct. Associations and other bodies representing controllers and processors may also draw up their own codes of conduct to meet specific needs.
Certification Mechanism (Art. 42)
Member states may encourage data protection certification mechanisms, data protection seals and marks that demonstrate adherence to the GDPR by controllers and processors and signal the safeguards in place. Such certificates shall be issued by competent certification bodies with expertise in data protection.
Standard Contractual Clauses (SCC’s)
The Commission may lay down standard contractual clauses with respect to providing sufficient guarantees for implementing technical and organizational measures, which may thereafter be adopted by a supervisory authority in accordance with the consistency mechanism (Art. 63) and in turn be incorporated in the contracts between controllers and processors.
Prior Consultation (Art. 36) & Data Protection Impact Assessment (Art. 35)
Controllers (and processors) shall consult the supervisory authority where a type of processing, in particular one using new technology and taking into account its scope and purpose, is likely to result in a high risk to the rights and freedoms of the individuals whose personal data is processed in the absence of appropriate safeguards. In such cases the controller must carry out a Data Protection Impact Assessment and seek the advice of the data protection officer.
Security Measures (Art. 32)
Considering the costs of implementation, the scope of the processing, and the varying likelihood and severity of risks to privacy, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the controller and processor should implement appropriate technical and organizational safeguards such as:
(i) pseudonymisation and encryption of personal data;
(ii) ensuring the ongoing confidentiality, integrity and availability of processing systems and services;
(iii) the ability to restore systems and services in the event of an adverse physical or technical incident;
(iv) regular testing, assessment and evaluation of the effectiveness of the security measures.
Consequences of Infringement to the Regulations
Right to Compensation and Liability (Art.82)
Any person who suffers material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered.
Member states lay down the rules on other penalties for infringements that are not subject to administrative fines and take all measures necessary to ensure that they are implemented. Such penalties must be effective, proportionate and dissuasive.
Imposing Administrative Fines (Art.83)
Supervisory authorities are responsible for imposing administrative fines in cases of infringement. The fine imposed depends on the circumstances of each case, including:
(i) the nature, gravity and duration of the infringement;
(ii) whether the infringement was intentional or negligent;
(iii) the steps taken by the processor to mitigate the damage suffered by data subjects;
(iv) the previous record of the processor;
(v) the degree of cooperation with the authorities;
(vi) adherence to codes of conduct.
Thus, when a controller engages a processor, it must carry out prior due diligence, put in place a GDPR-compliant DPA and, throughout the relationship, continue to carry out ongoing checks on the processor's use of the personal data to confirm that it is complying with the controller's instructions.
The controller must use only processors that provide sufficient guarantees to implement appropriate measures in compliance with the provisions of the GDPR.
A DPA can take the form of an appendix, an addendum, a clause or a standalone agreement. Additional commercial terms may be agreed, but they must not undermine the DPA.