This article is written by Aparna Naraparaju pursuing Diploma in International Data Protection and Privacy Laws. This article discusses the essential clauses in a Data Processing Agreement or DPA.
This article has been published by Sneha Mahawar.
In this global age, it is often said that data is the new currency. Thousands of companies today collect and exchange enormous volumes of data, so it becomes imperative that adequate security measures are put in place to protect such data at every level. A Data Processing Agreement is one such important measure, which inter alia addresses data security, data breaches and data misuse. In some parts of the world, such as the European Union (EU), it is already mandatory for data controllers and data processors to have a DPA in place. This shows the sheer importance of DPAs. In this article, we will discuss the essential clauses that a DPA should have.
What is a Data Processing Agreement (DPA)
A Data Processing Addendum (or Agreement) is a documented agreement between a data controller and a data processor. It can also be an arrangement between a data processor and a sub-processor, between two controllers, or between a controller and a joint controller. The DPA lays down who the data subjects are, what type of information is processed, what categories of data are processed, who collects the client’s personal data, how it is treated, where it is stored, how long it is stored, how it can be retrieved, how it can be deleted, how it can be processed, how it is protected, and what kind of measures the parties should take in order to prevent data breaches.
Organizations that handle the personal data of European Union data subjects will definitely require a DPA in place. Article 28 of the EU GDPR provides guidelines on the clauses to be included in such agreements, and heavy fines and penalties can be imposed for failure to observe them. A DPA can be annexed as an appendix to the underlying service contract, such as a SaaS contract. The terms of the DPA should exactly reflect the processing activities that pertain to the services provided. It is a legally binding document and relates to identifiable individuals. The DPA cannot stand on its own; it refers back to the underlying agreement, so there will be a certain amount of cross-referencing between the DPA and the underlying contract.
Essential clauses in a Data Processing Agreement (DPA)
One essential clause is a definitions clause: the DPA should define its important terms to avoid any ambiguity in interpretation. The parties should agree to include definitions of Applicable Laws, Client, Client Personal Data, Contractor, EU Data Protection Laws, GDPR, Restricted Transfer, Services, Subprocessor, Controller, Data Subject, Member State, Personal Data, Personal Data Breach, Processing, Processor, Rights of Data Subjects and Supervisory Authority.
The data subjects clause lays down whose personal data falls within the ambit of the DPA. For example, individuals in the European Union whose personal data has been collected are the data subjects.
Personal Data Breach
A personal data breach should be defined as unauthorized use of or access to Client Personal Data, loss of such data, or unauthorized disclosure or alteration of such data on systems managed by the Processor.
Processing should be regulated by applicable laws like GDPR.
Each party shall strive to comply with their respective obligations under all applicable Data Protection requirements.
Effective Date and termination date
The effective date and the end date of the DPA have to be provided in this clause. The effective date could be any date after May 25, 2018, when the GDPR became applicable.
Processing of Client Personal Data
Any operation performed upon personal data is called processing. The processing activity actually performed by the Processor needs to be clearly described: whether the processing involves collection of data, recording, organization, structuring, storage, adaptation, retrieval, big data analysis, consultation, disclosure, making data available, alignment, combination, matching, restriction of use or access, profiling of individuals, erasure or destruction, media handling, use of data, etc.
Roles and responsibilities of a controller
The Controller is the entity which determines the means and purposes of processing, and the GDPR assigns it a specific set of roles and responsibilities:
- The Controller is the entity which receives the data.
- The Controller determines the legal basis for collection of the data.
- The Controller obtains the data with the consent of the data subject.
- The Controller determines what data shall be retained, when, and for how long.
- The Controller implements organizational and technical measures for safeguarding Client Personal Data.
- The Controller determines the policies and procedures for processing the data.
- The Controller puts in place mechanisms enabling data subjects to exercise their rights.
- The Controller determines how long to keep the data.
- The Controller acquires valid, explicit consent from the data subject for data processing.
- The Controller collects only the minimum data required for processing and shall not collect or store unnecessary data.
The Controller is to determine the purposes and general means of the Processor’s processing of Client Personal Data in accordance with the Agreement, and to comply with its obligations under the data protection requirements applicable to data controllers.
Roles and responsibilities of a processor
The Processor is the entity that processes personal data under the instructions of, and on behalf of, the Controller. The DPA should include some or all of the following roles:
- The Processor carries out processing under a contract.
- The Processor carries out processing on behalf of the Controller.
- The Processor carries out processing under documented instructions.
- The Processor follows organizational and technical measures while processing Client Personal Data.
- Personnel assigned to the project follow confidentiality measures.
- The Processor assists the Controller during investigations.
- The Processor provides a description of any personal data breach that occurs.
- The Processor complies with Applicable Laws.
Client Personal Data shall be processed in accordance with the MSA and solely for the purposes stated in the MSA and this Addendum. The Processor shall take appropriate technical and organizational measures in order to prevent data breaches. Only the personnel working on this project shall have access to Client Personal Data, and such personnel shall sign non-disclosure agreements with the Processor. The Processor shall cooperate reasonably so that the Controller can comply with its obligations under Article 32 of the GDPR and during any data breach investigations. The Processor shall notify the Controller of any data breach within 2 days of the occurrence of such an event.
Organization and security measures (O&Ms)
The DPA needs to list the O&Ms the Processor shall implement in relation to the Client Personal Data, for example:
- Is the Processor responsible for vulnerability testing of the customer’s internal systems?
- Does the Processor provide a SOC (Security Operations Centre)?
- Does the Processor deploy and configure a Data Loss Prevention solution?
- Does the Processor manage encryption at rest on client devices?
- Does the Processor deploy and monitor anti-virus solutions?
- Are the databases encrypted?
Subprocessors can only be engaged by the Processor after notification to, and approval by, the Controller. The DPA needs to list the subprocessors, if any. If the Controller objects to a subprocessor, it has to do so within the agreed timelines.
Engagement of any third party as a Subprocessor shall be authorized by the Data Controller. Legally binding and restrictive contract terms shall be imposed on the Subprocessors. Client Personal Data shall be accessed by a Subprocessor only to the extent required to perform the obligations under this Agreement. The list of Subprocessors shall be annexed to this Agreement as Exhibit C, and any changes to the list shall be notified to the Data Controller 2 months in advance. The Data Controller reserves the right to object to the addition or deletion of Subprocessors.
A data transfer occurs when processing involves transferring Client Personal Data from the Controller to a Processor in a third country, i.e. a country outside the European Economic Area, the UK and Switzerland that is not subject to an adequacy decision by the EU. In case of any such transfer, the parties are to put in place Standard Contractual Clauses (SCCs).
The Processor shall not transfer Client Personal Data to a jurisdiction outside the EEA or the UK without the prior written consent of the Controller. The parties shall rely on the EU-approved Standard Contractual Clauses (SCCs) for any transfer of Client Personal Data from a country in the European Economic Area to a country outside it.
Deletion and return of data
As in any other agreement, this is a fairly standard clause stating that, after completion of the underlying contract, the data should be returned, deleted or destroyed. The DPA should also state who bears the costs of this obligation and whether the parties have corresponding policies in their security documentation.
Upon completion of its obligations under the underlying Master Services Agreement dated January 25, 2022, the Processor shall:
- Return the Client Personal Data in the Processor’s possession to the Data Controller;
- Anonymize the Client Personal Data so that it no longer constitutes Personal Data; or
- Make the Client Personal Data unreadable or delete it permanently.
The Processor must provide written confirmation of the anonymization, return or deletion of Client Personal Data upon request by the Data Controller.
An audit clause is to be incorporated in order to check whether the organizational and security measures are properly implemented. This can be done by including certain processes such as Data Protection Impact Assessments (DPIAs).
When a company handles client personal data, it is an essential requirement to have a Data Protection Addendum in place, which helps the parties comply with the data protection regulations of various geographies. Such arrangements help prevent untoward incidents and protect the parties when they occur. Data subjects have been given extensive rights in order to safeguard their personal data, such as the right to access, modify and recall their data, and they include the right to seek judicial remedies and to claim compensation for material and non-material damages. The supervisory authority can impose fines for negligence, and the parties’ intention to support data subjects will be examined. Companies can protect themselves and their customers from data mishaps when there are clear-cut stipulations between the parties on how the data is to be governed.