This article has been written by Arun Nair pursuing the Diploma in Advanced Contract Drafting, Negotiation and Dispute Resolution from LawSikho. This article has been edited by Dipshi Swara (Senior Associate, Lawsikho).
Practically every company today whose business involves working with customer data collected online relies on third parties and outsources its data processing activities to them. These third parties (also called processors), to whom the personal data is transferred for processing, include cloud storage service providers, analytics providers, email client service providers, cybersecurity providers, dedicated server providers, etc., and every company (hereafter referred to as the data controller) that relies on such third parties to process its customers’ data is required to enter into a ‘data processing agreement’ to be GDPR compliant. Such data processing agreements (DPAs) are binding on the data processors and set out the subject matter, duration, purpose, nature and type of data, and the rights and obligations of the data controller under the contract. However, it is important to note that a data controller may appoint multiple data processors and, similarly, a lead data processor may engage multiple processors under it for specific processing of personal data, called sub-processors. Therefore, an agreement governing the relationship between the data processor and the data sub-processor is mandatory, and such an agreement is called a data sub-processing agreement (SPA).
The entry into force of the European Union’s General Data Protection Regulation (EU GDPR), 2018 requires all companies that ‘process’ the personal data of citizens of the European Union and the European Economic Area to comply with it in order to avoid heavy fines. This article serves as an introduction to data sub-processing agreements and the essential elements to be included in them.
Firstly, we will try to understand some basic concepts under the GDPR.
- Processing
Article 4(2) defines processing as “any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storing, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
- Personal Data
Article 4(1) of the General Data Protection Regulation defines personal data as “any information relating to an identified or identifiable natural person, one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.” (EU n.d.)
The key elements in the definition are:
- any information
- relating to
- an identified or identifiable
- natural person
These elements together form the crux of personal data.
In other words, it is any data that can lead to the identification of a specific person. It can be obviously identifying data such as a name, but it can also be a combination of data such as age, job, company, city, etc., which, when combined, allows a person to be identified. (GDPR 4 n.d.)
Examples of Personal Data:
- a name and surname;
- a home address;
- an email address such as [email protected];
- an identification card number;
- location data (for example the location data function on a mobile phone);
- an Internet Protocol (IP) address;
- a cookie ID;
- the advertising identifier of your phone;
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person. (Europa n.d.)
Examples of Data not considered as Personal Data:
- a company registration number;
- an email address such as [email protected];
- anonymised data.
Examples of special categories of Personal Data:
- racial or ethnic origin;
- political opinions;
- religious beliefs;
- genetic data;
- biometric data;
- health data;
- sex life or sexual orientation;
- criminal offences.
Processing of special categories of personal data shall be prohibited except for in certain situations.
- Data Controller
As per Article 4(7) of the GDPR, a controller is “any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
- Data Processor
Article 4(8) of the GDPR defines a processor as “any natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
- Further, Article 28(1) states that if a ‘data controller’ engages a ‘data processor’ for processing personal data, the controller shall ensure that the processor implements appropriate technical and organisational measures in such a manner that the processing meets the requirements of the legislation and safeguards the rights of data subjects.
- No processor can engage the services of another processor without the specific written approval of the data controller, and such processor shall inform the controller of all intended changes that may occur with the inclusion or substitution of other processors.
- Data Processing Agreements are binding on the data processors and set out the subject matter, duration, purpose and nature, type of data and rights and obligations of the data controllers under the contract.
- The contract or other legal act further stipulates in particular that the processor:
- Shall process data only on the instruction of the controller including transfers to a third country or an international organization;
- Shall ensure confidentiality of the personal data;
- Shall ensure safety and security of the personal data;
- Shall agree to conditions for engaging another processor;
- Shall assist in audits conducted by the controller and also in ensuring compliance with the controller’s obligation to respond to data subjects who exercise their rights under the GDPR;
- Shall, at the instruction of the controller, delete or return all the personal data once the services are over.
- Sub-Processor
A sub-processor shall mean and include any entity engaged by the processor, or by any further sub-processor, to process personal data on behalf of and under the authority of the data controller.
- Sub-Processing Agreement
A data sub-processing agreement (SPA) is a binding legal contract between the data processors and its sub-processors, laying down the scope, purpose, and relationship between both these parties.
An SPA is mandatory whenever a data processor, with the permission of the data controller, engages another processor to carry out a specific personal data processing activity. It is signed between the processor and its sub-processor.
Essential clauses to be included in a Sub-Processing Agreement (SPA)
For the purposes of compliance with the requirements of the GDPR, and to regulate the processing of the data subjects’ personal data by the sub-processors, the following clauses should be included in the SPA.
- Scope of Work
Any SPA should first and foremost lay down the obligations of the parties involved in the processing of personal data. The clause should mention the categories of personal data, the nature and purpose of the processing, and the duration for which the data will be processed by the sub-processor. A sample scope of work clause may read as follows:
“The Sub-Processor shall process the Personal Data in connection with providing services to the Data Processor. Personal Data shall include IP address, machine names, usernames, location, software, and hardware details. The Sub-Processor shall collect, analyse and store the Personal Data for the specific purposes set forth by the Data Processor under the authority of the Data Controller in this SPA, for the duration of this SPA or until terminated whichever is earlier.”
- Confidentiality
While entering into an agreement for data processing, the lead or initial processor should ensure that the sub-processor maintains the confidentiality of the personal data shared with it by the data controller and the data processor. Every SPA should include a confidentiality clause which states:
“The Sub-Processor shall take utmost care and reasonable steps to ensure that its personnel authorized to process the Personal Data on its behalf are subject to confidentiality obligations with respect to that Personal Data.”
- Safety and Security
All sub-processors must implement adequate technical and organisational measures, in compliance with the GDPR, to safeguard the personal data that they are processing.
“The Sub-Processor agrees to implement appropriate organisational and technical measures to protect against the loss, alteration or destruction of, or unlawful access to, the Personal Data, including the measures stated in Article 32 of the GDPR. Where the Sub-Processor fails to fulfil its Personal Data safety and security obligations, the Sub-Processor shall remain fully liable to the Data Processor. Further, the Sub-Processor shall promptly notify the Data Processor of any confirmed safety and security breach incident, as per its obligations under the GDPR.”
- Obligation to Assist
Data processors should include a clause securing the necessary cooperation from the sub-processor in relation to the fulfilment of the data processor’s obligations under the GDPR. It should thus include:
“The Sub-Processor shall provide the Data Processor and the Data Controller with the reasonable assistance and cooperation necessary for the fulfilment of the Data Processor’s and Data Controller’s obligations in responding to the requests of Data Subjects, keeping the Personal Data secure, conducting periodic data protection impact assessments and conducting audits in compliance with the provisions of the GDPR.”
- Protocol with regards to Personal Data
Parties to the SPA must decide on the arrangement regarding the personal data being processed once the duration of the SPA is over or the SPA is terminated. The clause must specify how the data is to be handled thereafter. “Upon the expiry or termination of the SPA, the Sub-Processor shall delete and/or return, at the Data Processor’s and Data Controller’s election, all the Personal Data in the possession or control of the Sub-Processor. The Sub-Processor may retain the Personal Data only if mandated under any act, legislation or other applicable law in force at that time. The Sub-Processor shall not retain the Personal Data for any other purpose.”
- Approval for Engaging Further Sub-Processors and Transfers
The SPA must be drafted to require that the sub-processor obtain the necessary approvals and permissions, in writing, from the data processor and the data controller prior to engaging a new sub-processor or transferring personal data to a third country or an international organisation.
“The Sub-Processor shall obtain the written consent of the Data Processor and the Data Controller in the event that it engages a new sub-processor and/or replaces an existing sub-processor. The Sub-Processor shall further obtain the prior written permission or consent of the Data Processor and the Data Controller before it transfers the Personal Data to, or shares it with, an international organisation or a foreign country.”
The General Data Protection Regulation requires that parties who process personal data provide adequate safeguards and security in accordance with the provisions of the legislation. These contracts make it possible to show that the data sub-processors understand their obligations and responsibilities and agree to comply with the relevant requirements under the legislation.