What is a Data Processing Agreement?
A Data Processing Agreement (DPA) is a legally binding document that regulates any personal data processing conducted for business purposes between an organization (data controller) and a third-party service provider (data processor).
The European GDPR prescribes Data Processing Agreements for organizations that process the personal data of EU citizens and residents whenever they use a third-party processor, and it defines the roles and obligations of both controller and processor.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) data privacy law that went into effect in 2018.
Its primary aim is to provide individuals more control over how their data is collected, used, and protected online and to simplify the regulatory environment for international businesses. The GDPR binds organizations to strict rules about using and securing the personal data they collect.
It also forbids the transfer of personal data of EU data subjects outside the European Economic Area unless appropriate safeguards are adopted. Organizations that don’t comply face heavy penalties of up to 4% of their global annual revenue or 20 million Euros, whichever is higher.
Does the GDPR apply to companies outside of Europe?
Under certain conditions, the GDPR applies to companies that are not in Europe. If you are a company with more than 250 employees, and you answer “yes” to any of the below, the GDPR likely applies to your organization:
1. Your company is not in the European Union (EU), but you cater to EU customers.
- For example, you create ads in a European language (e.g., German, Spanish) or include pricing in Euros on your website.
- Occasional instances of sales to European customers may not subject you to the GDPR.
2. Your company uses web tools that allow you to track cookies or the IP addresses of people who visit your website from EU countries.
- For example, you may be a US web development company based in New York. But if you track and analyze EU visitors to your company’s website, you may be subject to the provisions of the GDPR.
If your organization has fewer than 250 employees or you are not engaged in a “professional or commercial activity,” the GDPR may not apply to you. If you are unsure whether the GDPR applies to your organization, it’s recommended that you contact a privacy lawyer.
Do you need a Data Processing Agreement?
If your organization is subject to the GDPR, you must have a written Data Processing Agreement (DPA) in place with any parties that process personal data on your behalf (these third parties are known as “data processors”).
For example, if you use a cloud storage service provider or an encrypted email service provider to share information with your clients, you must have a DPA in place with that provider.
In a nutshell, a DPA is a legally binding contract that sets the rights and obligations of each party concerning the protection of personal data.
There are several benefits to having a proper DPA in place with your data processors:
- It is the law! If you are subject to the GDPR and don’t have a DPA, you may be subject to GDPR fines of up to €20 million or 4% of the company’s global revenue.
- It provides your organization (and the customers you serve) the assurance that the data processor you use is qualified and has the expert knowledge and resources to implement the technical and organizational measures required to securely process your customers’ personal data.
What do you need to include in a DPA?
Article 28 of the GDPR specifies what needs to be included in the DPA. At a minimum, the DPA should set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.
GDPR.eu provides a helpful summary of the eight topics that need to be covered in the DPA and a template you can download:
- The data processor agrees to process personal data only on documented written instructions of the controller (i.e., your organization).
- Everyone who processes personal data is committed to confidentiality.
- The processor will implement all appropriate technical and organizational measures to protect the security of the data.
- The processor will not subcontract to another processor unless instructed to do so in writing by the controller, in which case another DPA will need to be signed with the sub-processor.
- The processor will help the controller uphold its obligations under the GDPR, particularly concerning data subjects’ rights.
- The processor will help the controller maintain GDPR compliance with regard to Article 32 (security of processing) and Article 36 (consulting with the data protection authority before undertaking high-risk processing).
- The processor agrees to delete all personal data upon the termination of services or return the data to the controller.
- The processor must allow the controller to conduct an audit and will provide whatever information is necessary to prove compliance.