It is practically impossible to run a business without processing personal data and exchanging it with other businesses. Whether the other party is a website analytics service, cloud storage, a CRM or a marketing platform, and whether you are a controller, processor, sub-processor or joint controller, you have to put a lawful Data Processing Agreement (DPA) in place with the party with which you exchange personal information.
The GDPR does not impose legal restrictions on the form of the Data Processing Agreement; however, there are standard contractual clauses that are widely used by EU companies. Considering the complexity of the task, it is advisable to keep the data processing agreement as a separate document.
Do I need to have a Data Processing Agreement?
If you exchange personal data with other parties, you should have a Data Processing Agreement in place. Articles 28 through 36 of the GDPR cover the requirements for data processing and data processing agreements. Let's look more specifically at the responsibilities of the different roles.
The data processor must handle the data exclusively in the manner instructed by the controller. In addition, the processor:
- must have adequate information security in place
- must not use sub-processors without the knowledge and consent of the controller
- must cooperate with the authorities in the event of an enquiry
- must report data breaches to the controller as soon as it becomes aware of them
- must give the data controller the opportunity to carry out audits examining its GDPR compliance
- must help the controller to comply with data subjects' rights
- must assist the data controller in managing the consequences of data breaches
- must delete or return all personal data at the end of the contract, at the choice of the controller
- must inform the controller if the processing instructions infringe the GDPR
What should be included in a data processing agreement?
Articles 28 through 36 of the GDPR set the conditions for the exchange and processing of personal data between controllers and processors. Here are the most important subjects you have to cover in your data processing agreement.
- The personal information processed under the contract
- For how long that information will be processed and when it must be deleted or anonymised
- The purposes and legal basis of the personal data processing
- The rights and responsibilities of the data controller and the data processor
- The requirement that the processor act only in accordance with the written instructions of the controller
- Confidentiality of the processed personal data
- The obligation to have adequate information security in place, including the technical and organisational measures to be met
- The requirement to use sub-processors only with the data controller's knowledge and consent; the processor must provide a list of sub-processors for the controller's approval
- The obligation of the processor to report data breaches to the controller as soon as it becomes aware of them, without undue delay
- The obligation of the processor to allow the data controller to carry out audits examining its compliance
- Cooperation between controller and processor for the purpose of resolving data subject access requests
- Cooperation between controller and processor for the purpose of protecting the rights and privacy of data subjects
- The obligation of the processor to assist the controller with data protection impact assessments where applicable
- The obligation of the processor to delete or return the personal information after the end of the contract, at the choice of the controller
- The appointment of a Data Protection Officer by the processor, where required by the GDPR
- The obligation of the processor to keep records of processing activities
- The obligation of the processor to inform the controller if the processing instructions infringe the GDPR
- Procedures for periodic review