Data Processing Agreement (DPA)

It is practically impossible to run a business without processing personal data and exchanging it with other businesses. The counterpart may be website analytics software, cloud storage, a CRM or a marketing platform, and whether you are a controller, processor, sub-processor or joint controller, you have to put a lawful Data Processing Agreement (DPA) in place with the party you exchange personal information with.

GDPR does not impose legal restrictions on the form of the Data Processing Agreement; however, there are standard contractual clauses widely used by EU companies. Considering the complexity of the task, it is advisable to have the data processing agreement as a separate document.

Do I need to have a Data Processing Agreement?

If you exchange personal data with other parties, you should have a Data Processing Agreement in place. Articles 28 through 36 of the GDPR cover the requirements for data processing and data processing agreements. Let’s take a closer look at the specific responsibilities of the different roles.

Controller

The controller is responsible for establishing a lawful data process and observing the rights of data subjects. The controller defines how data processing takes place and under what conditions. The controller must have a data processing agreement with its processors.

Processor

The data processor must handle the data exclusively in the manner demanded by the controller. The processor:

  • must have adequate information security in place
  • must not use sub-processors without the knowledge and consent of the controller
  • must cooperate with the authorities in the event of an enquiry
  • must report data breaches to the controller as soon as it becomes aware of them
  • must give the controller the opportunity to carry out audits examining its GDPR compliance
  • must help the controller comply with data subjects’ rights
  • must assist the controller in managing the consequences of data breaches
  • must delete or return all personal data at the end of the contract, at the choice of the controller
  • must inform the controller if the processing instructions infringe GDPR

Sub-processor

A sub-processor performs data processing on behalf of the processor. Data processors should have a data processing agreement with any sub-processors they use. The processor shouldn’t engage sub-processors without the prior consent of the controller.

Joint Controller

Article 26 defines joint controllers as two or more controllers jointly determining the purposes and means of processing. Regardless of those arrangements, each controller remains responsible for complying with all the obligations of controllers under the GDPR. Joint controllers are not required to have a contract, but they must have a transparent arrangement that sets out their agreed roles and responsibilities. Such information should be available to data subjects.

What should be included in a data processing agreement?

Articles 28 through 36 of the GDPR set the conditions for the exchange and processing of personal data between controllers and processors. Here are the most important subjects you have to cover in your data processing agreement.

  • Personal information processed under the contract
  • For how long that information will be processed and when it should be deleted or anonymised
  • Reasons and legal basis of personal data processing
  • The rights and responsibilities of the data controller and processor
  • The processor must act in accordance with written instructions of the controller
  • Confidentiality of processed personal data
  • Obligation to have adequate information security in place, technical and organisational measures to be met
  • The requirement to use sub-processors only with the data controller’s knowledge and consent. The processor must provide a list of sub-processors for the controller’s approval.
  • Processors have to report data breaches to the controller as soon as they become aware of them, without undue delay
  • The processor should allow the data controller to carry out audits examining their compliance
  • Cooperation of controller and processor for the purpose of resolving subject access requests
  • Cooperation of controller and processor for the purpose of protecting the rights and privacy of data subjects
  • Data processors should assist data controllers in data protection impact assessments where applicable
  • Data processors should delete or return the personal information after the end of the contract at the choice of controller
  • If required by GDPR, the data processor shall appoint a Data Protection Officer
  • The data processor shall keep records of processing activities
  • The processor must inform the controller if the processing instructions infringe GDPR
  • Procedures for periodic review
