Data Processing Agreement

Legal Background

Governing Laws
  1. GDPR (General Data Protection Regulation)
    Minimum information

    GDPR Article 28, Section 3 lists the clauses that must appear in a data processing agreement for it to be fully compliant:

    • The processor agrees to process personal data only on written instructions of the controller.
    • Everyone who comes into contact with the data is sworn to confidentiality.
    • All appropriate technical and organizational measures are used to protect the security of the data.
    • The processor will not subcontract to another processor unless instructed to do so in writing by the controller, in which case another DPA will need to be signed with the sub-processor (pursuant to Sections 2 and 4 of Article 28).
    • The processor will help the controller uphold their obligations under the GDPR, particularly concerning data subjects’ rights.
    • The processor will help the controller maintain GDPR compliance with regard to Article 32 (security of processing) and Article 36 (consulting with the data protection authority before undertaking high-risk processing).
    • The processor agrees to delete all personal data upon the termination of services or return the data to the controller.
    • The processor must allow the controller to conduct an audit and will provide whatever information is necessary to prove compliance.


    Imperative provisions? Yes
    Objective pursued / Protected part

    Achieve GDPR compliance / Allocate obligations between the two parties regarding the processing of personal data / Define their respective roles.

    Factual Background

    When such a document is made

    What Is A Data Processing Agreement?

    As part of your business or your enterprise, you may rely on a third party to process personal data on your behalf (typically a data processor is another company you use to help you store, analyze, or communicate personal information), or you may process personal data as a service for a client. To achieve GDPR compliance, you must have a data processing agreement between both parties. This agreement is a legally binding contract that sets out the rights and obligations of each party concerning the protection of personal data.

    Who Should Have A Data Processing Agreement?

    If you’re a business owner subject to the GDPR, it is in your interest to have a data processing agreement in place: first of all, it is required for GDPR compliance, but the agreement also gives you guarantees that the data processor you’re using is qualified and capable.

    GDPR compliance requires data controllers (the business relying on a third party to process personal data) to sign a data processing agreement with any party that acts as a data processor on their behalf. “Processing” essentially refers to anything a third party can possibly do with personal data: collecting it, storing it, monetizing it, destroying it, etc.

    For example, if you are a company and you share information about clients via encrypted email, then that encrypted email service is a data processor. Or if you use a service such as Google Analytics to analyze traffic on your website, Google Analytics would also be a data processor. It is basically any company offering you a service to process personal data that you are not processing yourself internally.

    What Are The Risks If I Don’t Have A Data Processing Agreement?

    The GDPR has applied since 2018. Having a data processing agreement is mandatory if you are a business subject to the GDPR that processes personal data through third parties. National data protection authorities are paying close attention to the enforcement of the GDPR and have been issuing penalties in many EU countries. Small and medium-sized businesses are also screened regarding these obligations. Rather than running the risk of a high fine, it takes far less effort to sign a data processing agreement governing responsibilities for the processing of personal data.
