Legal Background
Minimum information | GDPR Article 28, Section 3 lists the mentions that are required in a data processing agreement to be fully compliant:
|
Imperative provisions? | Ja |
Objective pursued / Protected part | Achieve GDPR compliance / Allocate obligations between the two parties regarding the processing of personal data / define their respecting role. |
Factual Background
When such a document is made | What Is A Data Processing Agreement?As part of your business or your entreprise, you may rely on a third-party to process personal data on your behalf (typically a data processor is another company you use to help you store, analyze, or communicate personal information) or you may process personal data as a service for a client. To achieve GDPR compliance, you must have a data processing agreement between both parties. This agreement is a legally binding contract that provides the rights and obligations of each party concerning the protection of personal data. Who Should Have A Data Processing Agreement?If you’re a business owner subject to the GDPR, it is in your interest to have a data processing agreement in place: first of all, it is required for GDPR compliance, but this agreement also gives you guarantees that the data processor you’re using is qualified and capable.GDPR compliance requires data controllers (the business relying on a third-party to process personal data) to sign a data processing agreement with any parties that act as data processors on their behalf. "Processing" essentially refers to anything a third-party can possibly do with personal data: collecting it, storing it, monetizing it, destroying it, etc.For example, if you are a company and you share information about clients via encrypted email, then that encrypted email service is a data processor. Or if you use a service as Google Analytics to analyze traffic on your website, Google Analytics would also be a data processor. It is basically any company offering you a service to process personal data you are not processing yourself internally.What Are The Risks If I Don't Have A Data Processing Agreement?GDPR applies since 2018. Having a data processing agreement is mandatory if you are a business subject to the GDPR processing personal data through third-parties. National data protection authorities are being really attentive to the enforcement of GDPR and have been issuing penalties in lots of EU countries. Small and medium-sized businesses are also screened regarding these obligations. Instead of running the risk of a high fine, it is a lesser effort to sign a data processing agreement governing responsabilities regarding the processing of personal data. |
Please note that this knowledge portal is still under development.