Data Processing Agreements (DPAs)

In today’s digital age, businesses often rely on third-party services, like cloud storage or email clients, to handle personal data. The term “processing” encompasses various actions such as collecting, storing, and utilizing personal information. 

When Is a Data Processing Agreement Required? 

For companies subject to European privacy laws, specifically the General Data Protection Regulation (GDPR), having a data processing agreement with service providers is not just a best practice but a legal requirement. Not having a data processing agreement in place exposes businesses to the risk of non-compliance with GDPR regulations, leading to potential legal consequences. 

What is a Data Processing Agreement?  

A data processing agreement is a legally binding contract outlining the rights and obligations of each party concerning the protection of personal data. GDPR compliance mandates that data controllers sign such agreements with any parties acting as data processors on their behalf. A data processor is typically another company providing services like storage, analysis, or communication of personal information. 

A DPA must specify the subject matter and duration of processing, the nature and purpose of the processing, the type of personal data, and the obligations and rights of the controller. 

The GDPR (Recital 81) further emphasizes that controllers should only entrust processors with activities if they provide sufficient guarantees in terms of knowledge, reliability, and resources to meet GDPR requirements, especially regarding the security of processing. 

Key Components of a Data Processing Agreement 

The following are eight key areas that must be covered in data processing agreements: 

  1. Processor Instructions: The processor agrees to process personal data only based on written instructions from the controller. 
  2. Confidentiality: Everyone handling the data must adhere to confidentiality agreements. 
  3. Security Measures: Processors must implement all appropriate technical and organizational measures to safeguard data security. 
  4. Subcontracting: The processor cannot subcontract to another processor without written instructions from the controller (defined as an entity which, alone or jointly with others, determines the purposes and means of the processing of personal data), necessitating a separate agreement with the sub-processor. 
  5. Support for Controller’s Obligations: Processors must assist the controller in upholding GDPR obligations, especially regarding data subjects’ rights. 
  6. GDPR Compliance Support: Requires processors to aid the controller in maintaining GDPR compliance, particularly concerning Article 32 (security of processing) and Article 36 (consulting with the data protection authority before high-risk processing). 
  7. Data Deletion or Return: Processors should agree to delete personal data upon service termination or returning it to the controller. 
  8. Audit and Compliance Proof: Processors must allow the controller to conduct an audit and providing necessary information to prove compliance. 

Understanding the GDPR 

The GDPR, effective since May 25, 2018, is a data privacy law designed to empower individuals with more control over how their data is collected, used, and protected online. Organizations must adhere to strict rules governing the use and security of personal data, with penalties for non-compliance reaching up to 4% of global annual revenue or €20 million. 

The Extraterritorial Reach of GDPR 

Contrary to common belief, the GDPR isn’t confined to EU-based organizations. Its “extra-territorial effect” means it applies to any entity handling data belonging to EU citizens and residents. This extends beyond the EU’s borders, affecting organizations worldwide and it is part of cross-border privacy.

Key Sections of GDPR’s Territorial Scope (Article 3 of GDPR) 

  1. Establishments in the EU: The GDPR applies to data processing activities of an establishment in the EU, regardless of where the processing occurs. 
  2. Non-EU Controllers or Processors: If a non-EU controller or processor handles the personal data of individuals in the EU, the GDPR applies under two conditions: 
  • Offering goods or services to EU data subjects. 
  • Monitoring the behavior of EU data subjects, especially online. 
  1. Member State Law Application: The GDPR applies to data processing by a controller not established in the EU but subject to Member State law by virtue of public international law. 

Scenarios Triggering GDPR Compliance Outside Europe 

1. Offering Goods or Services 

The internet’s global reach makes goods and services accessible worldwide. The GDPR applies if an organization intentionally targets EU customers, evidenced by actions like creating ads in European languages or pricing in euros on their website. 

2. Monitoring Behavior 

If an organization tracks cookies or IP addresses of EU visitors through web tools, GDPR compliance is triggered. While the enforcement of this provision remains uncertain, organizations using such tools should be mindful of potential obligations. 

Exceptions to the Rule 

Two notable exceptions exist: 

  1. Purely Personal or Household Activity: The GDPR doesn’t apply to activities of a purely personal or household nature, excluding informal gatherings or personal endeavors. 
  1. Small- and Medium-Sized Enterprises (SMEs): Organizations with fewer than 250 employees are not entirely exempt but enjoy relief from certain record-keeping obligations. 

A data processing agreement template can be a valuable tool in navigating the complexities of these agreements.  Ensuring that your organization has a well-drafted and comprehensive data processing agreement template in place is essential for GDPR compliance and protecting the rights of data subjects. 

Why is a DPA important? 

Consequences of Non-Compliance 

The GDPR’s enforcement has seen data protection authorities issuing penalties, even to small- and medium-sized businesses. Fines under GDPR can reach up to €20 million or 4% of the company’s global revenue. Two tiers of fines exist, with the first tier, applicable to violations related to data processors, potentially reaching €10 million or 2% of global revenue. 

In conclusion, businesses subject to GDPR must prioritize establishing data processing agreements with their service providers to ensure compliance. These agreements not only outline responsibilities but also serve as a safeguard against potential fines and demonstrate a commitment to protecting individuals’ personal data. As the digital landscape continues to evolve, understanding and implementing GDPR requirements will remain crucial for businesses aiming to navigate the complex world of data processing responsibly. 

Contact Roberts & Obradovic Law for Help 

At Roberts & Obradovic Law, we advise Canadian and international clients on privacy and data protection requirements. Our Privacy Lawyers guide organizations in assessing the impacts of privacy and access to information obligations on their businesses and implementing measures to reduce risks. We offer practical, strategic, and cost-effective solutions to privacy and freedom of information issues. 

If you are an organization handling data on EU residents that needs a Data Processing Agreement (DPA) for GDPR compliance or if you simply want to put in place a DPA that outlines clear terms of your data relationships, our data processing agreement template helps businesses navigate the complex world of data processing by outlining the rights and obligations of parties with respect to the processing of personal data.