Data Processing Agreement under the GDPR

In May 2018, the General Data Protection Regulation (GDPR) came into effect. This regulation is designed to protect the privacy of personal data of individuals within the European Union (EU) and European Economic Area (EEA). One of the key requirements set out in the GDPR is the need for data controllers and data processors to enter into a Data Processing Agreement (DPA).

What is a Data Processing Agreement?

A DPA is a legally binding agreement between a data controller and data processor that sets out the terms and conditions of how personal data will be processed. It outlines the responsibilities and obligations of both parties and ensures that data processing is carried out in compliance with the GDPR.

The purpose of a DPA is to hold data processors accountable for their actions and to protect the rights of data subjects. It sets out the responsibilities of the data processor, which include how the data will be processed, the security measures that will be put in place, and the procedures for dealing with data breaches.

What are the key provisions of a DPA?

A DPA should include the following provisions:

1. Purpose and duration – The agreement should set out the purpose for which the data is being processed and the duration for which it will be retained.

2. Processing instructions – The DPA should set out the instructions for data processing and the means by which they will be carried out.

3. Confidentiality – The agreement should include a confidentiality clause that prohibits the data processor from disclosing any information without the consent of the data controller.

4. Security measures – The DPA should set out the security measures that will be put in place to protect the data, including technical and organizational measures.

5. Data breaches – The agreement should set out the procedures to be followed in the event of a data breach, including notification requirements.

6. Sub-processing – If the data processor intends to use sub-processors, the DPA should set out the requirements for doing so.

7. Rights of data subjects – The agreement should set out the procedures for dealing with data subject requests, including access, rectification, and erasure.

Why is a DPA important?

A DPA is important because it ensures that data processors are held accountable for their actions and that the rights of data subjects are protected. It also ensures that data processing is carried out in compliance with the GDPR and sets out the responsibilities and obligations of both parties.

Failure to enter into a DPA can result in significant fines and reputational damage. It is therefore important for data controllers to only work with data processors that are willing to enter into a DPA and to ensure that the agreement is properly drafted and executed.

Conclusion

A DPA is an important component of GDPR compliance. It ensures that data processing is carried out in a manner that is compliant with the GDPR and protects the rights of data subjects. Data controllers should ensure that they only work with data processors that are willing to enter into a DPA and should seek legal advice when drafting and executing the agreement.
