In the six years since the GDPR came into force, the approach to data processing agreements (DPAs) has evolved, with clear themes on the provisions that companies tend to negotiate and more standard market practice approaches to others. In this article we look at the things to think about when drafting or negotiating a DPA.
What is a DPA?
A processor is an entity that processes personal data on behalf of, and on the instructions of, the controller, which is the entity that decides the purposes and means of the processing. Article 28 of the GDPR requires a written contract (which may be in electronic form) to be in place between a controller and each of its processors, and sets out minimum provisions that contract must contain.
Things to think about generally when entering into a DPA:
- Use Article 28 of the GDPR as a checklist to ensure all the mandated provisions are included in the DPA.
- Make sure your DPA clearly spells out the roles of each party in relation to the processing activities. A party can be a processor for some processing purposes and a controller for others.
- Decide whether the DPA should cover the position on the liability of the parties under the DPA, or whether it should be dealt with in the main agreement.
- Does the DPA state which party will cover the costs of providing assistance to the other party in relation to data protection matters (eg responding to data subjects' rights requests, personal data breaches)?
- If there are any transfers of personal data outside the UK or EEA under the agreement to a country without an adequacy decision, you will usually need to incorporate a transfer mechanism into the DPA: the EU standard contractual clauses for transfers from the EEA, and the ICO's International Data Transfer Agreement or its Addendum to the EU clauses for transfers from the UK.
If you are a controller:
- Decide whether you will contract on your own DPA or on the other party's standard terms. You may not have much choice when using big service providers that insist on their own terms, but if the processing is higher risk or part of a more bespoke project, you may need to push for more stringent terms.
- Ensure that you have conducted appropriate due diligence on your processors: Article 28(1) only permits you to use processors that provide sufficient guarantees that they will meet the GDPR's requirements.
- Check what the DPA says about the processor's use of sub-processors, whether you have the right to see a list of the sub-processors that your processor engages, and whether you will be notified of intended changes to that list in time to object.
- Ideally the DPA would require the processor to have appropriate insurance in place to cover things like cyber incidents.
- Make sure the DPA specifies security measures appropriate to the level of risk involved in the processing.
If you are a processor:
- Ideally you would want to have general authorisation to use your sub-processors without needing to ask for specific permission from the controller each time you engage one. Note that Article 28(2) still requires you to inform the controller of intended additions or replacements and give it the opportunity to object.
- Make sure you can adhere to any timeframes set out in the DPA (eg 24 hours for reporting breaches to your customer, which is tighter than the GDPR's own "without undue delay" standard for processor notifications).
- Make sure you can implement the security provisions required by the controller.
- Consider whether you need to use any of the personal data for your own purposes (eg for product improvement, analytics or training any AI models), and if so, make sure that is provided for in the DPA or the main agreement. Bear in mind that for any such processing you will be acting as a controller in your own right, not as a processor, with the corresponding obligations.
If you need any assistance with DPAs, please contact us.