To protect personal data, the European Union (EU) has implemented a rigorous privacy and security law known as the General Data Protection Regulation (GDPR). The GDPR defines and enforces the rights of individuals in the EU (data subjects, regardless of citizenship) regarding their personal data, and it sets standards for accountability, security, and transparency in the use of that data.
Global companies that operate in the European Union or handle personal data from the EU need to understand how the GDPR will affect them and how to maintain GDPR compliance.
One aspect of that compliance is implementing a data processing agreement (DPA). A GDPR data processing agreement specifies the details, rules, rights, and obligations associated with data processing carried out by one party on another's behalf. It helps keep the company compliant, the data secure, and the individuals whose data is processed protected.
This guide provides a closer look at how DPAs work and what to include in a DPA.
What is a DPA under the GDPR?
A data processing agreement is a contract (or another binding legal act under EU or member state law) between a data controller and the data processor that will handle personal data on the controller's behalf. Article 28(3) of the GDPR requires one whenever a processor is engaged, so it is a prerequisite for full GDPR compliance.
A DPA lays out the subject matter, nature, purpose, and duration of the processing that will take place. It also specifies the type of personal data to be processed and the categories of individuals the data belongs to. It defines the rights and obligations of the controller and the obligations the processor takes on. It can specify the technical security measures, such as a particular standard of encryption, that must be in place.
A DPA is legally binding. Both the controller and the processor must abide by it; processing without one, or outside its terms, exposes both parties to corrective measures and fines under the GDPR.
The main benefit of a DPA is that it documents the processor's obligations and gives the controller a contractual basis for verifying them. Article 28(1) allows controllers to use only processors that provide sufficient guarantees of appropriate technical and organizational measures, and the DPA is where those guarantees are written down, audited, and enforced. Companies need to know their data is in good hands and that it is private and secure from prying eyes. A DPA helps provide those assurances.
The GDPR and its DPA requirements are likely to have significant impacts on business operations in the future. Business transactions may change as personal data collection becomes more limited, communication about data collection and storage becomes essential, and third-party vendor relationships require more rigorous contracts. Individual companies and their HR departments will feel extensive impacts as they adapt their processes to comply with GDPR requirements.
The upside of the GDPR requirements is that trust may flourish in business as people become more confident in their data’s privacy and protection.
When is a data processing agreement required?
Do you need a data processing agreement? You do if you engage another party to process personal data on your behalf, or process it on someone else's behalf, and the GDPR applies to that processing.
Under the GDPR, a DPA is mandatory whenever a controller engages a third party to process personal data on its behalf, whatever the service involved. Every party that acts as a processor must have a DPA with the controller, and a processor that engages a sub-processor must put an equivalent contract in place with it (Article 28(4)).
For example, a service that hosts a website in the EU must have a DPA with the company the website belongs to, and an agency that processes personal data to run targeted marketing on behalf of a client must have one with that client.
Below are several other common business services and scenarios that require DPAs:
- Email management outsourcing
- Technical data processing solutions for financial and payroll accounting
- Data backup services, either via physical servers or in the cloud
- Data collection or digitizing through an external service provider
- Disposal of old hardware containing sensitive data
In some instances, the GDPR requires DPAs of companies outside Europe, because the regulation's territorial scope (Article 3) follows the data rather than the company's location. For example, a company located in Canada that backs up customer records for an EU-established company is that company's processor, and the EU company must have a DPA with it under Article 28 whether or not the Canadian company has any EU presence. The Canadian company can also fall within the GDPR's scope in its own right under Article 3(2) if its processing relates to offering goods or services to, or monitoring the behavior of, individuals in the EU. The test is the location of the data subjects in the EU, not their citizenship.
When is a DPA not required?
Several scenarios do not call for a DPA, not because the data is unprotected but because the other party is not acting as a processor. A DPA governs the controller-processor relationship; where the other party determines the purposes and means of processing itself, it is a controller (or a joint controller) and a different instrument applies. Consider the following so you can better understand your company's obligations in these circumstances:
- Independent professionals bound by confidentiality: Lawyers, tax consultants, financial auditors, and healthcare providers decide for themselves how to process the personal data they receive in order to carry out their professional duties, so they act as controllers in their own right rather than as processors. Their processing is governed by the GDPR directly and by their professional secrecy obligations, not by a DPA with the client. The same provider becomes a processor, and needs a DPA, if it takes on a task performed purely on the client's instructions, such as payroll processing by an accounting firm.
- Portal and matchmaking services: A service that merely connects people or entities, such as a recruiter that introduces candidates to hiring companies, typically decides for itself what data it collects and how it uses it, and is therefore a controller. The company receiving a candidate's details becomes a separate controller for its own processing. Because neither party processes on the other's instructions, a DPA between them is not the right instrument.
- Debt collection agencies: Collection agencies gain access to personal financial information and sometimes health-related information. An agency that purchases a debt and pursues it for its own gain decides how to process the debtor's data and is therefore a controller, not a processor, so no DPA is required, although the agency carries its own GDPR obligations. If the agency instead collects on behalf of the original creditor and follows the creditor's instructions, it is a processor and a DPA is required.
- Joint controllership: In some cases, several companies jointly determine the purposes and means of processing a shared data set, for example data about suppliers, products, or sales leads to which they all have access. Though the companies may be competitors, they use the same data for the same general purposes, which makes them joint controllers under Article 26. What they need is not a DPA but a transparent joint-controller arrangement that allocates their respective responsibilities, in particular for handling data subject rights and providing transparency information.
- Clinical trials: Large clinical pharmaceutical trials involve sponsors, investigator sites, and research centers that each process subject data for their own purposes and by their own means. Where a party determines purposes and means, it is a controller or joint controller, and the relationship is governed by a controller-to-controller or joint-controller arrangement rather than a DPA. That does not remove DPAs from trials altogether: a contract research organization, laboratory, or software vendor that processes trial data only on the sponsor's instructions is a processor and needs one.
Who is the data controller?
Every DPA is between a data controller and a data processor. The data controller is the organization or individual that determines the purposes and means of processing personal data, that is, why and how it is processed. If your company decides to send data to a third party for backup on its servers, your company is the data controller.
The defining characteristic of a data controller is decision-making power. The data controller makes the overarching determinations about the reasons for collecting personal data and the ways in which it should be processed; a party that only carries out those decisions is not a controller.
In most scenarios, a company or organization is the data controller. The data processor is a separate entity that contracts with the company. An individual such as a sole proprietor or self-employed worker may also be a data controller if that person makes decisions about collecting and processing personal data.
Who is the data processor?
The data processor is the third party that processes the data for a data controller. In the scenario above, if your company decides to send your data out for backup, the company that provides the backup services is the data processor.
The data processor can take many forms. It may be a company, an individual, or a public authority. The relevant criterion is whether or not that individual or entity processes data on behalf of a data controller.
What does a DPA document include?
Article 28(3) of the GDPR sets out the minimum content of a DPA, and Articles 28 through 36 describe the underlying controller and processor obligations the agreement must reflect (security of processing, breach notification, data protection impact assessments, and prior consultation). Below are the required DPA clauses:
1. A thorough breakdown of the details of data handling
The DPA should give comprehensive details about how every aspect of data processing will occur. The DPA should include clear information about topics like:
- The type of personal data to be processed
- The subject matter of the data
- The categories of the data subjects
- The purpose and nature of the processing
- The expected duration of data processing
- The legal basis for the processing (a controller responsibility that Article 28(3) does not require in the DPA, but that many agreements record for context)
- The return or deletion of the personal data at the end of the service, at the controller's choice, unless EU or member state law requires the processor to retain it
2. The data controller’s and processor’s rights and responsibilities
In specifying the rights and responsibilities for both parties, the DPA ensures clarity about who controls the data handling.
The DPA should explicitly state that the data processor must perform the processing according to the data controller's documented instructions. It should specify that the controller, not the processor, determines the purposes and means of processing. This matters beyond contract drafting: under Article 28(10), a processor that starts deciding purposes and means for itself is treated as a controller for that processing, with a controller's full liability.
The DPA should direct the data processor to process the data only on the data controller's documented instructions, deviating from them only when EU law or a member state's law requires it. In that case the processor must inform the controller of the legal requirement before processing, unless the law prohibits doing so on important grounds of public interest. The processor must also immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other data protection law.
3. Required confidentiality measures for the data processor
The DPA should specify the protocols the data processor should follow to ensure confidentiality of the personal data.
For example, the DPA must oblige the processor to ensure that everyone it authorizes to process the data, including permanent employees, temporary staff, and subcontractors, has committed to confidentiality (typically by signing a confidentiality agreement) before processing begins. The only case in which a separate confidentiality agreement is unnecessary is where the person is already under an appropriate statutory obligation of confidentiality (Article 28(3)(b)).
4. Required technical and organizational protocols for information security
The DPA should outline the security measures the data processor must implement. Article 32 requires measures appropriate to the risk, taking into account the state of the art and the cost of implementation, and lists the following as examples to include when appropriate:
- Encryption of personal data
- Pseudonymization of personal data
- Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of the processing systems and services
- The ability to restore the availability of and access to personal data in a timely manner after a physical or technical incident
- A process for regularly testing, assessing, and evaluating the effectiveness of these measures
Article 28(5) lets processors demonstrate sufficient guarantees by adhering to an approved code of conduct (Article 40) or an approved certification mechanism (Article 42). Such adherence is evidence that the processor's practices meet the GDPR; it does not replace the DPA or the measures themselves.
5. Terms for any subcontractor contracts
The DPA should also set out the rules the data processor must follow when it engages sub-processors (Article 28(2) and 28(4)):
- Engaging a sub-processor only with the controller's prior written authorization, which may be specific to each sub-processor or general
- Putting a contract in place that imposes on the sub-processor the same data protection obligations the processor itself has under the DPA, in particular the obligation to provide sufficient guarantees of appropriate technical and organizational measures
- Remaining fully liable to the controller for the sub-processor's performance of those obligations
- Where general authorization is used, informing the controller of any intended addition or replacement of sub-processors and giving the controller the opportunity to object
6. Cooperation obligations for the data processor
The DPA should specify when and how the data processor must cooperate with the data controller. Most of the obligations in Chapter III and Chapter IV of the GDPR rest on the controller, so the DPA must commit the processor to assisting with them, taking into account the nature of the processing and the information available to it:
- Assisting the controller in responding to data subject requests (access, rectification, erasure, restriction, portability, and objection)
- Assisting the controller in ensuring the security of processing under Article 32
- Notifying the controller without undue delay after becoming aware of a personal data breach (Article 33(2)); it is the controller, not the processor, that notifies the supervisory authority and, where required, the data subjects
- Assisting the controller with data protection impact assessments (DPIAs) under Article 35
- Assisting the controller with prior consultation of the supervisory authority under Article 36 where a DPIA indicates a high residual risk
The data processor must also make available to the controller all information necessary to demonstrate compliance with Article 28, and must allow for and contribute to audits, including inspections, conducted by the controller or by an auditor the controller mandates.
Separately from the DPA, Article 30(2) requires each processor to keep a record of the categories of processing it carries out on behalf of each controller and to make it available to the supervisory authority on request. Only the limited exemption in Article 30(5) (an enterprise with fewer than 250 employees whose processing is occasional, unlikely to pose a risk to data subjects, and does not involve special categories of data or data on criminal convictions) relieves a processor of this duty.
What happens after a data breach under a DPA?
If a personal data breach occurs, the parties need to act quickly, and the DPA should say who does what. The processor must notify the controller without undue delay after becoming aware of the breach (Article 33(2)). The controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected (Article 33(1)). A notification made after 72 hours must give the reasons for the delay.
If the breach is likely to result in a high risk to the individuals affected, the controller must also inform them without undue delay (Article 34). This is not required where the controller had applied measures that render the data unintelligible to unauthorized persons, such as strong encryption whose keys were not compromised; where subsequent measures mean the high risk is no longer likely to materialize; or where individual notice would involve disproportionate effort, in which case an equally effective public communication is used instead.
For example, imagine a credit card company stores customer data with a hosting provider, and an attacker compromises the provider's servers. The customers' names, home addresses, other contact details, financial details, and records of the types of payments made on their cards have all been exposed.
The hosting provider is the processor here. Its obligation is to notify the credit card company without undue delay, with enough detail for the controller to assess the breach. The credit card company, as controller, must then notify the supervisory authority within 72 hours of becoming aware of it. Because the controller's clock starts when it learns of the breach, the DPA should fix a concrete, short deadline for the processor's notice, measured in hours rather than days.
The credit card company would also likely need to inform its customers, since the disclosure of identifying and financial details creates a high risk of fraud and identity theft. Payment records that reveal medical purchases could also expose data concerning health, a special category of personal data under Article 9, which raises the risk further.
What are the penalties for noncompliance with the GDPR?
Noncompliance does not have to wait for a breach: operating without a valid DPA, or outside its terms, is itself an infringement. Supervisory authorities have a range of corrective powers under Article 58(2), applied in proportion to the infringement:
- A warning that intended processing is likely to infringe the GDPR
- A formal reprimand
- An order to bring processing into compliance or to comply with a data subject's request
- A temporary or definitive limitation on processing, including a ban
- An administrative fine. Infringements of the controller and processor obligations in Articles 25 to 39, which include the Article 28 DPA requirements, carry fines of up to EUR 10 million or 2 percent of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(4)). Infringements of the basic principles of processing, data subject rights, or the international transfer rules carry fines of up to EUR 20 million or 4 percent, whichever is higher (Article 83(5)).
Hire data security professionals to your team with Globalization Partners
When you’re building international teams focused on data security, work with Globalization Partners. Our teams of professionals can help you understand the data processing agreement regulations that apply to your company.
Having data protection officers (mandatory for some organizations under Article 37) and other privacy and legal professionals on your team helps you stay GDPR compliant. As a global Employer of Record (EOR), Globalization Partners helps you hire and pay the international talent you need for success. We take data privacy seriously, and we can help you comply with local labor laws and secure your confidential information as you scale your company internationally.
At Globalization Partners, we help you expedite your hiring processes. Using our full-stack global employment platform, you can hire and onboard your new team members with just a few clicks, saving time and streamlining your approach to the challenges of international company growth.