Data Processing Agreement: Coordination and Management
Personal data protection is today an extremely important and relevant topic, as many businesses, institutions, and organizations collect large amounts of information about each of us every day. At the level of the European Union, the General Data Protection Regulation (GDPR) stands guard over the security of such personal information.
Since the GDPR came into force, persons who in their activities deal with the processing of personal data of individuals located on the territory of the EU must be GDPR compliant — that is, their activities in this area must comply with the requirements of the Regulation.
When a Data Processing Agreement Is Required, Its Parties and Substance
One of the steps on the path to GDPR compliance is the regulation of relationships with counterparties. This is where the Data Processing Agreement — DPA — comes in. But in order to understand this document, let us first clarify how the GDPR divides all subjects into roles.
The GDPR contains the following categories of subjects:
- Data subject — the person to whom the personal data relates;
- Controller — the person who determines the purposes and means of processing the data;
- Processor — the person who directly processes such data in accordance with instructions;
- Third parties.
In the context of a DPA, we are interested in the controller and the processor: they are the parties to the agreement. To better understand their roles, let us look at a common example. There is a company engaged in retail trade that, for the purposes of its activities, lawfully collects information about its clients as individuals. It is the controller.
The company’s owners decided to notify consumers of new products and discounts by email. To do this they need to engage a specialist to whom personal data is transferred. They are the processor. The company determines the purposes, means, and scope of processing of client data, while the engaged specialist follows the company’s instructions. It is precisely these relations that are formalized in the form of a DPA.
And what about IT? Let us consider the following situation: an outsourcing company, for the purpose of providing support to clients, gains access to their personal data. If such a controller engages counterparties (sole proprietors), a DPA must be signed with them. The same applies where you jointly collect personal data with another person within the framework of a particular product (application).
Therefore, a DPA is an agreement between a controller and a processor that regulates the transfer of personal data from the first subject to the second (the volume of such data, the purposes of use, and so on) and the relations between them in the process of data exchange in general.
Why Is a Data Processing Agreement Important?
A DPA is mandatory for controllers that fall within the scope of the GDPR. Why is it so important? Personal data is personal information that requires proper protection. The transfer of data to anyone involves certain risks that must be minimized. The controller receives personal data and is effectively responsible for it, so it is important for them to trust their counterparties. The GDPR emphasizes that “in entrusting processing activities to a processor, the controller should use only processors providing sufficient guarantees in respect of expert knowledge, reliability and resources.”
In addition, fines for violations of GDPR requirements reach $20 million or 4% of the company’s total revenue.
Accordingly, a DPA is genuinely worth signing.
Content of a Data Processing Agreement
The substance, parties, and purpose of signing a DPA have been established. Now it is worth discussing what such an agreement consists of. In general, the content of a DPA is standard, as it must comply with the requirements of the GDPR. The Regulation itself defines the following mandatory terms of the agreement: the subject matter (i.e., the data), the duration of the processing, the purpose of processing, the categories of such data, as well as the obligations (Article 28). However, the parties have the right to expand the terms of this agreement.
So let us look at them in more detail.
List of Obligations of the Controller and Processor in Accordance with GDPR Requirements
Obligations of the controller:
- Ensure compliance of the processing and transfer of data with current personal data protection legislation.
- Inform the processor of their obligation to process data only with the controller’s permission and in accordance with the legislation.
- Ensure the application of security measures that are appropriate to protect personal data from accidental or unlawful destruction, or accidental loss, alteration, unauthorized disclosure, or access. At the same time, such measures must correspond to the risks accompanying the processing of information.
Obligations of the processor:
- Process personal data only with the permission of the controller and in accordance with their instructions, as well as the DPA itself. If this obligation cannot be fulfilled, the processor must notify the controller.
- Apply technical and organizational security measures to protect personal data.
- Inform the controller of: lawful requests for data from law enforcement authorities; any accidental or unauthorized access; any request from the data subject.
- Respond promptly and properly to the controller’s requests.
- Provide their data processing facilities for audit at the controller’s request.

Details of the Transfer
This information may be formatted as an annex that forms an integral part of the agreement.
This includes information about:
- the list of categories of data to be processed;
- the purpose for which they are collected;
- the period for which they will be stored;
- the method of their processing.
Subprocessing
It is worth specifying the processor’s obligation not to engage a sub-processor without the controller’s knowledge. In the event of engaging such a person, the processor is obliged to obtain the controller’s consent and formalize the relationship with the third party by a separate written agreement.
Liability
As a general rule, liability for damages caused to the data subject is borne by the controller. However, exceptions exist:
If the controller has effectively disappeared, ceased to exist in the legal field, or become insolvent, then the processor becomes the controller and bears liability to the data subject (an exception here is the case where the controller has a legal successor who has assumed all their obligations — in this situation the successor bears liability).
In the event of a breach of obligations by the processor and if they cannot be held liable (when both the controller and the processor have effectively disappeared, ceased to exist in the legal field, or become insolvent), liability is borne by the processor within the scope of their own data processing activities under the agreement (again, if the controller or processor has no legal successor).
In the event of a breach by a sub-processor (when both the controller and the processor have effectively disappeared, ceased to exist in the legal field, or become insolvent), they bear liability within the scope of their own data processing activities under the agreement — effectively becoming the controller or processor (likewise, if the controller or processor has no legal successor).
As can be seen from the above, the liability information provides an additional motivation to sign a DPA, in order to be confident in the integrity of the processor and other persons who may be engaged in data processing.
The following sections may concern the jurisdiction chosen by the parties (the law of the controller’s party is usually applied), as well as the parties’ relations with supervisory authorities regarding the conduct of audits.
Last but not least — the obligations of the parties after the expiry of the agreement.
After the provision of data processing services ceases, the processor undertakes to return all personal data or destroy it (at the controller’s choice). If the processor’s legislation prohibits the return or destruction of such data, the processor guarantees the confidentiality of the data and that they will not use it going forward.
Data Processing Agreement and Ukraine
All of this information is very important and interesting, but the question arises: do all of the above requirements apply to Ukrainian realities?
The GDPR applies to the processing of data of persons located on the territory of the EU, even if the processing is carried out outside the Union. Therefore, the Regulation does not directly extend to Ukraine. However, if a company in Ukraine in the course of its activities collects data of subjects on the territory of the EU, it must be GDPR compliant and consequently must sign a DPA with its counterparties.
A DPA is one of the important documents on the path to GDPR compliance, and one you cannot do without if you work with partners. The foundation of your relationship with clients is their trust in you. They entrust their personal data to the company and hope for responsibility on its part. Therefore, by signing a DPA in the role of controller, you ensure the integrity of your counterparties and guarantee the reliable preservation of your clients’ personal data.