Data Processing Agreements: It is Time to Review and Update
A data processing agreement (or DPA) is a type of contract that organisations sign when they entrust the personal data they control to third parties. DPAs can be executed in various legal forms, including data processing addenda, data protection contracts, data sharing agreements and many others. The essential elements you must always look for are:
- the territorial scope of the agreement: is it between two EU-residing entities or is one of the parties registered outside of the EU?
- the subject matter: does this agreement concern personal data?
Review the agreements your company has entered into during the last four years or even earlier (yes, the terms of service of your software providers, too). Does anything match these two criteria? If so, look closer at the contents of those contracts.
If you find that they are based on the Standard Contractual Clauses of 2010 and/or refer to Directive 95/46/EC, then you definitely need to renew them as soon as possible.
Why change though?
As you remember, the GDPR entered into force in May 2018 and triggered a wave of privacy policy update emails. But these policies are only the tip of the iceberg. DPAs lie much deeper: they are the cornerstone of international data transfer, enabling companies to outsource the best talent and engage the best software and infrastructure solutions available on the world market. In Article 46 of the GDPR, you will find that the standard data protection clauses (or simply SCCs) are one of the most flexible safeguards that companies without large compliance budgets may rely on when contracting a foreign firm.
The Commission drafted and adopted the first Standard Contractual Clauses in 2010, to make compliance with Directive 95/46/EC (the predecessor of the GDPR) easier. Since then, many things have changed: the Directive has been replaced with the GDPR, new business models have emerged, and technology has developed significantly, making the SCCs 2010 far less useful and convenient. Moreover, the SCCs 2010 referred to the Directive, and this was a headache for cautious legal departments, as the SCCs were meant to be adopted "as is" (they are, after all, standard). The situation was genuinely confusing: even though the GDPR was in effect, companies still referred to its predecessor, making the whole compliance puzzle even more complicated.
In 2021, the Commission adopted a new set of SCCs. Since their release, companies are obliged to:
- enter into the updated SCCs when signing a new agreement after 27 September 2021;
- replace the SCCs 2010 signed before 27 September 2021 with the updated clauses before 27 December 2022. The annexes must be replaced, too.
After 27 December 2022, companies relying on the SCCs 2010 cannot in any way be considered compliant.
So what if we don’t follow?
The consequences may be severe.
For starters, your company will no longer be GDPR-compliant: by relying on the older SCCs, you will de facto violate Articles 44 and 46, which set out the requirements for lawful international data transfers (and Articles 32 [security of processing] and 28 [data processors] may be engaged as well).
Moreover, the supervisory authority may sanction your organisation. The sanction may range from a mere notice of infringement and an order to stop the violation, to a requirement to suspend the data flow (ceasing work with your foreign partner) and/or even a fine.
However, it is not only the supervisory authority that may notice something. The data subject has the right to request a copy of your DPA with the SCCs, and they may demand that their data not be processed by the foreign contractors and/or lodge a complaint with the supervisory authority about your violation of the Articles mentioned above. This can lead to a dreadful media scandal, too.
Your partners may request a copy of the draft agreement as well and, after due diligence, refuse to work with you because of insufficient compliance thoroughness, or put you in an unfavourable bargaining position.
Quite a price for a part of legal paperwork, isn’t it?
What’s next then?
You have plenty of options.
- Contact a data protection lawyer to handle the drafting, negotiation and signing. Usually, the legal counsel that handles all your legal inquiries will not have the time, or the knowledge of your processing activities, needed to do all the work in time (again, the deadline for a signed agreement is 27 December 2022). A data protection lawyer has a clean template and the skills needed to fill in the optional clauses and Annexes, as this is their routine job.
- Ask your DPO or Chief Privacy Officer to help you out or to prioritise this task. It may be that your DPO or CPO is too preoccupied, or was only recently hired and is not aware of the contracts you signed in the early days of your business. Help them detect and remedy these compliance vulnerabilities.
- Rely on your own skills and/or readily available internet tools. This can be a necessary step when costs are limited, but you risk forgetting something or making the agreement unenforceable, especially if you are not a lawyer yourself. Some of the tools on the market are great, but they are rarely as tailored as you might want them to be.
- Ask your business partner or client to do all the work for you. Be ready to give them a lot of your insider information about processing activities and security details, though: without your participation, they will not be able to find out which information to write down in the contract. Again, remember the power this gives them over your bargaining position.
Of course, you can always contact us for help or advice (or if you have any questions as to this article, too). You may learn more about Legal IT Group’s Privacy Team on our website, and if you feel that we are just the people you were looking for then write us an email.