Data Processing Agreement

What is a data processing agreement?  

A data processing agreement (DPA) is an agreement that regulates how a data processor should handle personal data when the processor helps a personal data controller handle its personal data. The data controller is the legal entity that decides how the data may be used, and the data processor is the legal entity that helps the controller to perform a certain task, for example storing the personal data. According to the requirements of the UK General Data Protection Regulation (UK GDPR), a DPA must be entered into between the data controller and the data processor. According to the UK GDPR, such an agreement must regulate a number of circumstances, including how the personal data processor may use the personal data, what security standards should be implemented and what criteria the personal data processor must meet when it wishes to contract processors, so-called sub-processors.

When should you use a Data Processing Agreement? 

As soon as you need help from someone outside your own organisation who will handle personal data for which you are controller, or if you are to handle personal data for which someone else is controller, you should enter into a DPA. This may be the case if, for example, you want to buy a cloud service to store your data, you use a SaaS for recruitment where you are going to store data about your job candidates, or if you sell a SaaS yourself and want to make sure that you can offer your customers a solid agreement for the data processing. Before entering into any agreement, you should always ask yourself whether either party will handle the other party's personal data. This drill is conducted in order to determine whether or not you should also enter into a DPA. Entering into a data protection agreement is not optional since it’s a legal obligation under the UK GDPR.  Even though it primarily is the controller that bears the responsibility to have the DPA in place the processor may benefit from offering its own DPA that reflects the particular interests of the processor.

Why is a data processing agreement important and why should you use it?

A DPA is a very important part of meeting the requirements of the UK GDPR. In addition to the legal requirements, there is also a vested interest from each party to be able to regulate the responsibility for the personal data. For the data controller, the agreement becomes an instrument to achieve other obligations set out in the UK GDPR. For example, the data controller can ensure that it complies with the appropriate security measures requirement by requiring what level of security the data processor must implement when the processor handles the controller’s personal data. Another important aspect is to regulate where the personal data will be handled geographically when you contract a data processor. A rule of thumb for companies within the EU/EEA and the UK is that you do not want the data processor to transfer your personal data outside this geographical zone.

There are large potential fines for failing to comply with the UK GDPR - the most serious violations can result in fines of up to 4% of global turnover of the preceding financial year or £17.5 million (whichever is greater) and other violations can result in fines of up to 2% of annual worldwide turnover of the preceding financial year or £8.75 million (whichever is greater). 

What are the common pitfalls of a Data Processing Agreement? 

A common pitfall is that the DPA is not based on your specific situation. Before you draft your DPA, you must make an analysis of what personal data is to be covered by the agreement, how critical this personal data is to your company and whether it is personal data that may be particularly sensitive from a privacy perspective.

The DPA should be crystal clear regarding the obligations of each party. If you reach the conclusion that your personal data is sensitive, you should place high demands on the data processor in terms of security. It can help if you refer to commonly accepted security standards such as ISO when you request security measures for your personal data.

Another pitfall is forgetting to examine the data processor's processor, so-called sub-processors. Because it will not matter if you have ensured that the data processor has no servers outside the EU/EEA and the UK if they use a subcontractor in India who can access your personal data at any time. It may be enough for the processor to have a support function located in a country that does not have a sufficient level of protection for personal data for you to have committed a violation of the UK GDPR.

In order to be able to check that the personal data processor adheres to its  promises, it is common for the data controller to be given the opportunity to audit the processor. It is also important to specify the party who will be responsible for any costs incurred by the audit, who may carry out the audit and how often an audit may take place.