Articles

The Ins and Outs of a Data Processing Agreement (DPA)

July 3, 2023

Solution

Market Insights

Members of a legal team meet with their company’s stakeholders to review their data processing agreements and discuss regulatory compliance.

The data analytics market is projected to surpass $105 billion by 2027 as businesses continue to understand its potential to improve efficiency and productivity. Your company is likely involved in data processing on some level or will be soon.

When you involve another party, a data processing agreement (DPA) becomes your first line of defense for protecting your company’s interests. In regions like the EU, a DPA is a regulatory requirement. Learn the ins and outs of DPAs with our guide and consider where they fit in your broader contract lifecycle management.

Key Takeaways

  • The EU’s General Data Protection Regulation (GDPR) imposes many requirements on companies that share and process personal data, and a DPA is the first step in outlining compliance.
  • DPAs are useful for any data processing activity, including collection, storage, and analysis.
  • Your DPAs should carefully outline the scope of the processing, the obligations of the parties, and the technical requirements of the work performed.

The GDPR and Its Authority Over Data Processing Activities in the European Union

The General Data Protection Regulation (GDPR) is an EU law that outlines the obligations of companies and organizations engaged in data processing. The broad purpose of the GDPR is to establish proper standards and requirements for data processing activities to protect the rights and privacy of individuals’ personal information. A basic component of GDPR compliance is having a written DPA with your data processors.

Penalties for GDPR Non-Compliance

The GDPR distinguishes two levels of violations, each with its own potential penalties. The less severe level concerns non-compliance related to the controller-processor relationship, certification bodies, and monitoring bodies. Penalties for this violation level could be the higher of 10 million euros or two percent of the company’s global annual revenue from the last year.

The second, more serious, violation level includes, for example:

  • Obtaining proper consent to justify processing a person’s data.
  • Respecting individual rights pertaining to the processing of their data (e.g., accessing copies, transferring data).
  • The manner of the data processing.
  • Violation of member state laws.

Fines for this level are the higher of 20 million euros or four percent of the company’s global annual revenue.

DPAs are useful in managing the cybersecurity priorities of GCs, including privacy policies and encryption.

Image from https://www.jdsupra.com/legalnews/cybersecurity-a-top-legal-industry-6481896/

Who Are the Parties in a Data Processing Agreement?

Generally, the DPA involves the data controller and the third-party data processor. The data controller – the party in possession (i.e., custodian) of personal information – transfers the data to a processor for processing activities. While these are the main parties in a DPA, the contract could also mention non-parties, such as the customers of the data controller (i.e., data subjects), related parties of the data processor, and governing bodies responsible for compliance enforcement.

When Might You Need a Data Processing Agreement?

Under the GDPR, “data processing” is a broad term encompassing any action you could take with someone’s personal data, including collection, storage, aggregation, analysis, sale, transfer, or destruction. Whenever you share personal data with a third party, a DPA is likely useful, whether you are the data controller or processor. While DPAs are essential for companies operating in the EU, they are useful worldwide, protecting your company’s interests when managing personal data.

Key Terms to Consider for Your Data Processing Contracts

DPAs typically involve the following key terms, which could be distilled into separate sections and subsections within the agreement.

Scope of Data Processing

The scope of the data processing performed under the DPA is the primary concept of your contract. As a service contract, it should reflect an exchange of the controller’s consideration (e.g., cash, access, or another property) for the processing servicing.

This section should clearly detail the nature of the data provided by the controller and outline what the processor agrees to do with it. It is also where the data processor would disclose any use of a sub-processor to assist in the scope of work. Your DPA should also state the duration of the data processing relationship. For example, a one-time project, ongoing, or a fixed term with renewal options.

Key aspects a DPA should address include the nature of the personal data, the lawful processing purpose, and the security measures in place.

Image from https://www.gdprregister.eu/gdpr/records-of-processing-activities/

Obligations of the Data Controller and Data Processor

Beyond the scope of data processing, the DPA should consider ancillary duties that may arise for both parties as part of their GDPR compliance obligations. For the duration of the DPA, the data controller is responsible for ensuring lawful protection of the data subjects’ rights. As a part of protecting the data subjects, the controller generally determines the instructions for how the processor will handle the data.

The DPA should also state the data processor’s key obligations. These include, for example, promises to:

  • Safeguard the data with proper information security protocols.
  • Report data breaches.
  • Keep adequate records.
  • Allow inspection and audit of records in case of an audit or investigation with authorities.
  • Return or delete data when the DPA ends.

Technical Specifications for Data Processing

The data controller’s instructions for data processing should detail some of the technical aspects of the work to protect the security and integrity of the system. This might include confidentiality agreements with those working on the project, verification steps to ensure compliance, and requirements for the hardware and software used.

Other General Terms of a DPA

Like any contract, the DPA should include standard terms that are essential for successful management of the agreement. Common examples could include assignment and assumption rights, conflict resolution process, governing law, and others.

Consult Our CLM Team About Managing Your DPAs and Related Compliance

DPAs are a critical contract form for any business that collects data and shares it with another party for processing. In certain locations, like the EU, they are an important part of compliance with regulatory laws. Depending on your company’s operations, several different types of DPAs could be necessary, and integration into your CLM could be useful for ensuring compliance and mitigating outside risk.

Contact our representatives about building your CLM for data processing agreements.