July 3, 2023
The data analytics market is projected to surpass $105 billion by 2027 as businesses continue to understand its potential to improve efficiency and productivity. Your company is likely involved in data processing on some level or will be soon.
When you involve another party in that processing, a data processing agreement (DPA) becomes your first line of defense for protecting your company’s interests. In the EU, it is also a regulatory requirement: Article 28 of the GDPR requires a written contract between a controller and any processor acting on its behalf. Learn the ins and outs of DPAs with our guide and consider where they fit in your broader contract lifecycle management.
Key Takeaways
The General Data Protection Regulation (GDPR) is an EU law that outlines the obligations of companies and organizations engaged in data processing. The broad purpose of the GDPR is to establish proper standards and requirements for data processing activities to protect the rights and privacy of individuals’ personal information. A basic component of GDPR compliance is having a written DPA with each of your data processors (Article 28(3)).
The GDPR distinguishes two levels of violations, each with its own potential penalties. The less severe level concerns non-compliance with the obligations of controllers and processors (including the controller-processor relationship), certification bodies, and monitoring bodies. Penalties for this violation level can reach the higher of 10 million euros or two percent of the company’s total worldwide annual turnover for the preceding financial year.
The second, more serious, violation level covers, for example, breaches of the basic principles for processing (including the conditions for consent), of data subjects’ rights, or of the rules on transfers of personal data to third countries. Fines for this level can reach the higher of 20 million euros or four percent of the company’s total worldwide annual turnover for the preceding financial year.
Image from https://www.jdsupra.com/legalnews/cybersecurity-a-top-legal-industry-6481896/
Generally, the DPA involves the data controller and the third-party data processor. The data controller is the party that determines the purposes and means of the processing; it is not necessarily the party that physically holds the data. The controller makes the personal data available to a processor, who processes it only on the controller’s behalf and instructions. While these are the main parties to a DPA, the contract could also mention non-parties, such as the customers of the data controller (i.e., the data subjects), sub-processors engaged by the data processor, and the supervisory authorities responsible for compliance enforcement.
Under the GDPR, “data processing” is a broad term encompassing any operation performed on someone’s personal data, including collection, storage, aggregation, analysis, disclosure, transfer, or destruction. Whenever you share personal data with a third party that will process it on your behalf, a DPA is required, whether you are the data controller or the processor. Note that a DPA is the controller-to-processor instrument; if the other party decides its own purposes for the data, it is a separate controller (or a joint controller), and a different arrangement applies. While DPAs are mandatory for companies operating in the EU, they are useful worldwide, protecting your company’s interests whenever it hands personal data to another party.
DPAs typically involve the following key terms, which could be distilled into separate sections and subsections within the agreement.
The scope of the data processing performed under the DPA is the primary concept of your contract. As a service contract, it should reflect an exchange of the controller’s consideration (e.g., cash, access, or other property) for the processing services.
This section should clearly describe the subject matter and purpose of the processing, the categories of personal data and of data subjects involved, and what the processor agrees to do with the data. It is also where the data processor discloses any sub-processor engaged to assist with the scope of work; under the GDPR, a processor may only engage a sub-processor with the controller’s prior specific or general written authorization, and must flow the same data protection obligations down to it. Your DPA should also state the duration of the data processing relationship, for example a one-time project, an ongoing engagement, or a fixed term with renewal options.
Image from https://www.gdprregister.eu/gdpr/records-of-processing-activities/
Beyond the scope of data processing, the DPA should consider ancillary duties that arise for both parties as part of their GDPR compliance obligations. For the duration of the DPA, the data controller is responsible for ensuring that the processing is lawful and that the data subjects’ rights are protected. As part of protecting the data subjects, the controller gives the processor documented instructions for how the data is to be handled, and the processor may not process the data for any other purpose.
The DPA should also state the data processor’s key obligations. Under Article 28(3) of the GDPR these include promises to process the personal data only on the controller’s documented instructions; to ensure that everyone authorized to process the data is bound by confidentiality; to implement appropriate security measures; to respect the conditions for engaging sub-processors; to assist the controller in responding to data subject requests; to assist the controller with security, breach notification, and impact assessment obligations (including notifying the controller of a personal data breach without undue delay); to delete or return the data at the end of the engagement; and to make available the information needed to demonstrate compliance and to allow and contribute to audits.
The data controller’s instructions for data processing should detail the technical and organizational measures that protect the security and integrity of the data, as Article 32 of the GDPR requires them to be appropriate to the risk. In practice this means naming concrete controls rather than promising “industry-standard security”: for example, confidentiality agreements with those working on the project, encryption of the data in transit and at rest, access control and logging, the ability to restore availability after an incident, regular testing of the effectiveness of the measures, and requirements for the hardware and software used. Vague wording here is a common audit finding and leaves the controller unable to verify what the processor actually does.
Like any contract, the DPA should include standard terms that are essential for successful management of the agreement. Common examples could include assignment and assumption rights, conflict resolution process, governing law, and others.
DPAs are a critical contract form for any business that collects data and shares it with another party for processing. In certain locations, like the EU, they are an important part of compliance with regulatory laws. Depending on your company’s operations, several different types of DPAs could be necessary, and integration into your CLM could be useful for ensuring compliance and mitigating outside risk.
Contact our representatives about building your CLM for data processing agreements.