What are the benefits of a Data Processing Agreement (“DPA”)?
We are often asked by our clients about the benefits of using a DPA. We advise that DPAs have a number of critical benefits; first, they are an essential tool for organizations to ensure compliance with data protection laws, such as the General Data Protection Regulation (the “GDPR”), UK’s Data Protection Act 2018, and the California Consumer Privacy Act (the “CCPA”). Second, they help a business protect one of its most valuable assets – personal data. Finally, the use of DPAs by a company demonstrates to the public that the business cares about the personal data it is entrusted with by its customers and business partners for safekeeping.
What is a DPA?
A DPA is a legally binding contract that outlines the roles and responsibilities of both the data controller and data processor in the processing of personal data. Under the GDPR, the data controller is the entity that determines the purposes and means of processing personal data, while the data processor is the entity that processes personal data on behalf of the data controller. Data processing refers to the use of personal data such as its collection, storage, monetization, transfer, sharing, destruction, etc.
By entering into a DPA, both the data controller and data processor demonstrate their commitment to data protection and ensure compliance with applicable laws and regulations. A well-crafted DPA provides a clear and comprehensive framework for the processing of personal data and helps to build trust between the parties involved.
What should be in a DPA?
A well-crafted DPA should set out clear and specific contractual requirements of the data processor such as the implementation of appropriate data security measures, actionable data breach notification procedures, and data controls necessary to ensure that only authorized personnel can access personal data on a need-to-know basis. In addition, a well-developed DPA should include provisions for data subject rights, such as the right to access, rectification, and erasure of personal data. It should also address issues such as data transfers, sub-processing, retention, and destruction.
It is important to note that a DPA is not a one-size-fits-all document. It should be tailored to the specific circumstances and needs of the business. When drafting a DPA, we suggest considering the following key elements:
1. Purpose and Scope: Clearly define the purpose and scope of the DPA, including the categories of personal data that are to be processed, the purposes for which the personal data will be processed, and the duration of such processing.
2. Roles and Responsibilities: Identify the roles of the parties (controller or processor) and the related responsibilities of each. This includes specifying the data controller’s obligations such as its necessary compliance with applicable data protection laws, along with the data processor’s obligations to comply with all the controller’s processing instructions and the processor’s obligation to implement appropriate data security measures
3. Security Measures: Specify the security measures that the data processor must implement to protect personal data. This should include technical and organizational measures, such as encryption, access controls, and regular security audits
4. Data Breach Notification: Set forth any data breach notification procedures that the data processor must follow in the event of a personal data breach. This should include requirements for promptly notifying the data controller of any breaches and cooperating with any related investigations or remedial actions.
5. Sub-Processing: If the data processor intends to engage sub-processors to process personal data on its behalf, include provisions that outline the requirements and conditions for such sub-processing. This may include obtaining the data controller’s prior written consent before selecting a sub-processor, ensuring that any sub-processors are subject to the same data protection obligations as the processor, and providing the data controller with the right to object to the use of specific sub-processors.
6. International Transfers: If personal data will be transferred to countries outside of the European Economic Area (EEA), include provisions that address the requirements for such transfers. This may include ensuring that appropriate safeguards are in place, such as Standard Contractual Clauses or Binding Corporate Rules, to protect personal data.
7. Data Subject Rights: Include provisions that address the data subjects’ rights, such as the right to access, rectify, erase, and restrict the processing of their personal data. This should also include provisions for responding to data subject requests and a requirement on the processor to cooperate with the controller in fulfilling its obligations under applicable data protection laws
8. Audits and Inspections: Specify the rights of the data controller to audit or inspect the data processor’s compliance with the DPA and applicable data protection laws. This should include assurances by the processor that it will provide the controller with all evidence necessary to demonstrate the processor’s continued compliance with the DPA, along with the controller’s right to conduct on-site inspections.
9. Termination and Exit Strategy: Include provisions that address the termination of the DPA and the return or deletion of personal data once the processing activities are completed. This should also include provisions for the data processor to assist the data controller in transferring the personal data to another service provider, if necessary.
10. Governing Law and Jurisdiction: Specify the applicable governing law and jurisdiction for any disputes that may arise under the DPA.
11. Indemnification: Include provisions that outline the data processor’s obligation to indemnify and hold harmless the data controller for any losses, damages, or liabilities arising out of the data processor’s breach of the DPA or applicable data protection laws.
12. Confidentiality: Specify the data processor’s obligation to keep all personal data confidential and to implement appropriate security measures to protect the data from unauthorized access, use, or disclosure.
13. Data Breach Notification: Include provisions that outline the data processor’s obligation to promptly notify the data controller of any data breaches that may impact the security or confidentiality of personal data; and to assist in the notification of affected data subjects where required by law.
14. Liability: Specify the parties’ liability and limitations of liability under the DPA.
15. Dispute Resolution: Include provisions that outline the process for resolving any disputes that may arise under the DPA. This may include requirements for mediation, arbitration, or other alternative dispute resolution methods.
16. Entire Agreement: Include a clause that states that the DPA represents the entire agreement between the parties with respect to the processing of personal data and supersedes any prior agreements or understandings.
It is important to note that the above list is not exhaustive and DPA elements vary depending on the specific circumstances and requirements of the data controller and data processor. For instance, those businesses governed by the GDPR have specific DPA requirements set forth in Article 28, Section 3 to include requirements that:
- the processor can only process personal data pursuant to the documented instructions of the controller,
- any processor employee/agent/representative processing personal data is/are must be under a confidentiality agreement with respect to the processing of personal data,
- the processor must employ all technical and organizational measures necessary to protect the security of the data,
- the processor will not subcontract to any other data processor unless instructed to do so in writing by the controller, in which case another DPA will need to be signed with the sub-processor (pursuant to Sections 2 and 4 of Article 28).
- the processor will help the controller uphold its obligations under the GDPR, particularly concerning data subject access rights,
- the processor will assist the controller with GDPR compliance and specifically with Article 32 (Security of Processing) and Article 36(consultation with the relevant data protection authority before undertaking high-risk processing),
- the processor must agree to delete all personal data upon the termination of services or return the data to the controller, and
- the processor will demonstrate GDPR compliance to the controller by providing the controller with requested compliance evidence to include allowing the controller to conduct audits.
Businesses in the United States must also consider individual state privacy laws like California’s CCPA mentioned above, which requires certain businesses to implement measures to protect consumer personal information. While the CCPA does not explicitly require a data protection agreement, it does mandate that any entity qualifying as a “business” (which “determines the purposes and means of the processing of personal information…“) must have a written contract with any “service provider” (which “processes personal information on behalf of a business…“) that:
- Prohibits the service provider or contractor from selling or sharing personal information,
- Identifies the specific business purpose(s) for which the service provider or contractor is processing personal information and further specify that the business is disclosing the personal information only for the limited and specified business purpose(s) set forth within the contract,
- Prohibits the service provider or contractor from retaining, using, or disclosing the personal information for any purpose other than the business purpose(s) specified in the contract,
- Restricts the service provider or contractor from retaining, using, or disclosing the personal information for any commercial purpose other than the business purposes specified in the contract,
- Prohibits the service provider or contractor from retaining, using, or disclosing personal information outside the direct business relationship between the service provider or contractor and the business. For example, a service provider or contractor is prohibited from combining or updating personal information received from the business with personal information that it received from another source or from its own interaction with the consumer,
- Dictates that the service provider or contractor will comply with the CCPA and any other data protection/privacy laws, including providing the same level of privacy protection as required of the business. For example, the contract may require the service provider or contractor to cooperate with the business in responding to consumers’ requests made pursuant to the CCPA, and to implement reasonable security procedures and practices appropriate to the nature of the personal information necessary to protect the entity from unauthorized or illegal access, destruction, use, modification, or disclosure,
- Grant the business the right to take reasonable and appropriate steps, at its own expense, to ensure that the service provider or contractor uses the personal information in a manner consistent with the business’s obligations under the CCPA. Reasonable and appropriate steps may include ongoing manual reviews and automated scans of the service provider’s system and regular internal or third-party assessments, audits, or other technical and operational testing at least once every 12 months,
- Require the service provider or contractor to notify the business within 48 hours, after it determines it can no longer meet its obligations under the CCPA,
- Grant the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate the service provider or contractor’s unauthorized use of personal information. For example, the business may require the service provider or contractor to provide documentation that verifies that it no longer retains or uses personal information of consumers that have made a valid deletion request, and
- Require the service provider or contractor to enable the business to comply with consumer requests made pursuant to the CCPA or require the business to inform the service provider or contractor of any consumer request made pursuant to the CCPA that they must comply with and provide the information necessary for the service provider or contractor to comply with such request.
By carefully considering and including the provisions outlined above, data controllers and data processors can help establish a clear and legally compliant framework for the processing of personal data. This can help protect the rights and privacy of individuals, while also mitigating the risks and liabilities associated with data processing activities.
Advisori can help. Please go to https://advisori.com/data-protection-agreement-negotiation-services/ to learn more about our DPA Negotiation Services or reach out to us at [email protected].