What is a Data Processing Agreement (DPA): The Essential Guide

Data is crucial to most companies, since it serves as the basis for both internal and external activities. Because data is highly susceptible to breaches and third-party attacks that can threaten the business, a company must put strong security measures in place while adhering to the guidelines of the General Data Protection Regulation (GDPR). One way to impose such measures is by signing a Data Processing Agreement (DPA).

Definition of Data Processing Agreement (DPA)

Personal data include, but are not limited to, an individual’s name, area of residence, age, date of birth, and contact information. GDPR is the legislative framework that sets standards for collecting and managing such data, and signing a DPA is one of the ways those standards are enforced.

A Data Processing Agreement (DPA) is a legal contract between the data controller and the data processor guaranteeing that the data processor will handle the data provided by the data controller appropriately and under the rules of GDPR. It states the liabilities and obligations of both the data controller and the data processor, the purpose and extent of the data processing, and the relationship between the two parties.

This may or may not be separate from the primary contract. However, it is a good idea to make it a supplementary document or annex to the primary contract due to its intricacy.

Furthermore, a DPA must also be signed if the data processor intends to pass the consumer data on to another entity, known as a sub-processor. This ensures that the entity they chose to work with can process the data safely and securely.

Significance

All business entities collect and process data and exchange these data with other parties. Because of this, a DPA needs to be put in place to ensure that personal data are not misused. Suppose the data controller shares personal information with an outside party, for instance an entity that is not part of the European Union (EU). In that case, it is vital that this external party processes the data in compliance with the GDPR, which can be achieved by having them sign a DPA.

Failure to put a DPA in place may lead to data breaches and misuse, posing a threat both to the company and to the individual whose data are being processed.

As the data controller, if you operate under the GDPR and have signed a DPA, and a third-party entity with whom the data processor shared the personal information mishandles that data, the DPA offers you legal protection. The data processor is then responsible for the consequences, as they failed to follow the agreed procedures.

On the other hand, if you fail to sign a DPA as the data controller, you are held liable for the misuse of the data, since you did not take appropriate data security precautions.

The consequences in both situations include a loss of trust from clients whose personal information was leaked, as well as a fine set according to the GDPR guidelines, depending on the degree and kind of infraction.

When is it necessary to sign a DPA?

Signing a DPA is necessary whenever you, as the data controller, require another entity to process the data you have obtained. It guarantees that both parties will carry out their tasks under the rules of GDPR, avoiding a possible future data breach and other anomalies that could endanger the consumer’s personal information.

Is there a need for processors to sign a DPA with their sub-processors?

Sub-processors are entities contracted by the data processor to process the data provided by the data controller. If the data processor uses a sub-processor, they must sign a DPA with that sub-processor to safeguard the data that will be processed by them.

Definition of data processing

Data processing entails collecting, organizing, sorting, monetizing, and deleting the client’s personal information, as well as any other action performed in handling the data that is not listed here. Since the data being processed are sensitive, the data controller and data processor must adhere to the GDPR guidelines throughout processing.

Who is the data controller?

The data controller obtains, collects, and gathers personal information from consumers. Along with this, they are responsible for ensuring that the rights of these individuals are protected and respected. Moreover, they must provide instructions for the data processing procedures and the conditions to be followed by the data processor.

Who is the data processor?

The data processor, also known as the data importer, handles the data obtained by the data controller. They are only permitted to process the personal information in the ways that their contract with the data controller allows. Moreover, the data processor has no right to use sub-processors without prior consultation with, and consent from, the data controller. The duties and obligations of the data processor include, but are not limited to, the following:

– Return the processed data to the data controller, or destroy it, according to the data controller’s preference, once the processor’s services are no longer required.

– Inform the data controller of any potential data breach as soon as possible.

– Be held liable along with the data controller in the event of a data breach.

– Notify the data controller of any GDPR violations that occur during data processing.

– Maintain the rights of the clients along with the data controller.

– Allow the data controller to conduct GDPR compliance audits.

Some data processors use sub-processors to assist in processing the data, in accordance with the GDPR rules and regulations. As mentioned above, the data processor is prohibited from using sub-processors without the authorization and approval of the data controller.

What should a DPA include?

The DPA has no specific format, though its content should cover Article 28 (Processor) through Article 36 (Prior Consultation) of the GDPR. In most countries a DPA is not legally required but is strongly recommended, in contrast with European countries, where a DPA is legally required.

Signing a DPA before the data processing is crucial so that both parties recognize their roles and obligations. Furthermore, it will protect the business entity and the welfare of the consumers who shared their data.

The sections that must be included and stated in the DPA are the following:

The General clauses section includes the terms and conditions of the contract as agreed by both parties. It shall cover all the activities required to process the data provided by you (the data controller); the owners of the data to be processed, for instance patients, insurance clients, and employees; the type of data to be processed, for example demographic information or IP addresses; and the conditions for termination of the contract.

The Obligations of the data controllers section shall include all the duties and responsibilities of the data controller according to Article 24 of the GDPR, which are as follows:

Meanwhile, the Obligations of the data processor section shall set out the processor’s duties as stated in Section III of Article 28 (Processor) of the GDPR, as follows:

The Technical and organizational measures section shall include all the precautionary and security measures the data controller shall apply in handling the personal data to avoid third-party attacks and data breaches. It is recommended to include this section in the annex of the contract. According to Article 32 of the GDPR (Security of Processing), the measures that should be implemented are as follows:

The Sub-contractual relationships section covers the terms and conditions that apply if the processor opts to use a sub-processor in processing the data. It is recommended to include the list of sub-processors in the annex of the contract. This section shall include the following obligations:

The Final clauses section consists of other necessary information and shall state that both parties must agree to any modifications of the contract.

Lastly, the annexes section shall include the supporting contractual material, such as the technical and organizational measures and the list of sub-processors.

Fines for non-compliance with the DPA

Authorities levy fines and penalties on entities, whether small-scale or large-scale, that fail to put a DPA in place or that violate one. There are two levels of penalties, depending on the extent and type of offense. Under the GDPR guidelines, data processor infractions generally fall under the first tier, with fines of €10 million or 2% of the company’s global revenue. For other violations, fines can range up to €20 million or 4% of the company’s global revenue.


Knowledge - 05 July 2022 | By TermsHub