What is a data processing agreement and when is it required?

A data processing agreement (DPA) is a contract that regulates personal data processing activities conducted on behalf of a business. Personal data includes any information a business collects from customers that could be used to identify those customers (or “data subjects”), including (but not limited to) their names, phone numbers, or physical addresses, and even biometric data such as an individual’s face, fingerprints, voice, or handwriting.

Data processing is the collection, storing, retrieval, conversion, analysis, and communication of that sensitive information. Companies often hire specialized vendors to do this work for them. A DPA defines the legal obligations between these parties, which are known as “data controllers” and “data processors.”

‍

What are data controllers and data processors?

The party that owns the customer data is the “data controller,” while the party processing the customer data on the controller’s behalf is the “data processor.” A DPA identifies exactly what data the parties will exchange, and defines the scope of what the processor is allowed to do with that processed data.

The agreement further stipulates technical and organizational standards that the controller and processor must follow when exchanging and processing customer data, including how they’ll access and preserve the data, and how the processor will delete or return it after processing.

‍

What is the GDPR?

A wide range of data protection laws have emerged around the world, from the supranational to the municipal level, to promote data security. One of the most prominent is the European Union’s General Data Protection Regulation (GDPR).

Every company that collects information from customers within the EU is subject to the GDPR. The GDPR requires data controllers to tell customers how and when their personal data is being processed. It also contains notification requirements for the event of a data breach.

If a data controller subject to the GDPR hires a third-party processor, the GDPR requires the parties to sign a DPA to govern their relationship and data processing activities. It is crucial for controllers to hold the processors they hire to the same high standards to which they hold themselves regarding customer data — because the GDPR holds the controller liable for any data mishandling on the part of the processor.

‍

Impact of Schrems II and the GDPR on DPAs

“Schrems II” is the name commonly used to refer to the Data Protection Commissioner v. Facebook Ireland Ltd. case decided by the Court of Justice of the European Union in 2020. That decision invalidated the EU-US Privacy Shield Framework that had been established in 2016, on the grounds that the Privacy Shield did not provide sufficient security for data transfers from the EU to the US — even between two companies within the same corporate umbrella.

The practical effect of Schrems II was that the European Commission had to create an updated version of the standard contractual clauses (SCCs) — model data privacy clauses that the Commission had previously “pre-approved” to promote the security of personal data. The Commission finalized the updated SCCs in June 2021.

Accordingly, any DPAs still relying on the previous version of the SCCs are now out of date. Data controllers need to update the standard data privacy language in their DPAs, or risk facing heavy fines and penalties.

‍

What to include in a GDPR-compliant DPA

In order to ensure GDPR compliance, a DPA should include the following (non-exhaustive) information:

• The purpose of the data collection and processing
• How the data will be processed
• The time required to collect and process the data
• How the data will be accessed
• How the data will be encrypted
• The respective responsibilities of the data processor and the data collector

‍

Other developments in the new SCCs

The new SCCs don’t just include a longer checklist of information to include. They also contain improvements meant to resolve gray areas that the old SCCs did not address.

One of the changes in the new SCCs is the creation of a docking clause mechanism that allows the original parties to a DPA to add new parties over time. This development mitigates the prior legal ambiguity regarding data transfers involving more than two parties — for example, when a processor transfers customer data to another processor as a subcontractor.

Legal counsel and compliance officers should be cognizant not only of the minimum standards required by the new SCCs, but also these new mechanisms that can provide greater security and clarity for those who use them.

‍

Learn more about creating compliant DPAs

If your business handles so much as a list of email addresses collected through an electronic form, then you’re handling customers’ personal data. Are you prepared to provide an adequate level of data security to comply with data privacy regulations such as the GDPR? You can learn more about creating a GDPR-compliant DPA and other data-privacy-ready contracts here.