Data Processing Agreement

A data processing agreement (DPA) is a legally binding document between two parties where one instructs another to perform information actions on their behalf.

A data processing agreement (DPA) or data processing addendum is a legally binding document that describes an arrangement between two organizations where one instructs the other to perform information operations on their behalf. For example, in the context of payroll, an employer may instruct a third-party Human Resources company each month to pay their employees on their behalf. In the context of telecoms, an organization may instruct a telecom service provider to route calls, messages, or data traffic through their network. And in the context of pension funds, a pension fund may instruct an outsourced administration company to administer members’ benefits and payments on their behalf.

A data processing agreement almost always entails a third party processing people’s personal data. For this reason, data protection agencies generally have strict rules governing data processing agreements. These agreements are either between a controller (typically a company) and a processor (typically a third-party service provider), which is the most common form, or between a processor (third-party service provider) and a sub-processor (typically another third-party service provider or an outside contractor), in which case the agreement is sometimes referred to as a sub-processing agreement.

If you are unsure whether you need a data processing agreement, you most likely do, and there could be dire consequences for not having one.

Why is a Data Processing Agreement Important?

Data processing agreements are important because data protection laws generally require an agreement whenever a controller instructs a processor or whenever a processor instructs a subprocessor.

There may be severe consequences for an instructing controller or processor if they fail to have a data processing agreement in place. For instance, some organizations have received monetary fines too great to recover from.

It’s important for an organization to understand data processing agreements regardless of what activities are happening within the processing chain because data processing agreements affect your organization at all levels. For example, if you are a subprocessor, the agreement between the controller and processor will get passed to you by a sub-process review, so it is still going to affect you regardless of what role you play in the chain.

How Do You Benefit From Having a Data Processing Agreement?

Having a data processing agreement (DPA) is a legal requirement. Data protection laws generally require a controller to have a DPA in place whenever they use a processor and whenever the same processor uses a subprocessor. Without a DPA in place, you could receive fines from regulatory authorities if they deem one was required. The data processing agreement protects the interests of all the parties involved by making sure each organization in the processing chain operates in compliance with relevant data protection laws and holds up its end of the bargain.

Data processing agreements help organizations meet certain minimal requirements for inclusion and protect data subjects through a system of checks and balances between the controller and processor or the processor and the sub-processor.

DPAs can also help you with information security. Many companies use third-party services to respond to data breaches, leaks, or other instances quickly, comprehensively and effectively. Without the necessary paperwork to get immediate assistance from your processors or sub-processors, your company may not be able to perform the necessary actions to stick to certain information security requirements.

What Should Be Included in a Data Processing Agreement?

You can find and download many different examples and templates of data processing agreements online. It’s important that your DPA include the following components:

  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The type of personal data and data subject categories
  • The controller’s obligations and rights

Data Processing Agreement and GDPR

The General Data Protection Regulation (GDPR) is considered the toughest privacy and security law in the world and determines what companies can do with people’s data in Europe. Companies like Amazon, WhatsApp, Google, and Facebook have already been fined over $1 billion collectively for not fully complying with GDPR regulations.

GDPR requires a data controller and a data processor to have a contract in place when data processing occurs. To satisfy this GDPR requirement, companies can create a data processing agreement (DPA) to document how personal data will be processed. The DPA should include the following:

  • The type of personal data that is processed
  • The duration for which the information is processed
  • The nature and purpose of the processing
  • The controller’s obligations and responsibilities
  • The processor’s obligations and responsibilities

Requirements for the data processor will also be included in the DPA such as:

  • Following the controller’s instructions
  • Keeping data confidential and secure
  • Data breach notifications
  • Ensuring compliance from all parties
  • Allowing controller audits

How to Draw Up a Data Processing Agreement?

The controller often draws up the DPA to make sure the processor handles the controller’s data properly, but that doesn’t always have to be the case. There are benefits for a processor or even a sub-processor in bringing their own DPA.

If you can’t decide whether you’re a controller or processor, or need any assistance in drafting up a data processing agreement, contact Evisort here for assistance.
