On the third anniversary of the General Data Protection Regulation, Cooley launched a series of webinars focused on the GDPR.
A data processing agreement (DPA) is used by controllers and processors to formalize their data processing arrangements as required by the GDPR. Our third webinar covers what we believe are the 10 most important considerations for organizations when it comes to DPAs.
#1: What is a DPA?
A DPA is a binding contract between the controller and processor that details the data processing arrangements between the parties and is required by Article 28 of the GDPR. A processor that subcontracts the data processing has an additional obligation: it must flow down the data processing terms it has in place with the controller into its agreements with the sub-processors.
A DPA is usually a standalone document, but it can be included as an addendum to a business contract.
#2: Whose responsibility is it to ensure that a Controller to Processor (C2P) DPA is put in place?
The European Data Protection Board makes clear that it is an obligation on both controllers and processors to put a DPA in place, and the guidelines for controllers and processors specify that supervisory authorities can impose fines if the processors and controllers fail to have a DPA.
#3: Is there a standard form of C2P DPA?
The European Commission has published a new set of standard contractual clauses (SCCs) that in effect function as a DPA template, but their use is not mandatory. Organizations wanting to use them may find that they need to supplement them with additional commercial terms.
#4: What is “market” in terms of limitations on liability under C2P DPAs?
Unfortunately, there is no one-size-fits-all approach to liability clauses. The market is not mature enough, which is probably why it is typical to see a mix of unlimited liability clauses, regular caps, super caps set at a specific figure or a multiple, and indemnities (e.g., in the case of data breaches).
#5: What (if any) obligations should controllers be subject to under C2P DPAs?
Although most of the obligations under DPAs fall on processors, it is common to see obligations on data controllers as well, for example, to issue instructions that comply with the GDPR. If the nature of the processing activity involves access to the controller’s systems, it is important to include an obligation that the controller maintains adequate security measures and to make clear who is responsible for putting those security measures in place.
#6: How much detail should be included with respect to the processor’s security requirements in a C2P DPA?
The security measures need to be described in detail to allow the controller to assess whether they are accurate. Processors can’t make any changes to the security measures without the controller’s approval.
#7: How can processors better streamline the engagement of sub-processors under DPAs?
To better streamline the engagement of sub-processors, it is recommended that processors maintain a template DPA and flow down the data obligations from the controller DPA to the sub-processors, as it is critical that the obligations under both DPAs are aligned.
#8: How can processors limit the potential cost of compliance with audit requirements under DPAs?
The GDPR gives controllers the right to carry out audits to check if the processor is complying with its obligations. One way of narrowing this requirement as a processor is to provide the controller with the processor’s audit reports or certificates showing its compliance with, for example, the agreed-upon security measures.
#9: What does a processor need to do in the event of a personal data breach?
In the event of a personal data breach, processors need to notify controllers without undue delay and provide information needed for the controllers to assess whether to notify the competent supervisory authority about the breach.
#10: What effect (if any) has Brexit had on the drafting of DPAs?
We now have two legal frameworks for the processing of personal data: the EU GDPR and the UK GDPR. As such, when drafting the DPA, both frameworks need to be taken into consideration.