What is a GDPR Data Processing Agreement (DPA)?

In 2016, the European Union (EU) approved the General Data Protection Regulation (GDPR), a legal framework that establishes guidelines for collecting and processing EU citizens’ personal information. Implemented two years later, the GDPR’s main goal is to increase individuals’ control and rights over their personal data by setting standards for accountability, security, and transparency in using private data.

Complying with the GDPR requires all companies operating in the EU to apply policies, processes, and practices for managing the personal data of customers, users, and employees. One of these practices is implementing a data processing agreement (DPA), a legally binding document regulating personal data processing for business purposes.

A data processing agreement (DPA) is a contract between a business (a data controller) and a service provider (a data processor), meant to ensure compliance with the GDPR. It stipulates the nature, purpose, and duration of data processing activities related to the main agreement between both sides.

What is a DPA under GDPR compliance?

According to article 28 of the GDPR, a DPA must be concluded when a company allows a service provider to process the personal data of its customers, users, or employees.

The DPA regulates under which conditions processing of personal data may take place, prohibits service providers from using the data for their own purposes, and ensures the protection of the data with appropriate measures.

Why do companies need a DPA?

Under the GDPR, signing a DPA is mandatory whenever a data controller (a company) engages a data processor (service provider).

Today, running a business without having personal data processed by a third-party service provider is virtually impossible. Typical business services requiring data processing include email providers, software-as-a-service solutions for payroll and HR functions, and data backup services. Signing a DPA with each third-party service provider allows data controllers to protect their users’, clients’, or employees’ personal data and ensures compliance with the law.

It’s important to note that a DPA is required any time a company processes individuals’ personal data in the EU via a third-party service provider – even if the company itself doesn’t have a legal entity in the EU. For example, if rollingstone.com uses an external quiz tool in its articles, it must sign a DPA with the company that provides the tool (a data processor), as some of its users are in the EU.

Does a DPA have to be a separate document?

There is no legal requirement stipulating that a DPA must be a separate document, which means that the data controller and data processor can integrate the DPA into a more comprehensive contract. However, due to the complexity of the topic, the DPA usually appears as an annex to the main agreement.

What should be included in a DPA agreement?

General Clauses

This part details the subject of the agreement; the scope, nature, and duration of data processing; and the type of data that will be processed. In addition, it defines the data subjects (customers, users, or employees), how and where data is stored, and under which conditions the contract can be terminated.

Data Controller Responsibilities

Data controllers are responsible for establishing a legal data process, ensuring the data subjects’ rights, collecting consent and requests from data subjects, issuing instructions about data processing, dictating how and where the processor handles and stores the data, and assigning employees as points of contact.

Data Processor Responsibilities

The DPA regulates the relationship between the data controller and the data processor, including detailing the responsibilities of the data processor. Chief among these responsibilities are:

• Maintaining adequate information security
• Keeping records of all processing activities
• Processing data subjects’ requests
• Providing opportunities for audits
• Reporting data breaches as soon as they become aware of them
• Cooperating with authorities in the event of an inquiry
• Deleting or returning all personal data at the end of the contract

Technical and Organizational Measures

This section outlines the technical and organizational measures that will be taken to protect the data subjects’ personal information, facilitate compliance, and eliminate data breaches. These measures include cybersecurity systems, encryption and pseudonymization, appropriate disposal policies, access rights, employee training, audits, reviews, and more. Given the complexity of some of the measures, it’s recommended to detail them in a separate annex to the agreement.

Sub-contractual Responsibilities

If a processor intends to use sub-processors – service providers that process data on behalf of the processor – a section reviewing sub-contractual relationships must be part of the DPA. It’s important to note that the data processor must receive written consent from the controller to utilize each sub-processor.

Once the controller approves the sub-processors, the processor needs to provide an agreement with the sub-processor, imposing the requirements of a DPA under GDPR compliance. Listing the sub-processors in a separate annex to the contract is recommended.

Final Clauses

The final clauses should state that the DPA supersedes any other contracts between the data controller and the data processor, and that both parties must accept any changes to the DPA.

Annexes

The most common annexes to a DPA are technical and organizational measures, and a list of sub-processors.

Who constitutes a data controller? 

The defining attribute of a data controller is decision-making power. The data controller is the organization that determines the purposes for which personal data is processed, what type of data is processed, and how the data is processed. Ultimately, the data controller is responsible for protecting the privacy and rights of the data’s subject.

Who constitutes a data processor?

A data processor is a third-party service provider that processes personal data on behalf of a data controller. The data processor does not control the data that it processes, and is bound by the instructions it receives from the data controller. While data processors do not have the same level of compliance responsibilities, they are obligated to take the necessary measures to ensure that personal data is processed in line with the GDPR.

What is an inter-company DPA? 

Since Papaya has entities globally (US, Netherlands, Australia, etc) and it provides its services through these entities, which participate in processing personal information. The entities are not 3^rd parties, but sub-processors within the Papaya company group and are part of the data processor’s network.

In cases like these, since the GDPR does not recognize separate companies as one legal entity, the data controller and data processor sign an inter-company DPA. Like any other DPA, it outlines the responsibilities of the data processor and ensures all the entities in the data processor’s network meet GDPR standards.

DPA: important resources

• ICO: What needs to be included in a DPA
• European Union: Example of a data processing agreement
• UK Gov: Approval standards and guidelines: engaging a data processor
• European Union: GDPR
• UN Law: GDPR personal data

What measures should be taken in case of a data breach? 

According to article 33 of the GDPR, if a data breach occurs, the company whose data was compromised must notify a Data Protection Authority within 72 hours of becoming aware of the breach.

If the breach poses a high risk to the individuals whose data was exposed, the organization must notify them as well. However, having specific technical and organizational measures in place may deem this notification unnecessary.

If a data processor becomes aware of the breach first, it must inform the data controller and cooperate with the relevant Data Protection Authority.

What are the penalties for failing to comply with GDPR? 

Failing to comply with GDPR may result in the following penalties:

• A formal reprimand
• A temporary or permanent ban on data processing
• Lower-tier fines (for lower-level GDPR violations) of up to €10 million or 2% of the company’s total global turnover of the preceding fiscal year, whichever is higher.
• Higher-tier fines (for especially severe violations) of up to €20 million or 4% of the company’s total global turnover of the preceding fiscal year, whichever is higher.

The three largest GDPR non-compliance penalties to date were issued to Amazon (€746 million), WhatsApp (€225 million), and Google (€150 million).

How to become DPA compliant

1. Consult with a Data Protection Authority
   Data Protection Authorities are independent public authorities appointed to implement and enforce data protection laws, and offer guidance and advice to companies on all data protection matters – including data protection agreements.
2. Work with professionals
   Whether you’re employing an email provider, a software-as-a-service solution for payroll and HR functions, or a data backup service – they must meet the highest standards for data security. That includes responding quickly to personal data requests, providing opportunities for audits, and having in-house experts who can answer every compliance-related question.
   This is highly important once you are working with sensitive data such as employee data, and payroll payments. Here is a guide for the full requirements of keeping payroll security measures.
3. Make sure your software meets ISO and SOC requirements
   ISO (International Organization for Standardization) is the highest standard for information security, providing the framework for identifying information security risks. ISO 27001 is the world’s best-known standard for information security management systems (ISMS) and their requirements. Additional best practices in data protection and cyber resilience are covered by more than a dozen standards in the ISO 27000 family.
   SOC (System and Organization Controls) is a suite of reports published by the American Institute of Certified Public Accountants (AICPA). The main SOC report relevant to data security, processing integrity, confidentiality, and privacy is SOC 2.
4. Manage your data correctly
   Managing your data correctly means using the strictest data security measures (end-to-end encryption, network segregation, secure data transfer), physical security measures (role-based access control, biometric access, security cameras), and smart network security (firewall protection, extensive monitoring via AWS tower).

Professional Data Protection

Here at Papaya Global, we pride ourselves on having the highest standards for the most sensitive data. Our cloud-based solutions protect personal information by meeting every standard set by GDPR, and our in-house privacy team provides guidance on all data protection matters.