What is a GDPR Data Processing Agreement (DPA)?
Erez Greenberg| Dec 27, 2022
In 2016, the European Union (EU) approved the General Data Protection Regulation (GDPR), a legal framework that establishes guidelines for collecting and processing EU citizens’ personal information. Implemented two years later, the GDPR’s main goal is to increase individuals’ control and rights over their personal data by setting standards for accountability, security, and transparency in using private data.
Complying with the GDPR requires all companies operating in the EU to apply policies, processes, and practices for managing the personal data of customers, users, and employees. One of these practices is implementing a data processing agreement (DPA), a legally binding document regulating personal data processing for business purposes.
A data processing agreement (DPA) is a contract between a business (a data controller) and a service provider (a data processor), meant to ensure compliance with the GDPR. It stipulates the nature, purpose, and duration of data processing activities related to the main agreement between both sides.
What is a DPA under GDPR compliance?
According to article 28 of the GDPR, a DPA must be concluded when a company allows a service provider to process the personal data of its customers, users, or employees.
The DPA regulates under which conditions processing of personal data may take place, prohibits service providers from using the data for their own purposes, and ensures the protection of the data with appropriate measures.
Why do companies need a DPA?
Under the GDPR, signing a DPA is mandatory whenever a data controller (a company) engages a data processor (service provider).
Today, running a business without having personal data processed by a third-party service provider is virtually impossible. Typical business services requiring data processing include email providers, software-as-a-service solutions for payroll and HR functions, and data backup services. Signing a DPA with each third-party service provider allows data controllers to protect their users’, clients’, or employees’ personal data and ensures compliance with the law.
It’s important to note that a DPA is required any time a company processes individuals’ personal data in the EU via a third-party service provider – even if the company itself doesn’t have a legal entity in the EU. For example, if rollingstone.com uses an external quiz tool in its articles, it must sign a DPA with the company that provides the tool (a data processor), as some of its users are in the EU.
Does a DPA have to be a separate document?
There is no legal requirement stipulating that a DPA must be a separate document, which means that the data controller and data processor can integrate the DPA into a more comprehensive contract. However, due to the complexity of the topic, the DPA usually appears as an annex to the main agreement.
What should be included in a DPA agreement?
This part details the subject of the agreement; the scope, nature, and duration of data processing; and the type of data that will be processed. In addition, it defines the data subjects (customers, users, or employees), how and where data is stored, and under which conditions the contract can be terminated.
Data Controller Responsibilities
Data controllers are responsible for establishing a legal data process, ensuring the data subjects’ rights, collecting consent and requests from data subjects, issuing instructions about data processing, dictating how and where the processor handles and stores the data, and assigning employees as points of contact.
Data Processor Responsibilities
The DPA regulates the relationship between the data controller and the data processor, including detailing the responsibilities of the data processor. Chief among these responsibilities are:
- Maintaining adequate information security
- Keeping records of all processing activities
- Processing data subjects’ requests
- Providing opportunities for audits
- Reporting data breaches as soon as they become aware of them
- Cooperating with authorities in the event of an inquiry
- Deleting or returning all personal data at the end of the contract
Technical and Organizational Measures
This section outlines the technical and organizational measures that will be taken to protect the data subjects’ personal information, facilitate compliance, and eliminate data breaches. These measures include cybersecurity systems, encryption and pseudonymization, appropriate disposal policies, access rights, employee training, audits, reviews, and more. Given the complexity of some of the measures, it’s recommended to detail them in a separate annex to the agreement.
If a processor intends to use sub-processors – service providers that process data on behalf of the processor – a section reviewing sub-contractual relationships must be part of the DPA. It’s important to note that the data processor must receive written consent from the controller to utilize each sub-processor.
Once the controller approves the sub-processors, the processor needs to provide an agreement with the sub-processor, imposing the requirements of a DPA under GDPR compliance. Listing the sub-processors in a separate annex to the contract is recommended.
The final clauses should state that the DPA supersedes any other contracts between the data controller and the data processor, and that both parties must accept any changes to the DPA.
The most common annexes to a DPA are technical and organizational measures, and a list of sub-processors.
Who constitutes a data controller?
The defining attribute of a data controller is decision-making power. The data controller is the organization that determines the purposes for which personal data is processed, what type of data is processed, and how the data is processed. Ultimately, the data controller is responsible for protecting the privacy and rights of the data’s subject.
Who constitutes a data processor?
A data processor is a third-party service provider that processes personal data on behalf of a data controller. The data processor does not control the data that it processes, and is bound by the instructions it receives from the data controller. While data processors do not have the same level of compliance responsibilities, they are obligated to take the necessary measures to ensure that personal data is processed in line with the GDPR.
What is an inter-company DPA?
Since Papaya has entities globally (US, Netherlands, Australia, etc) and it provides its services through these entities, which participate in processing personal information. The entities are not 3rd parties, but sub-processors within the Papaya company group and are part of the data processor’s network.
In cases like these, since the GDPR does not recognize separate companies as one legal entity, the data controller and data processor sign an inter-company DPA. Like any other DPA, it outlines the responsibilities of the data processor and ensures all the entities in the data processor’s network meet GDPR standards.
DPA: important resources
- ICO: What needs to be included in a DPA
- European Union: Example of a data processing agreement
- UK Gov: Approval standards and guidelines: engaging a data processor
- European Union: GDPR
- UN Law: GDPR personal data
What measures should be taken in case of a data breach?
According to article 33 of the GDPR, if a data breach occurs, the company whose data was compromised must notify a Data Protection Authority within 72 hours of becoming aware of the breach.
If the breach poses a high risk to the individuals whose data was exposed, the organization must notify them as well. However, having specific technical and organizational measures in place may deem this notification unnecessary.
If a data processor becomes aware of the breach first, it must inform the data controller and cooperate with the relevant Data Protection Authority.
What are the penalties for failing to comply with GDPR?
Failing to comply with GDPR may result in the following penalties:
- A formal reprimand
- A temporary or permanent ban on data processing
- Lower-tier fines (for lower-level GDPR violations) of up to €10 million or 2% of the company’s total global turnover of the preceding fiscal year, whichever is higher.
- Higher-tier fines (for especially severe violations) of up to €20 million or 4% of the company’s total global turnover of the preceding fiscal year, whichever is higher.
The three largest GDPR non-compliance penalties to date were issued to Amazon (€746 million), WhatsApp (€225 million), and Google (€150 million).
How to become DPA compliant
- Consult with a Data Protection Authority
Data Protection Authorities are independent public authorities appointed to implement and enforce data protection laws, and offer guidance and advice to companies on all data protection matters – including data protection agreements.
- Work with professionals
Whether you’re employing an email provider, a software-as-a-service solution for payroll and HR functions, or a data backup service – they must meet the highest standards for data security. That includes responding quickly to personal data requests, providing opportunities for audits, and having in-house experts who can answer every compliance-related question.
This is highly important once you are working with sensitive data such as employee data, and payroll payments. Here is a guide for the full requirements of keeping payroll security measures.
- Make sure your software meets ISO and SOC requirements
ISO (International Organization for Standardization) is the highest standard for information security, providing the framework for identifying information security risks. ISO 27001 is the world’s best-known standard for information security management systems (ISMS) and their requirements. Additional best practices in data protection and cyber resilience are covered by more than a dozen standards in the ISO 27000 family.
SOC (System and Organization Controls) is a suite of reports published by the American Institute of Certified Public Accountants (AICPA). The main SOC report relevant to data security, processing integrity, confidentiality, and privacy is SOC 2.
- Manage your data correctly
Managing your data correctly means using the strictest data security measures (end-to-end encryption, network segregation, secure data transfer), physical security measures (role-based access control, biometric access, security cameras), and smart network security (firewall protection, extensive monitoring via AWS tower).
Professional Data Protection
Here at Papaya Global, we pride ourselves on having the highest standards for the most sensitive data. Our cloud-based solutions protect personal information by meeting every standard set by GDPR, and our in-house privacy team provides guidance on all data protection matters.
Is a data processing agreement necessary?
Yes. If your company is subject to the GDPR, you must have a DPA in place with all your data processors.
When is a data processing agreement required?
Under the GDPR, a DPA is required whenever a company processes individuals’ personal data in the EU via a third-party service provider.
Can you delete customer data under GDPR?
Yes. According to article 17 of the GDPR, customers have the right to demand the erasure of their personal data from controllers, known as “the right to be forgotten.” The right to be forgotten applies if the customer’s data was processed unlawfully, if it’s no longer necessary for the purpose of the processing, or if the customer withdraws their consent.
Are employee personal records considered private data?
Yes. An employee personnel file contains private information, such as salary, bank account details, and, in some cases, medical conditions. It is considered confidential information that requires special protection.
Who is responsible for the data processing agreement?
As the controller is responsible for ensuring the data subjects’ rights and the protection of personal information, it is also responsible for making sure a legally binding DPA is in place.
Does GDPR require a data processing agreement?
Yes. According to article 28 of the GDPR, the processing of personal data must be governed by a contract that “sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects.”