In this series of blog posts, we will delve deeper into data processing agreements (DPAs) and the elements companies need to consider when drafting or reviewing them. In our first blog post, we will showcase the essential elements a DPA needs to include according to the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP). In the second blog post, we will discuss typical clauses and pitfalls and show you how to formulate useful additions to your DPA.
A DPA is crucial for ensuring compliance with data protection regulations. It establishes the terms and conditions when sharing personal data with external service providers, ensures data security and clarifies responsibilities in the processing of personal data.
When do I need a DPA?
Adopting a DPA is necessary whenever a company engages a service provider to process personal data on its behalf. In simple terms, every time a company engages another company for data processing purposes on its behalf (e.g. when personal data is transferred to a service provider), a DPA or an equivalent contractual arrangement is usually needed for data protection compliance.
In this sense, the primary objective of a DPA is to set out the basis on which data is shared and to provide concrete assurances regarding the implementation of robust technical and organizational measures.
Typical examples of service providers whose use requires a DPA are:
- Software as a Service solutions (SaaS) such as marketing, newsletter, or accounting tools;
- Cloud-based CRM tools and hosting services;
- External payroll and customer service centers;
- External maintenance of servers and computers;
- External agencies in sales, marketing or HR if they have access to your company’s personal data.
You typically do not need a DPA under the following circumstances:
- Working with professionals bound to confidentiality by law such as lawyers, auditors, and external company doctors;
- Engaging debt collection agencies by assigning the debts to them;
- Using banking service providers for money transfers or postal services for the transport of letters or goods.
Types of relationships regulated under a DPA
It is important to understand the types of relationships that can be regulated under a DPA, and the different roles companies can take when sharing personal data with third parties. DPAs can basically regulate two types of relationships:
- Controller – processor relationship: This relationship arises when a company (the controller) engages a third-party service provider (the processor) to handle data processing activities on its behalf and in accordance with its instructions, for instance, if a company outsources its payroll processing to an external service provider.
- Processor – sub-processor relationship: In some cases, a processor may engage another entity or company (sub-processor) to assist in data processing activities. For example, a cloud hosting service (processor) might use a third-party data backup service (sub-processor).
Essential components of DPAs
The following section will outline the specific components that a GDPR- and FADP-compliant DPA needs to include.
Binding the processor to details
One of the fundamental aspects of a DPA is its role in binding the (sub-)processor to specific conditions regarding data processing. In this sense, both the GDPR and the FADP define a core set of mandatory elements that need to be included in an arrangement between the controller and the processor.
Starting with the GDPR, you need to include the following topics in your DPA:
- The subject matter and duration of the processing, the nature and purpose of the processing;
- The types of personal data involved, and the categories of data subjects affected;
- The rights and obligations of the controller, including that the processor shall only process personal data on documented instructions from the controller and that persons authorised to process the personal data are under a duty of confidentiality;
- The technical and organisational measures adopted to ensure the security and integrity of the personal data;
- The fact that the processor shall not engage another (sub-)processor without the prior specific or general written authorisation of the controller;
- The processor shall assist the controller in responding to requests for exercising data subjects’ rights, as well as in ensuring the security of the personal data and meeting the notification requirements for data breaches;
- That, at the choice of the controller, the processor shall delete or return all the personal data at the end of the services related to the processing;
- The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations derived from data protection law, as well as allow audits from the controller.
These elements serve as cornerstones in establishing transparency and accountability between the data controller and the (sub-)processor. They set clear expectations and limits on how personal data should be handled, ensuring that it is only used for its intended purpose and within defined parameters.
It is also important to bear in mind that under the FADP, unlike under the GDPR, a formal DPA is not mandatory. That being the case, controllers and processors have more freedom in determining the content of the clauses that will regulate their data processing activities. The FADP demands, however, that at a minimum the parties involved determine:
- The personal data that is to be processed;
- Notification procedures (especially in regard to data breaches);
- Sub-processing-related clauses; and
- Technical and organisational measures adopted to ensure the security of personal data.
Besides this necessary content, we want to highlight the following important parts of a DPA, as they are usually the subject of extensive negotiation between controllers and processors.
Contact with data subjects and supervisory authorities
DPAs should outline the handling of data subjects’ requests, as well as the cooperation with supervisory authorities in the event of data breaches or investigations.
Usually, only the controller is bound to respond to data subjects and supervisory authorities. That being the case, the DPA shall clearly define that the processor shall not respond directly to either, and that it shall inform the controller within a determined deadline if it receives such a request or notification (good practice here is 24 to 48 hours). Lastly, the DPA shall also enshrine that, in case of data breaches, the processor shall cooperate with the controller so that the controller can fulfil its obligations towards data subjects and the authorities.
In practice, this means that the DPA should specify the contact points and timeframes for responding to data subject requests, as well as the reporting mechanisms and timelines for notifying authorities of data breaches.
Ensuring equivalent protection in sub-processor relationships
Sub-processing relationships can introduce additional complexities and risks, making it essential to establish a clear framework. Without these added safeguards, personal data may be at risk of inadequate protection when passed to sub-processors.
In that sense, these are the main points to take into consideration:
- A processor shall only engage a sub-processor with written authorisation from the controller. This can be done on a case-by-case basis or through a prior general authorisation in the DPA. If a general authorisation is adopted, the processor shall nonetheless inform the controller should it intend to change any of its sub-processors, thus giving the controller the opportunity to object to such changes;
- When engaging a sub-processor, the same data protection obligations as set out in the DPA with the controller, as well as the applicable data protection laws, shall be imposed on the sub-processor.
It is also important to bear in mind that in sub-processing scenarios, the processor remains fully liable to the controller for the sub-processor’s failure to comply with its obligations.
This way, data protection laws guarantee that data remains consistently safeguarded throughout the entire processing chain. It prevents any weakening of data protection standards when involving additional parties in the data processing workflow.
Third country transfers
In the realm of international personal data transfers, it’s imperative for companies to understand that personal data can only be transferred to third countries (countries outside the EU/EEA or Switzerland respectively) under specific circumstances outlined in both the GDPR and the FADP.
Thus, when considering a service provider located in a third country, the first step is to determine whether a so-called adequacy decision exists. Such a decision means that the data protection standards in the receiving country are deemed equivalent to those within the EU or Switzerland, ensuring an adequate level of protection and a free flow of data. Prominent examples of such countries are the USA (at the moment, from an EU/GDPR perspective only), Canada (only in relation to the private sector), Israel, and the United Kingdom.
However, where no such adequacy decision exists, companies need to adopt standard contractual clauses as an annex to the DPA. These contractual clauses, provided by the EU Commission and accepted by the Swiss authorities, serve as safeguards to guarantee that the transferred data receives a level of protection equivalent to that within the EU and Switzerland. It is also important to bind processors to include these clauses in their DPAs with their sub-processors in order to ensure adequate protection throughout the processing chain.
In conclusion, using and understanding DPAs correctly is a key step towards data protection compliance when working with external service providers. By understanding these fundamental elements of DPAs, businesses can establish a robust framework for secure data sharing:
- DPAs should be adopted whenever a company engages another company for data processing purposes on its behalf;
- In a DPA, binding the processor to specific conditions is fundamental. This includes outlining the subject matter, duration, types of personal data, and security measures for processing;
- DPAs should also regulate the contact with data subjects and regulatory authorities as well as shared responsibilities;
- Sub-processing relationships introduce additional complexities and risks. Check that the same data protection obligations are imposed on sub-processors as on processors;
- Third-country transfers necessitate a careful approach. Personal data can only be transferred to third countries outside the EU/EEA under specific terms outlined in the GDPR and FADP.
In the second blog post of this series, we will delve deeper into specific additional clauses that can be included in DPAs that are particularly important for tech companies, such as data ownership, audit rights, and liability regimes.
Please don’t hesitate to book a free call with our experts to learn more about our data protection services!