Requirements for GDPR Data Processing Agreement

by Sarah Harvey / March 14th, 2019

The GDPR has quickly reshaped attitudes towards data privacy around the world and has given EU data subjects more autonomy over how their data is used than ever before. Personal data increasingly flows between organizations because most businesses partner outsource some aspect of their business functions, creating webs of responsibility and oversight.

However, with many ambiguous requirements for data controllers, processors, and sub-processors, entities might still have questions about certain requirements under the law, such as what must be included in a data processing agreement (DPA). These data processing agreements are critical to ensuring the privacy of data subjects’ personal data.

Let’s review what a DPA is, what needs to be included in a DPA, and examples of DPA clauses.

What is the Data Processing Agreement for GDPR?

Article 28(3) of GDPR requires that controllers, processors, and sub-processors must enter into written contracts, or data processing agreements, in order to share personal data. Data Processing Agreements (DPAs) establish roles and responsibilities for controllers, processors, and sub-processors, and create liability limitations.

Essentially, a DPA is a form of assurance that the processor or sub-processor performs their due diligence to ensure the privacy of personal data. For instance, if a controller and processor enter into a DPA and the processor experiences a breach, then the DPA would potentially limit the controller’s liability for breaches.

Data Processing Agreement Requirements

What needs to be included in a DPA? GDPR is very prescriptive when it comes to DPA requirements. Article 28(3) states that DPA’s must include specific details regarding the processing of personal data, including:

The subject matter of processing
The duration of the processing
The nature and purpose of the processing
The type of personal data involved
The categories of data subject
The controller’s obligations and rights

Additionally, DPAs must include specific requirements for processors:

The processor must only act on the controller’s documented instructions unless required by law.
The processor must ensure that people processing the data are subject to a duty of confidence. This can be accomplished through employee confidentiality agreements or acceptable use policies.
The processor must take appropriate measures to ensure the security of processing. This can be accomplished through third-party audit reports or information security questionnaires.
The processor must only engage with a sub-processor with the controller’s prior authorization and under a written contract.
The processor must take appropriate measures to help the controller respond to request from individuals to exercise their rights. This can be accomplished through features within software applications or through manual processes.
Taking into account the nature of processing and the information available, the processor must assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches, and data protection impact assessments. Contracts should specify the type of information and timeframes required for breach notification.
The processor must delete or return all personal data to the controller at the end of the contract, and the processor must also delete existing personal data unless the law requires its storage.
The processor must submit to audits and inspections. The processor must also give the controller whatever information it needs to ensure they are both meeting their Article 28 obligations. GDPR is unclear regarding the extent to which controllers can exercise their audit rights so your contract should be specific about the nature of audit rights (frequency, type of audit, cost).

Examples of GPDR Data Processing Agreement Clauses

Whether you’re a controller entering into a DPA with a processor, or you’re a processor engaging with a sub-processor, ensuring that the specific wording of your DPAs meets these requirements may seem challenging. Fortunately, the European Commission has published model clause examples for controllers, processors, and sub-processors to reference. While these clauses are designed for international data transfers, standard clause language that’s been approved by the EU is used, which allows organizations to have access to real contract language that adheres to the requirements of Article 28.

Additionally, as many data controllers work with more than one processor or sub-processor, creating a new DPA for each partnership is daunting. This is why many service providers, such as Amazon Web Services and SalesForce, have made their DPAs publicly available online for controllers to use.

While the GDPR enforcement deadline has now passed, it’s never too late to start your compliance efforts. Have questions about creating a DPA? Want to learn more about how KirkpatrickPrice can help you achieve your GDPR compliance objectives? Contact us today.