What is a Data Processing Agreement and when do I need one?
Data Processing Agreements (DPAs) are required under the GDPR when data is transferred between a data controller and data processor. In this article, we set out an overview of the requirements and real-life case studies.
At Gerrish Legal, we want to remove the stress associated with DPAs for freelancers and small businesses, by breaking down any legal jargon. In collaboration with City Law School, here are some practical tips on why, when, and how to employ DPAs.
Is a Data Processing Agreement required and if so, when?
Article 28(3) of the GDPR states that:
Processing by a processor shall be governed by a contract … that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
So, what is a controller and what is a processor for GDPR purposes?
Article 4(7) of the GDPR states that a “controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Article 4(8) goes on to say that a “processor” is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
In other words, the controller is typically the business (which can be a company or freelancer) which owns and/or obtains and makes decisions about the personal data, and the processor is the party appointed by the controller to process it on its behalf, and subject to the controller’s instructions.
At some point, most businesses will have to share personal data with a third party, such as suppliers providing a variety of services (cloud infrastructure, SaaS, analytics, HR and payrolling services to name a few), and service providers may also receive personal data from their clients to process on their behalf. In this case, a DPA is required.
This will enable the controller to specify the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller, in compliance with the Article 28 requirements.
In such instances, it is essential for both controllers and processors of personal data to ensure that such data sharing activities are compliant with the GDPR and in particular the requirements of Article 28 – which set out the various security, technical and organisational measures which need to be in place when a controller shares data with a processor. Article 28(3) as referred to above requires specific elements to be included in the DPA to ensure compliance. These include:
Setting out details surrounding technical measures to ensure security and confidentiality of personal data
Rules around the appointment and use of other third party processors (sub-processors)
Rules surrounding transfer of personal data outside of the UK or European Union
Rules surrounding the confidentiality and obligations placed on staff processing data for the processor
Rules setting out how the processor can respond to any rights or requests raised by individuals regarding their personal data
Rules surrounding the process for handling any data breaches
The process for deletion and/or return of personal data to the controller at the end of the processing activities
The rights surrounding the ability to check the processor’s compliance with its obligations, such as the right to conduct audits
The liability of the parties, including any caps or insurance requirements.
When should a DPA be implemented?
Any organisation acting as a controller that shares personal data with a third party must have a DPA in place with all third parties acting as processors on their behalf, and the DPA should be concluded prior to any personal data processing taking place. Processing has a wide meaning under the GDPR, and this means sharing, transferring, uploading to any platforms or portals or sharing by email.
What are the risks of not implementing a DPA?
Real Life Case Studies -
The Societatea Energetică Electrica S.A case:
In 2022, The Romanian National Supervisory Authority completed an investigation of the operator Societatea Energetică Electrica S.A. in November 2022 and found a breach of Article 28 of the GDPR for the insufficient use of a DPA. The investigation was initiated following the transmission by the operator Societatea Energetica Electrica S.A. of a notification regarding the occurrence of a breach of the confidentiality of personal data, in relation to the provisions of the GDPR. The case resulted in a fine of EUR 5,000.
The Wens Experience SRL case:
After an investigation conducted regarding Wens Experience SRL a breach of Article 28 para. (2) of the GDPR was found. The company Wens Experience SRL, as a processor, was fined EUR 1,500 in 2022. The investigation was initiated following the transmission by the controller concerned of a notification of a personal data breach by its processor under the GDPR. The investigation found that the processor Wens Experience SRL recruited another processor to process data of the controller's employees without having received prior written, specific or general authorisation from the controller, in breach of Article 28(2) of the GDPR. (2) of the GDPR.
The Kolibri Image GbR case:
The Hamburg data protection authority fined a small mail order company, Kolibri Image, and asked it to pay an amount of 5000 Euros plus 250 Euros in fees due to the lack of a DPA.
The data protection authority stated that the obligation to conclude a DPA applies not only to the service provider (processor), but also to the client as the data controller.
From the above, we can see that a DPA therefore has 3 key benefits:
Enhances your cybersecurity awareness: No company wishes to tackle the risk of cybersecurity or data breach ignorance, the costs of data breaches or business downtime because of stolen or lost data. Implementing the GDPR into your organisation can help you establish a more security-conscious workflow.
Improves credibility, stability, and transparency: There are seven fundamental principles set out in Article 5 of the GDPR:
Lawfulness, fairness, and transparency
Purpose limitation
Data minimization
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
Therefore, demonstrating that your business can comply with these principles while dealing with data protection related matters reflects that you are reputable and trustworthy. GDPR compliance is increasingly becoming a necessary benchmark for service providers.
Without a strong, verifiable commitment to privacy, businesses can find themselves vulnerable to brand damage.
Legal security and compliance: Whether you are a controller or processor, compliance with the GDPR and the Article 28 DPA requirement is a legal obligation when you fall into the controller-processor relationship – whether you are a multi-national company, a small business or a freelancer. Following the applicable rules can give you legal security and avoid the risk of non-compliance sanctions in the event of a data breach, regulatory investigation or complaint raised by an individual regarding the handling of their data.
What are the pitfalls of a poorly drafted DPA?
Of course, having no DPA in place is clearly problematic but if a DPA is vaguely drafted or if elements required by the GDPR are missing, then this may cause significant confusion and complications for both parties.
Indeed, if a DPA is poorly drafted, it may create more harm than good. For example, if a party is unsure about what their obligations are and on what they are authorized to do, it can lead to significant issues if this agreement lacks clear solutions and clauses, certainly in the event of a data breach of data subject request.
Next steps
Do not hesitate to contact us to discuss the drafting of your DPA and for any related GDPR or privacy advice.
Article in collaboration with City Law School, drafted by:
Sarah Hafez
Harley Wallis
Mujhda Abed
Lubna Ahmad
Abdulaziz Osama Basha
January 2023