Before we get started, here are definitions of some keywords and phrases that appear throughout the article. It is helpful to understand them from the get-go.
| Term | Definition |
|---|---|
| Data subject | The person whose data is processed. Most often, these are your customers. |
| Data controller | This is your company: the party that decides what data to process, how it will be processed, and why it is processed. |
| Data processor | A third party that processes personal data on behalf of a data controller. For example, when your HR department does a background check on a prospective employee, you may hire another company or service to do it for you. They would be a data processor, and your company must have a data processing agreement with them. |
| Personal data | Data held on a person that can lead to them being directly or indirectly identified. This includes data such as name, address, location, email, phone number, ethnicity, gender, biometric data, and web cookies. |
| Data processing | Any action or operation performed on personal data, whether through automated means or not. For example, this includes collecting, storing, altering, consulting, organizing, or erasing it. |
| Third party | Any person that is not a data subject, data controller, or data processor. |
What is a Data Processing Agreement?
The foundation of data processing is that personal data must be processed with the consent of the data subject or through some other legitimate and lawful basis. This is a legal requirement under the General Data Protection Regulation (GDPR); see in particular Recital 40. The data processing agreement establishes that foundation and allows companies to process a data subject’s information lawfully through third-party processors. In other words, the data processing agreement is used to cement the processing of personal data by third parties on behalf of your business. Under the GDPR, your business must have a separate data processing agreement with each data processor. These agreements must be in written form and agreed to by both parties.
Processing has a wider meaning within the GDPR, and it includes any possible action that can be taken with a data subject’s personal data. For example, collecting it, selling it, storing it, or destroying it.
Data processing agreements are legally binding contracts and state the rights and responsibilities of both parties to the contract concerning the use and processing of personal data.
Where your company requires a processor, you should ensure that the processor is GDPR compliant and should audit it. The data processing agreement should set out all of your rights and responsibilities.
When Can You Process Personal Data?
By default, a person, business, or processor may not process personal data. To do so lawfully, the processing must fall within one of the legal bases listed under Article 6 GDPR. These are as follows:
- The data subject gives you unambiguous consent to process their data.
- Data processing is mandatory for the performance of a contract to which the data subject is a party. Alternatively, processing can be done where it is necessary to take steps at the data subject’s request before entering into such a contract.
- Processing the data is necessary to comply with a legal obligation to which your company is subject.
- It is necessary to protect the vital interests (to save their life) of the data subject or another natural person.
- Processing is necessary to carry out a task of public interest or to carry out an official function that your company holds.
- It is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, particularly where the data subject is a child.
Principles of Data Processing
While many countries have their own set of data processing principles, there are common principles shared between many nations.
The data controller (your company) is accountable for the data that you or your processor process. This means your company must be able to demonstrate that it is GDPR compliant. You can do so by maintaining detailed documentation of all data that you collect and process, including its storage and purpose. Additionally, staff members should be trained on data protection and GDPR compliance, which allows the company to delegate more responsibility for data protection to employees. Alternatively, the company can designate a Data Protection Officer, although this is not always required. Finally, and most importantly, you must have data processing agreements in place with all third parties that you contract to process data.
Data to be processed or data that is being processed should be kept up to date and accurate. Unnecessary data should be erased, and incorrect data must be corrected as soon as it is identified. Where a data subject makes you aware of any change to their data or makes you aware that data kept about them is incorrect, then your company has the duty to update such information that you hold on them to ensure the correctness of the data.
Fairness and Lawfulness
Primarily, data processing should be fair and lawful – this mostly requires that the data subject is fully aware of their data being processed (also for what purpose it is being processed) and that the data is processed with their consent. Additionally, data processing should be in line with any national and international laws or customs so as not to render the processing of data unfair. The GDPR specifically states that data processing is only lawful where it fits one of the instances listed under Article 6.
Consent has to be freely given, specific to that circumstance, and informed and unambiguous. Similarly, requests that your company sends to data subjects to obtain their consent must be written in clear and plain language. Such requests must also be separate and distinguishable from other matters. Where you obtain consent from a data subject, your company should keep documentary evidence of it. Where a data subject later wants to withdraw their consent, they are free to do so and you must stop processing their data immediately. Finally, children are unable to give consent by themselves – if they are below 13 years of age, they must have a parent or guardian’s permission to give consent.
When data is to be processed, the purpose of the processing must be communicated clearly to the data subject. As part of this, the data controller must ensure that the data is relevant to the purpose for which it is processed. Additionally, data processing should be limited so that data is only processed where necessary for the purpose of its collection. Time is also a key component of relevance, as information can become less or more relevant over time. Therefore, your company must only keep and process the information for as long as it remains relevant to its purpose. To ensure that data is only kept and processed for as long as necessary, the data controller should establish set time limits, after which data should be deleted, rectified, or archived. This time limit should be reviewed periodically so that it remains an adequate period.
Data should be processed and stored with adequate security so that it is not misused or processed improperly. The security should be sufficient to preserve the data subject’s confidentiality and anonymity. Additionally, personal data deserves further protection so that it is kept safe from unauthorized access or use. Risks to data security arise from accidental or intentional unauthorized modification, erasure, or disclosure of data.
Before implementing data security features, your company should consider the current status of data security within your company and its processors. For example, a primary consideration should be the number of people that have access to the data – the people with access should be limited to only those who are necessary to the processing or storing of data. Additionally, the data should be stored in a safe location with both physical and digital security measures implemented.
This principle ties in with fairness, as data processing generally has to be transparent to be fair and lawful. Any data that is being processed, and information concerning the processing of personal data, should be accessible to the data subject or anyone they nominate to access such data. The information should be presented in a manner that is easy to understand, meaning that it is laid out clearly and written plainly. Particular information to be conveyed to the data subject includes, but is not limited to:
- Identity of the data controller
- Information contained on the data subject
- Information to be processed
- How the processing will take place
- The data subject’s ability to request information that is held on them
- The data subject’s ability to stop the processing
- Relevant rules, rights, and safeguards concerning the process of their data
What to Include in a Data Processing Agreement?
Article 28(3) GDPR details 8 things that must be included within a data processing agreement. Outside of the requirements below, the rest of the data processing agreement is free to be drafted as your company wishes.
- The processor must only process the data when they receive documented instructions from the controller.
- Persons who have authority to access the data must be committed to confidentiality or must be under statutory obligation to maintain confidentiality.
- Appropriate organizational and technical measures must be taken to protect the security of the data.
- According to sections 2 and 4 of Article 28, the data processing must not be subcontracted out to another processor without the explicit instruction of the data controller. Where it is subcontracted upon instruction, a data processing agreement must be signed by that data processor.
- The processor should help the data controller by taking appropriate technical and organizational measures for the fulfillment of the controller’s obligations under the GDPR.
- The processor must help the data controller maintain GDPR compliance with Article 32 (security in processing) and Article 36 (consulting the data protection authority before undertaking high-risk processing).
- The processor must delete or return all personal data where the agreement to process personal data is terminated.
- The processor must make available to the controller all information required to prove compliance with the GDPR. Additionally, the processor must allow the controller to conduct an audit on the processor.
Example Data Processing Agreements/Privacy Policies
Here, you will find links to the data processing agreements of both larger and smaller companies. Use these to find examples of the main clauses, and to consider any extra clauses they have included that could apply to your business. While most of these are agreements between the company and its customers rather than with a processor, the clauses are similar to those in agreements made with processors, so they are a good source of inspiration.
| Company | Sector/Industry | Data Processing Agreement |
|---|---|---|
| | Technology | Find it here. |
| Apple | Technology | Find it here. |
| Harmonize | Chat-based Human Resources Software | Find it here. |
| Hrvey | Human Resources | Find it here. |
| Penguin Random House | Book Publishing | Find it here. |
| Linklaters | Solicitors | Find it here. |
Every company has a slightly different data processing agreement; however, they all stem from a similar template and contain substantially similar clauses. Below, you will find a sample template for a data protection agreement.
Data Protection Agreement Template
The following template has been provided by Proton Technologies as part of its reporting on the General Data Protection Regulation (GDPR). While the template is a good example on which to base your data protection agreement, it will not cover everything that your company may wish to include, so you should take independent legal advice to ensure that the company covers all bases.
This Data Processing Agreement (“Agreement“) forms part of the Contract for
Services (“Principal Agreement“) between
(the “Company”) and
(the “Data Processor”)
(together as the “Parties”)
(A) The Company acts as a Data Controller.
(B) The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework concerning data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons about the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
(D) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
- Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1 “Agreement” means this Data Processing Agreement and all Schedules;
1.1.2 “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Company according to or in connection with the Principal Agreement;
1.1.3 “Contracted Processor” means a Subprocessor;
1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.5 “EEA” means the European Economic Area;
1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.8 “Data Transfer” means:
1.1.8.1 a transfer of Company Personal Data from the Company to a Contracted Processor; or
1.1.8.2 an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
1.1.9 “Services” means the __________________ services the Company provides.
1.1.10 “Subprocessor” means any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Company in connection with the Agreement.
1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
- Processing of Company Personal Data
2.1 Processor shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
2.1.2 not Process Company Personal Data other than on the relevant Company’s documented instructions.
2.2 The Company instructs Processor to process Company Personal Data.
- Processor Personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, Processor shall take into account the risks presented by Processing, particularly from a Personal Data Breach.
5.1 Processor shall not appoint (or disclose any Company Personal Data to) any Subprocessor unless required or authorized by the Company.
- Data Subject Rights
6.1 Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2 Processor shall:
6.2.1 promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
6.2.2 ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Contracted Processor responds to the request.
- Personal Data Breach
7.1 Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 Processor shall co-operate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
- Data Protection Impact Assessment and Prior Consultation
Processor shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
- Deletion or return of Company Personal Data
9.1 Subject to this section 9, Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data.
- Audit rights
10.1 Subject to this section 10, Processor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of the Company Personal Data by the Contracted Processors.
10.2 Information and audit rights of the Company only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
- Data Transfer
11.1 The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the Company’s prior written consent. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU-approved standard contractual clauses for the transfer of personal data.
- General Terms
12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
12.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post, or sent by email to the address or email address set out in the heading of this Agreement, or to such other address as notified from time to time by the Party changing its address.
- Governing Law and Jurisdiction
13.1 This Agreement is governed by the laws of _______________.
13.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of _________________, subject to possible appeal to __________________________________.
IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out below.
Date Signed: ___________________________
Date Signed ____________________________