What is a data processing agreement?
A Data processing agreement (DPA) is an agreement between a data controller (ie the party that decided on the purposes for and means of processing personal data, like a company) and a data processor (ie the party that carries out the instructions of the data controller in its processing of personal data, like a third-party service provider). A DPA sets out how personal data (eg names, addresses and information about racial/ethnic origin) will be processed (eg obtaining or recording), including the scope and purpose of the processing. For more information, read Data protection.
A data processing agreement is used to supplement a Services agreement (often called a 'master services agreement'). While the master services agreement sets out the terms for the supply of services between the two businesses, the data processing agreement specifically deals with the processing of personal data by the parties.
Why is a DPA important?
Data protection laws, specifically the UK General Data Protection Regulations (GDPR) and Data Protection Act 2018 (DPA), require data controllers to take measures to ensure the protection of any personal data they process. If a data controller outsources data processing activities, they must be able to demonstrate that their data processors (and any sub-processors) provide sufficient guarantees to act in a GDPR-compliant manner and protect the personal data.
For example, a company has collected personal data from their customers and has decided to hire another company to further process and analyse their customer’s personal data. The first company would be the data controller while the second company would be the data processor. A DPA would be required to ensure that the personal data is protected and processed in accordance with the GDPR.
Do I need a DPA?
Having in place a DPA is a key component of GDPR compliance. A DPA sets out technical requirements for the controller and processor to follow when processing personal data. This includes specifying how data is stored, protected, processed, accessed, and used and defining what a processor can and cannot do with the personal data.
Whenever a data controller wishes to outsource data processing to a third party (eg a cloud provider), they need to enter into a DPA with the third party to ensure the safety of the personal data.
What does a DPA cover?
A DPA will generally cover the scope and purpose of data processing, what data will be processed, how the data will be protected, and the relationship between the data controller and the data processor. Under the GDPR, DPAs must include particular details, including information about:
the processing itself - including the types of personal data being processed, what activities are involved in data processing, how the personal data will be used, how long data will be processed for, how and where the data will be stored and the personnel responsible for ensuring GDPR compliance
the responsibilities of the data controller - the data controller needs to establish a lawful basis for processing personal data and must ensure that the rights of individuals are complied with. The data controller is also responsible for determining how the data processor is to process the data
the responsibilities of the data processor - under the GDPR, data processors have many responsibilities, including maintaining information security, cooperating with authorities (like the Information Commissioner's Office, also known as the ‘ICO’) in the event of an enquiry, reporting data breaches, detailed record-keeping and deletion or return of data at the end of the contract
any technical and organisational requirements - under the GDPR data controllers and processors need to consider how the state of the art technology, the costs of implementation, and variances in personal freedoms affect their ability to ensure ongoing data security. This includes considering and setting out how data will be encrypted, accessed, and tested and determining if both parties can ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services
Where the data processor intends to rely on sub-processors, the DPA should outline such sub-contratual relationships. The data processor generally needs written consent from the data controller to use sub-processors, which must ensure data protection and GDPR-compliance.
What is the relationship between standard contractual clauses and DPAs?
Transfers of personal data to recipients outside the UK (ie a 'third country') is prohibited under data protection laws unless certain safeguards are put in place. An example of such a safeguard is the standard contractual clauses (SCCs). The SCCs are model data protection clauses approved by the UK allowing international data transfers to take place. Where data is being transferred outside of the UK and the SCCs are relied on as a safeguard, the appropriate SCCs need to be incorporated into a DPA and complied with.
For more information, read Standard contractual clauses and International transfers of personal data.
If you have any questions or require assistance, Ask a lawyer.