A GDPR data processing agreement (DPA) is a legal contract that a company must sign when engaging with a third-party data processor. The contract ensures that the data processor will handle data in line with GDPR guidelines.
Data is one of the most valuable assets a company can possess. To prevent a potential data breach or abuse, all businesses that handle personal data must have a DPA.
A DPA is valid both as a written agreement and in electronic form. Its primary purpose is to determine how the data processor will handle the data provided by the company. It includes details on the duration of the processing activities, the scope of the data, its purpose, and any other entities that will have access to it.
In Europe, it is a legal requirement to have a DPA in place. In other countries, it is not a legal requirement. Still, it is strongly recommended that all parties fully understand their responsibilities concerning collecting, using, and protecting personal data, and the repercussions if an incident involving personal data were ever to occur.
Quick note: If you are based in California, you may want to update any existing DPA agreements. A new privacy law called the CPRA will become effective on January 1, 2023, concerning data collected during 2022. The new regulation closes loopholes in the existing California Civil Privacy Act.
Why do you need a DPA?
A DPA ensures that the appropriate security measures are in place and that data processing activities are GDPR compliant.
Suppose a company wants to outsource customer data processing activities to a third-party company, such as a cloud service. In that case, it must first sign a DPA. The DPA document ensures that the third party will guarantee information security when processing the personal data, prevent security incidents, and comply with all applicable data protection laws.
Virtually every business relies on third parties to process personal data. Some use website analytics software, while others store their data with a cloud storage provider. Whichever way a business decides to perform its personal data processing, it must have a data processing agreement in place with each of these services to achieve GDPR compliance.
Every time you want to transfer a specific data set to a third-party entity to be processed, you need to draft and sign a DPA with the third party. This agreement protects you in case of a data security breach.
Who signs a DPA?
The company (data controller), the data processor, and any subprocessors must sign the DPA.
What happens if you don’t sign a DPA?
If you haven’t signed an agreement with your data processor, and they mishandle the data, you may be liable for the data breach since you failed to take adequate measures to ensure data protection.
Besides financial consequences, your company will suffer reputational damage, and you could lose the trust of customers, who may refrain from sharing their personal information with you in the future.
What are some DPA frequently asked questions?
What is a data controller?
A data controller is a person or company that owns the data. Data controllers are also called data exporters. They hire a third-party data processor and give them access to the data.
As the name suggests, the data controller controls and determines the data’s purpose. It also decides how the data processor will process the data subject information, which can vary depending on the obligations and rights of the controller, the type of personal data, and categories of data subjects.
What is a data processor?
The data processor is a third-party service provider that processes the data for the controller. In some cases, independent contractors can be considered processors.
The data processor must handle the data per the contract’s terms set by the data controller. At the end of the contract, the data processor must delete or return the processed data.
What is GDPR?
GDPR stands for General Data Protection Regulation, a data privacy law enacted by the European Union in 2018. It is the strictest privacy and security law in the world and imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU.
The new regulation affected many businesses worldwide that had access to the personal data of their clients. Since then, companies have had to conduct an in-depth review of their business processes and documentation to ensure their policies and procedures comply with the new guidelines regarding the confidential information of data subjects.
What is customer data processing?
To draft a DPA correctly, you need to know what data processing refers to. The term includes data collection, storing or recording, data organization, monetization, data use or deletion, and any other activity related to processing personal data. It’s critical to ensure that the data processor company does not breach the legal basis for processing this data, i.e., that they stick to the original purpose of the activity.
Is customer data deletion allowed?
Data deletion is a data processing activity that falls under the GDPR. Unlawful destruction of customer data may result in a fine.
What personal data falls under the DPA?
Any data that can be used to identify the person whose data is processed is subject to the DPA. Even if you handle pseudonymous information about your customers, it falls under the DPA if you can identify the natural person behind the pseudonym.
What happens if there’s a data security breach?
The data importer and the exporter must collaborate at all times to ensure maximum security for the data they are responsible for. However, if there is a breach, the data processor must inform the data controller of the event and cannot withhold that information under any circumstances. Where possible, the processor should assist the data controller with a data protection impact assessment and cooperate with the authorities in the event of an audit.
Even when there is no breach, the data processor appoints a data protection officer, as the GDPR requires. By strictly following the controller's instructions, the data processor can carry out all procedures as planned.
Are there fines if you’re not compliant with the GDPR?
There are. Fines for non-compliance with the GDPR are extremely strict. They may cost businesses up to €20 million, or 4% of their global revenue.
In addition, if a business is found guilty of not following the GDPR, data subjects are entitled to compensation for the damage they suffer.
Generate and collect signed DPAs with Deel
You can quickly generate DPAs for any contractor on the Deel platform. You'll be prompted to fill in details to tailor the contract. Deel will then securely collect the required signatures for safe recordkeeping.