This article sets out the basic division of responsibilities in a data processing agreement (DPA) between two parties that share personal data as a by-product of their collaboration, for example a purchaser-supplier relationship.
Who is responsible and for what?
Data controllers are organisations that collect personal data and determine the purposes and means of its processing. For this reason, they carry the primary responsibility for protecting that data.
Data processors are organisations that process personal data on the controller's instructions, usually in order to deliver a specific service to the controller.
Data controllers and processors share many of the same duties and principles. What the GDPR introduced is that processors now have duties of their own that are directly enforceable against them, so GDPR compliance is a shared obligation between controller and processor rather than the controller's alone.
Many of the principles in the GDPR apply to both parties. Examples include the principles relating to processing, the data protection (“privacy”) by design obligations, and the mandatory terms of a data processing agreement.
Data processors must also assist the controller in several ways. These include assisting with data subject requests, with security measures and personal data breach notifications, and with data protection impact assessments (the assessment itself remains the controller's responsibility; the processor supplies the information and support it needs).
The relationship between controller and processor, and their shared obligations
The controller has a responsibility with regard to the processors it works with. Controllers may only use processors that provide sufficient guarantees that they will implement appropriate technical and organisational measures; in other words, the processor needs to be GDPR compliant, and it is up to the controller to verify this. In practice that means due diligence before signing (security questionnaires, audit reports or certifications) and audit rights in the DPA afterwards. Processors, for their part, cannot engage a sub-processor without the controller's prior written authorisation. That authorisation may be specific or general; if it is general, the processor must inform the controller of any intended addition or replacement of sub-processors so that the controller has the opportunity to object.
A data processing agreement needs to be in place between the controller and the processor, in writing (electronic form is acceptable). It should set out at least the subject matter and duration of the processing, its nature and purpose, the type of personal data and categories of data subjects, and the obligations and rights of the controller. Processors may never process personal data on behalf of a controller except on the controller's documented instructions.
The controller and the processor are both obligated to keep a record of their processing activities, and both must co-operate with the supervisory authority when required to do so.
If you want to read more about what to include in a Data Processing Agreement, see this article.