A data processing agreement (“DPA”) needs to be in place when a data controller engages a data processor. The DPA sets out the relationship between the two parties and the data being processed.
Reading time: 1,5 minutes.
Data processing agreement (DPA) introduction
Data controllers have to make sure that the processor is transparent with them. If they don’t, they can’t be sure they are GDPR compliant. Data processors, in turn, must make sure that data controllers can allow them to process data. The parties have a shared responsibility for the data, which means that the DPA is very important. The DPA should contain rules regarding how the processor should act when processing personal data.
Data controllers should make sure that personal data is processed and collected legally.
Contents of the DPA
The data processing agreement should incorporate a large number of provisions. Below are some of the key provisions that a DPA should contain:
- provisions stating that the processor may only process personal data when it is necessary;
- guarantees that the instructions from the controller are correct and lawful;
- provisions regarding how the processor may process data,
- audit rights for the controller and the processor;
- how to handle a personal data breach;
- both parties’ duties in relation to the supervisory authority;
- confidentiality;
- potential compensation for breach of contract.
There is more to consider when drafting your DPAs. The information presented above is a list of the minimum requirements. Another thing that affects the DPA is the relationship between the parties. The sensitivity of personal data being processed is another factor.
Schrems II – Expert Legal Advise
Act with confidence today. Our experts are here to help you manage the Schrems II requirements. Measured and practical solutions. Support through the entire process. Transfer impact assessment. Dealing with supervisory authority. Enforcement action. Defending legal claims. Track record with leading European startup, mid-size companies and listed global enterprises.
Get a quote today from the business law firm Sharp Cookie Advisors
Before drafting the DPA, we recommend that you consider what data is to going to be shared with the processor. You should also consider how the processor may use the personal data. We further recommend that you consult legal professionals to review your DPAs.