Data processing agreement (DPA) introduction
Data controllers have to make sure that the processor is transparent with them; otherwise, controllers can’t be sure they are GDPR compliant. Data processors, in turn, must make sure that data controllers can allow them to process data. The parties have a shared responsibility for the data, which means that the DPA is very important. The DPA should contain rules regarding how the processor should act when processing personal data.
Data controllers should make sure that personal data is processed and collected legally.
Contents of the DPA
The data processing agreement should incorporate a large number of provisions. Below are some of the key provisions that a DPA should contain:
- provisions stating that the processor may only process personal data when it is necessary;
- guarantees that the instructions from the controller are correct and lawful;
- provisions regarding how the processor may process data;
- audit rights for the controller and the processor;
- how to handle a personal data breach;
- both parties’ duties in relation to the supervisory authority;
- potential compensation for breach of contract.
There is more to consider when drafting your DPAs. The information presented above is a list of the minimum requirements. Another thing that affects the DPA is the relationship between the parties. The sensitivity of the personal data being processed is another factor.
Before drafting the DPA, we recommend that you consider what data is going to be shared with the processor. You should also consider how the processor may use the personal data. We further recommend that you consult legal professionals to review your DPAs.