Data Processing Agreements - take away tips for data processors when reviewing.
Updated: Jan 21
What is a Data Processing Agreement (DPA)?
A DPA is a legally binding contract between a data controller and a data processor which sets out strict limits on what the processor can do with personal data. If you are a PR/marketing company you will be the data processor and the customer supplying marketing lists will be the data controller. This note only comments on data controller to data processor agreements and is pro data processor.
What UK law applies following the UK leaving the EU?
The General Data Protection Regulation (GDPR) has been retained in UK law following the UK's departure from the EU and continues to be read alongside the Data Protection Act 2018. The Information Commissioner's Office ('ICO') remains the UK's independent supervisory authority on data protection.
Under the legislation, while the data processor does have direct responsibility under the GDPR (and may be subject to fines or sanctions if it does not comply), the data controller principally remains responsible for the processing of the data in accordance with the GDPR.
What must a DPA contain to comply with the GDPR?
The GDPR prescribes certain conditions governing the processing of data by the data processor as follows:
a) The data controller is only permitted to use a data processor that provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the individuals whose data is being processed.
b) The data processor shall not engage another processor (subcontractor) without specific or general written authority from the data controller. In the case of general written authorisation, the data processor shall inform the data controller of any intended changes concerning the addition or replacement of the subcontractors, giving the data controller opportunity to object to such changes.
c) Where a data processor engages another processor (subcontractor) the same data protection obligations as set out in the contract must be imposed on the subcontractor by way of contract. If the subcontractor fails to fulfil its data protection obligations, the data processor will remain fully liable.
Under the GDPR, the data controller and data processor must enter into a written agreement setting out the nature and purpose of the processing, the type of personal data and the category of data subjects and the obligations and rights of the data controller. The DPA must stipulate that the data processor must:
(a) process the personal data only on documented instructions from the customer;
(b) ensure that persons authorised to process the personal data have committed themselves to confidentiality;
(c) take all measures required pursuant to art 32 of the GDPR (which requires them to implement appropriate technical and organisational security measures, along with more prescriptive security measures where appropriate);
(d) follow the conditions detailed above regarding subcontractors;
(e) taking into account the nature of the processing, assist the data controller by appropriate technical and organisational measures, insofar as this is possible, in responding to individuals exercising their rights as data subjects;
(f) assist the data controller in ensuring compliance with its obligations pursuant to arts 32-36 of the GDPR (notifying a supervisory authority that a customer has suffered a personal data breach; communicating a personal data breach to an affected individual; carrying out an impact assessment; and, where required under an impact assessment, engaging in prior consultation with a supervisory authority);
(g) at the choice of the data controller, delete or return all the personal data to the customer at the end of the services contract; and
(h) make available to the data controller all information necessary to demonstrate compliance with the obligations set out above, and allow and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the customer.
What issues may arise in a global DPA?
The list below is not to be considered exhaustive or legal advice and may or may not apply to your data processing agreement. It is a general guide to those areas which may raise liability issues in a global DPA. We strongly recommend that independent legal advice is obtained before entering into a DPA.
1. Jurisdiction of a DPA - the data processor may be obliged to process data 'in accordance with all data protection laws'. This means that the data processor would need to comply with UK, EU and any other applicable law of any country. An English qualified lawyer will only be able to review a DPA and consider its interpretation insofar as it is subject to English law (the Data Protection Act 2018 and the GDPR). Given the potential extra-territorial implications (as the DPA may be governed by multiple different jurisdictions), a local legal review should be sought in each of those jurisdictions.
2. Warranties and indemnities contained in a DPA can come in various forms. We only highlight two fairly standard ones here. A data processor may be required to give a warranty that its processing operations are 'suitable for purpose' and that there is 'sufficient expertise to carry out the services in accordance with global data protection laws'. A warranty is a contractual assurance, and if there were a breach of this warranty the data controller would be able to claim damages. A data processor should check that its systems can comply before agreeing to this, and take into account the point at 1. above regarding jurisdiction.
It is also common for a data controller to seek a general indemnity from a data processor to pay for claims for damages arising from the data processing, including any data breach. To reduce this liability as far as possible, we suggest a data processor only agrees to pay out on those acts 'within your reasonable control'. We would also suggest that a cap on the amount of liability is sensible, taking into account the data controller's potential losses and the extent of insurance cover. A further reduction in liability can also be obtained by excluding indirect or consequential losses, or by excluding certain economic heads of loss such as loss of profits, loss of data or damage to goodwill.
3. Security of data - A DPA may state that the security of data must be to the 'data controller's specifications and is appropriate to the risks'. IT systems should be reviewed as any upgrade could incur significant expense.
4. Once the DPA is in operation, the data processor should regularly review the parties' roles, the purpose of the sharing of data, what is going to happen to the data at each stage and the process itself, to make sure that the information in the DPA remains accurate and up to date and to demonstrate ongoing compliance with the GDPR.
We recommend you obtain legal advice before entering into a DPA. This note is for guidance only and does not constitute legal advice.
17 January 2021
MY BUSINESS COUNSEL