A Data Processing Agreement (DPA) is often used by UK businesses alongside a master services agreement or similar contract. A DPA is required whenever the contracted services involve the supplier processing personal data on behalf of the customer. Its purpose is to ensure that both parties comply with their obligations under the UK GDPR and the Data Protection Act.
In this guide we look at the clauses a DPA is likely to contain and whether you should accept a DPA provided by a supplier. For assistance with drafting, reviewing and negotiating a DPA, and for advice on what to look out for when contracting with third-party service providers, speak to our team of data protection lawyers.
What is a Data Processing Agreement (DPA)?
A Data Processing Agreement (DPA) is a contract that is usually entered into between the Controller and the Processor.
Who is a Controller?
A Controller is a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7) of the GDPR). Essentially, Controllers make the decisions about processing activities.
Who is a Processor?
A Processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller (Article 4(8) of the GDPR). Essentially, Processors act on behalf of the Controller, under its instructions and authority.
When do you need a DPA?
In short, whenever a Processor carries out any processing on your behalf. According to the Information Commissioner's Office, contracts between Controllers and Processors ensure that both understand their obligations, responsibilities and liabilities. Contracts also help them comply with the UK GDPR and assist Controllers in demonstrating their compliance to individuals and regulators, as required by the accountability principle.
If your organisation is subject to the General Data Protection Regulation (GDPR), you should have a DPA in place with all of your data Processors. Article 28 of the GDPR sets out what a DPA must contain (see "What are the Common Clauses?" below).
Should a Processor use another company to assist with processing activities for the Controller client, it must have a DPA (a Processor-to-Sub-Processor DPA) in place with that Sub-Processor. The terms of that DPA must offer the personal data an equivalent level of protection to the initial DPA between the Controller client and the Processor. It is the Processor's responsibility to ensure that every Sub-Processor in the chain complies with the requirements of the GDPR and provides the same level of protection as agreed between the Controller and the Processor. A Processor may not engage a Sub-Processor without the Controller client's prior specific or general written authorisation.
The DPA sets out the responsibilities, liabilities and obligations of each party to the agreement, so that processing tasks are carried out in accordance with the UK GDPR. DPAs also assist in demonstrating compliance under the accountability principle.
What are the Common Clauses?
Article 28(3) of the GDPR sets out the clauses required in a DPA:
- The Processor only processes personal data on documented instructions from the Controller;
- The Processor must ensure persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- The Processor must implement technical and organisational measures to ensure a level of security appropriate to the risk, as per Article 32 of the GDPR;
- The Processor will not subcontract to another Processor unless authorised to do so in writing by the Controller. The Processor-to-Processor DPA must impose the same requirements as the DPA between the Controller and the Processor;
- The Processor will assist the Controller by supporting their obligations under the GDPR, insofar as possible, concerning data subjects’ rights as per Chapter 3 of the GDPR;
- The Processor will assist the Controller in maintaining compliance with Article 32 (security of processing) and Article 36 (consulting the data protection authority before undertaking high-risk processing);
- The Processor agrees to return or delete all personal data upon the termination of services; and
- The Processor must allow the Controller to conduct audits and must provide whatever information is necessary to demonstrate compliance.
Furthermore, a DPA should stipulate:
- the subject-matter and duration of the processing;
- the nature and purpose of the processing;
- the types of personal data; and
- the categories of data subjects.
The above are the minimum requirements for a DPA, but a DPA is not complete without the relevant annexes, which should include the following:
- The Processor's technical and organisational measures, demonstrating its ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and to regularly test, assess and evaluate the effectiveness of the technical and organisational measures for ensuring the security of the processing;
- A list of Sub-Processors; and
- Any standard contractual clauses that apply to cross-border transfers, for example the EU Standard Contractual Clauses.
Do you need a bespoke DPA, or can you rely on your third-party service provider’s DPA?
You should never blindly accept the Processor's version of a DPA, just as a Processor would never accept the Controller's version without review. Like any contract, the drafting party will draft it in the way most favourable to itself. While the clauses above must be contained in the DPA, it is necessary to check the detail of each clause. For example, how would you know that the technical measures the Processor has put in place are appropriate to the personal data it processes for you? You will likely want a cyber security professional to review these. There may be other due diligence you wish to conduct, such as checking whether any breaches have previously occurred, when and how, and what preventative measures have been put in place so that they do not happen again. If this is an area of concern, here we discuss in more detail what to do if your supplier has a data breach.
Whether you are a Controller needing a Processor's DPA checked, or a Processor needing the Controller's version checked, our specialist data protection solicitors can assist in evaluating the actual risk against the nature and purpose of the processing, provide specific advice on drafting templates, and check DPAs from the other side to ensure they are appropriate to the level of risk.