Today, it is almost impossible to run a company without having data processed by a third party given that a CRM system or payroll software is considered a data processor.
If a new software-as-a-service (SaaS) solution is bought or a sub-processor hired, who will act on instructions and whose focus is to do with processing data, this requires a data processing agreement (DPA). Failure to determine the required DPA can result in the Supervisory Authority, the ICO in the UK, imposing a fine.
The crucial element is the professionalism and completeness of the DPA for companies who act as data processors. You have to demonstrate you have a watertight agreement and that you have appropriate technical and organisational measures (TOM) in place before a client can enter into a contract with you in good conscience.
What you need to know, in a nutshell:
- Data processing takes place when data is processed by a contractor who has been instructed by the data controller.
- Examples of data processing are service providers such as payroll offices and document shredders as well as outsourcing solutions such as SaaS and hosting providers.
- A data processing agreement must be documented according to Art. 28 (3) GDPR when a data processing relationship exists.
- Among other points, the data processing agreement defines the subject matter, type, and purpose of the data processing as well as rights and obligations of both the controller and contractor.
- The GDPR stipulates an obligation for the data controller to carefully select a data processor.
- When data is transferred to third countries during data processing, it is imperative that the legal basis for such a transfer be examined.
- The Data Protection Officer provides support both in the preparation and the review of data processing agreements.
In this article:
- What is data processing and when do I need a data processing agreement?
- What are typical examples of data processing in companies?
- How do I distinguish between data processing and having a joint controller agreement?
- How do I apply due diligence when selecting a data processor?
- What exactly is a data processing agreement and in which legal basis is it mentioned?
- When is there no need for a data processing agreement?
- What details does a data processing agreement need to contain and where can I find a template?
- Which role does data transfer to third countries play in data processing?
- DPA Checks in 3 steps
- Bonus tip for SaaS providers: How to use a data processing agreement to your competitive advantage
What is data processing and when do I need a data processing agreement?
Whenever a service provider is instructed to process personal data on behalf of a data controller, this is considered data processing and a data processing agreement has to be documented. Controllers must be aware that they remain legally responsible for the personal data and the handling of these data records. They must select processors with due diligence and regularly monitor their work.
What are typical examples of Data Processing in companies?
Instructing third parties to process data may still sound somewhat abstract. However, you have probably already come into contact with data processing many times. Typical examples relevant to most companies include:
- Software-as-a-service solutions such as newsletter or accounting tools
- Operators of input masks (forms) that can be integrated on your website (e.g. Unbounce or Mailchimp)
- Cloud-based CRM tools
- External call centres or customer service centres
- Processing advertising addresses in a lettershop
- External payroll
- External maintenance of servers and computers
- File and data media destruction by external service providers
- Hosting services
- Agencies dealing in marketing, sales, or consulting, if they have access to employees’, customers’, users’ or other company contacts’ personal data
- Security services that collect visitor and delivery data at the gate
How do I distinguish between data processing and having a joint controller agreement?
Sometimes, it is not easy to determine whether the data processing takes place solely in line with instructions given by the data controller. If it does not and the data processor uses the data for their own purposes, it is likely they are a joint controller. Let us have a look at a few typical distinguishing elements that point to data processing:
The Data Controller determines…
- what data is collected,
- how long it is processed for,
- when it is deleted,
- the purpose of the data collection,
- and whether data may be deleted.
It is the controller’s responsibility to ensure processing of data meets legal requirements. They are required to select the data processor with due diligence and monitor activities related to the contract.
How do I apply due diligence when selecting a data processor?
Choosing a trustworthy data processor is important to help avoid fines. This is because, in the event of damage, the rule is that both the controller and processor could be jointly liable, although exemptions are possible where a party is not at fault.
In line with the GDPR (recital 81), when selecting a data processor, companies should ensure that they choose such contractual partners
‘[…] particularly in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing’.
You may find the following questions helpful when evaluating a data processor:
- How trustworthy is the provider? For example, have they been repeatedly criticised for data breaches?
- Where are they based?
- Is data transferred to third countries like the USA and, if so, which guarantees of protection do they offer?
- Which servers is data processed on?
- Which sub-processors are used?
- How professional and complete is the DPA? (more on that later)
By the way: we have taken a look at providers of video conferencing solutions and messenger services for you and evaluated them in terms of their data protection.
What exactly is a data processing agreement and in which legal basis is it mentioned?
In line with the basic principle set out in data protection law of prohibition with the option of giving permission, processing of personal data, including transfer to third parties, requires a legal basis that can, for example, consist of a legal norm or the legally compliant consent of the Data Subject.
The existence of such a legal basis would be required if the providers of the types of services mentioned above were classified as third parties within the meaning of the GDPR. This, however, is not actually the case due to the privileging of data processing as set out in the GDPR. As a general rule, the transfer of personal data to the data processor does not require any further legal basis than the one on whose basis the processing takes place with the data controller. Those affected do have to be made aware that data processors are being used, though.
Nevertheless, pursuant to Art. 28 (3) GDPR, it is necessary that the processing be carried out on the basis of a contract (or other legal instrument under EU law) between the data controller and the data processor — the DPA.
The specific requirements that a DPA must meet are set out in Art. 28 GDPR. The purpose is to ensure that data processing complies with the requirements of the GDPR even when a data processor is used.
The DPA must be documented in writing. An electronic format is permitted. The data processor is also required to take technical and organisational measures to guarantee the security of the data processing.
When is there no need for a data processing agreement?
A DPA is needed for a controller to processor relationship. It’s worth noting, there are other service providers that are bound by instructions outside of GDPR, e.g. other regulations. These service providers tend to be data controllers in their own right and include:
- Legal services
- Financial services
- Debt collection agencies
- Tax authorities
They are responsible for providing their own services and are not bound by instructions, which is why no DPA is required in these cases.
What details does a data processing agreement need to contain and where can I find a template?
The DPA must set out the main components of the processing responsibilities. These include, among other points, the subject matter, type, and purpose of the data processing as well as rights and obligations of both the client and contractor. The controller is responsible for fulfilling the obligations arising from the GDPR (the rights of data subjects, notification of data breaches, etc.) but the data processor is required to provide support in this regard.
Along with other providers on the web, is the UK ICO provides a controller to processor contract available for download here.
Which role does data transfer to third countries play in data processing?
Many data processors cannot prevent a transfer of personal data to third countries since servers are typically located in other countries belonging to the EU, companies based outside the EU, or subcontractors are hired.
It is important to verify whether and on what basis a data transfer is permissible. The transfer of data to third countries is always permissible if the Commission has deemed the level of data protection to be adequate.
Should this not be the case, the transfer of data to a third country must be otherwise justified, e.g. through:
- Corporate Binding Rules or
- Standard Contractual Clauses (SCC)
Precautions (that may vary in strictness) have to be taken depending on the sensitivity of the data.
DPA Checks in 3 steps
The best way to protect personal data and your company is to ensure your DPAs are watertight. After all, as the data controller, you are accountable for safeguarding all personal data in your possession. It needs to be well protected, even in the hands of a third party.
Step 1: Guarantees for data security and GDPR compliance
By providing adequate guarantees, your contractor shows that their company takes data protection seriously and has taken measures to ensure it. Adequate guarantees include the appropriate technical and organisational measures (TOM) and independent certifications or attestations.
Technical and organisational measures
Experience shows that a surprising number of data processors trip over this obvious hurdle and fail to attach their TOM to a DPA. Instead, you often read sentences like: ‘We guarantee data protection through our technical and organisational measures.’
Many companies adopt web templates, making no effort to adapt the general wording to their case. But the TOM for a data centre should look different than those for a payroll office. It is not enough to print a template DPA and file it.
When setting up TOM, data processors often forget the basics. Indeed every company has a firewall and a lockable office, one might assume. But if your contractor’s TOM doesn’t mention of these, it’s better to make sure.
Approved certification mechanisms
According to Art. 42 GDPR, approved certification mechanisms can also be used to demonstrate that appropriate information security safeguards have been put in place. Such mechanisms can include:
- Independent reports from a data protection officer
- External audits (e.g. ISO 27001 and SOC 2)
Including certification mechanisms like these is voluntary. Many DPA templates make it easy to add them by simply ticking a box.
Step 2: Subcontractors of the processor
It is crucial that your processor – the principal contractor – informs their subcontractors of your DPA regulations, as the latter are directly involved in the provision of the main service.
Be sure to check whether the agreement includes guarantees for this critical step. It is also advisable to determine whether any subcontractors are located in third countries. If so, what additional controls have been put in place to safeguard against the regulatory ramifications?
Step 3: Standard contractual clauses and additional safeguards
Often, processors cannot prevent personal data from being transferred to third countries. The reason can be because the servers are located in other EU countries, the company has a registered office outside the EU or subcontractors are used.
When unavoidable, a processor needs to review whether and on what basis such a transfer is permissible. The transfer of data to third countries is always permissible if the Commission has established the adequacy of the level of data protection there.
If that’s not the case, the transfer of data to a third country must rest on another justification, e.g.:
- Binding corporate rules
- Standard contractual clauses (SCCs)
Depending on the sensitivity of the data in question, correspondingly strict precautions must be taken. However, SCCs must be supplemented by additional safeguards. Not only that, but the safeguards must also be on record in the DPA – another step that is frequently forgotten in the hustle and bustle of day-to-day business.
Bonus tip for SaaS providers: How to use a data processing agreement to your competitive advantage
As a SaaS provider, you have most likely created a DPA already. How well is it received by your clients’ Data Protection Officers? Do they typically get back to you with questions or difficulties? That could be because your DPA does not cover all the necessary requirements. You will need to ensure that it covers all the points set out in Art. 28 of the GDPR.
Our experience has shown that many SaaS providers can improve in the following three areas:
- By having a really well-defined service description that shows exactly which service they provide as a data processor,
- by explaining data categories not just superficially, but in detail,
- and by providing a list of your sub-processors and evidence that suitable technical and organisational measures have been put in place.
As part of any selection process, you have to thoroughly vet any sub-processor, so you don’t create any additional security gaps for yourself by using a third-party provider.
While a seamless data processing agreement may not be something that excites customers, it does support a smooth sales process. You may lose valuable time if information relating to Art. 28 of the GDPR is missing. Companies that can provide their customers with a comprehensive data processing agreement that includes proof that they have ensured their subcontractors demonstrate thoroughness and conscientiousness which, in turn, creates trust.
No business without data processors. But any processor that processes personal data as a third party can pose a risk — in terms of data mishaps, data protection breaches, or failure to comply with obligations imposed on them. For that reason, every data processor needs to be well chosen — and the DPA is an excellent indicator of their quality standards , professionalism and reliability.
As a data processor, companies show that they are serious about data protection through documents like the technical and organisational measures and the DPA.
Your data protection officer can support you in creating a DPA and in checking your contractors’ DPAs.
To find out more, get in touch with one of our GDPR experts today.