How to handle Data Processing Agreements in 5 easy steps
Processor agreements or Data Processing Agreements (DPAs) are mandatory when personal data is processed between two or more parties. Anyone who is somewhat aware of the GDPR legislation is aware of this. Nevertheless, we often get the question of how best to draw up a DPA. In this article you will get an answer to the top 5 frequently asked questions concerning DPAs and you will learn which steps to take in order to draw up a DPA at the same time.
What is a Data Processing Agreement?
Data Processing Agreements (DPA) are compulsory agreements, closed between two or more parties, when one party processes personal data (from third parties) for another party. This can be about data in CRM systems, analytical systems, Customer Data Platforms and so on.
A DPA tells you what is expected from both parties in terms of
- data security,
- where the data is kept,
- audit possibilities, and
- who is responsible if there is a problem such as a data leak.
In the following 5 steps, you will learn how to handle a DPA in the most efficient way.
STEP 1: With which parties do you need a DPA?
The General Data Protection Regulation (AVG) or GDPR obliges all processors of personal data in Europe to conclude a DPA. When you think about with whom you should conclude an agreement, you will often think of simple parties, such as your social secretariat or your web hosting party. However, it is important not to lose sight of the less obvious parties. Think of the garbage disposal services, an IT consultant or one of your suppliers who might handle sensitive personal data for you. A handy way of getting a complete overview of all the parties involved is to take a look at the contracts within your organization. No idea how to start? This easy-to-use contract checklist provides a complete overview of contracts you might need for your research.
STEP 2: What should a DPA contain?
Your DPA should contain obvious information such as
- the subject of the agreement and data processing,
- the duration of the data processing,
- the nature and the purpose of the processing.
Bear in mind that you also have to include more specific information such as the type of personal data, the data categories and of course the obligations and rights of the data controller. For a complete list of details you need to include in the DPA, speak to your company lawyer or Data Protection Officer (DPO).
STEP 3: Do you draw up the DPA separately or as part of the main agreement?
Just as with Non-Disclosure Agreements (NDAs), there are three ways in which the agreement can be created with DPAs:
- The DPA agreements are incorporated into the general terms and conditions of your own organization or those of the other party. Examples are Amazon, Google, Office 365, etc.
- The DPA is a separate agreement and is therefore not linked to another, existing agreement.
- The DPA is an addendum to an existing contract and is therefore linked to it.
There is no legal limitation that stipulates that a DPA cannot be part of an ordinary contract between the processor and the responsible party. Given the complexity of DPAs, it is advisable to add a separate document or annex to the main contract. This way, you can easily find the Data Processing Agreement and do not have to go through the entire contract looking for a paragraph or page. Moreover, you do not have to negotiate a new DPA if the existing contract, in which the DPA was contained or an annex, is terminated.
STEP 4: How do you follow up on the DPA?
DPAs should always be within reach of the right people, even if they are included in the general terms and conditions or as part of a larger agreement. On top of that, it is important that you are always aware of the duration of the agreement. A system such as Excel or a document management system does not offer the best support here. Especially if you have more than 100 contracts or work with different departments. A contract management system can then offer broad support by
- assigning the right reading or access rights to the right people,
- indicating from whom you expect a DPA and do not yet have one,
- retrieving all desired contracts or clauses in just a few clicks.
This not only saves you and your colleagues time, but also avoids unpleasant surprises in case of problems with personal data or data leaks.
STEP 5: How to avoid duplication of work in the future?
To avoid having to do the same work all over again from scratch for your next agreement, we recommend involving the Data Protection Officer (DPO) when new contracts are signed or when working with new parties. This way, he or she is informed from the start and the DPO can add adjustments where needed. Another possibility is to perform a final check before signing.
Want to know more about DPAs and how to manage them efficiently?
Download the full guide here.