Processor agreements or Data Processing Agreements (DPAs) are mandatory when personal data is processed between two or more parties. Anyone who is somewhat familiar with the GDPR legislation is aware of this. Nevertheless, we often get the question of how best to draw up a DPA. In this article you will get answers to the top 5 frequently asked questions concerning DPAs and, at the same time, learn which steps to take in order to draw up a DPA.
Data Processing Agreements (DPAs) are compulsory agreements, concluded between two or more parties, when one party processes personal data (from third parties) for another party. This can concern data in CRM systems, analytical systems, Customer Data Platforms and so on.
A DPA tells you what is expected from both parties in terms of
In the following 5 steps, you will learn how to handle a DPA in the most efficient way.
The General Data Protection Regulation (GDPR; AVG in Dutch) obliges all processors of personal data in Europe to conclude a DPA. When you consider with whom you should conclude an agreement, you will often think of the obvious parties, such as your social secretariat or your web hosting party. However, it is important not to lose sight of the less obvious parties. Think of the garbage disposal services, an IT consultant or one of your suppliers who might handle sensitive personal data for you. A handy way of getting a complete overview of all the parties involved is to take a look at the contracts within your organization. No idea how to start? This easy-to-use contract checklist provides a complete overview of contracts you might need for your research.
Your DPA should contain obvious information such as
Bear in mind that you also have to include more specific information such as the type of personal data, the data categories and of course the obligations and rights of the data controller. For a complete list of details you need to include in the DPA, speak to your company lawyer or Data Protection Officer (DPO).
Just as with Non-Disclosure Agreements (NDAs), there are three ways in which a DPA can be created:
There is no legal limitation that stipulates that a DPA cannot be part of an ordinary contract between the processor and the responsible party. Given the complexity of DPAs, however, it is advisable to add a separate document or annex to the main contract. This way, you can easily find the Data Processing Agreement and do not have to go through the entire contract looking for a paragraph or page. Moreover, you do not have to negotiate a new DPA if the existing contract, in which the DPA was contained or to which it was annexed, is terminated.
DPAs should always be within reach of the right people, even if they are included in the general terms and conditions or as part of a larger agreement. On top of that, it is important that you are always aware of the duration of the agreement. A system such as Excel or a document management system does not offer the best support here, especially if you have more than 100 contracts or work with different departments. A contract management system can then offer broad support by
This not only saves you and your colleagues time, but also avoids unpleasant surprises in case of problems with personal data or data leaks.
To avoid having to do the same work all over again from scratch for your next agreement, we recommend involving the Data Protection Officer (DPO) when new contracts are signed or when working with new parties. This way, he or she is informed from the start and the DPO can add adjustments where needed. Another possibility is to perform a final check before signing.