Whether you are collecting and processing the personal information of EU users for your own needs, or whether you are given access to such data through one of your customers in connection with services you provide to that customer, you may have been asked to review and sign “Data Processing Agreements” or “Data Processing Addenda”, a/k/a “DPAs”, to your commercial agreement with the customer.
But do you really know the purpose and meaning of such a document? In this article we are lifting the veil on this practice of using DPAs.
DPAs are initially a creation of the GDPR. Under Article 28(3) of the GDPR, data controllers that share the personal information of EU residents with their processors, for instance a vendor or sub-contractor, in connection with a service they receive from such vendor or sub-contractor, must enter into certain contractual terms with them regarding the processing of the data.
Strictly speaking, the GDPR makes no mention at all of DPAs, but it does refer to the obligation for the data controller to enter into “data processing clauses” with each of its processors. In the US and internationally, these data processing clauses have taken the form of DPAs.
A DPA is a legally binding agreement between data controllers and data processors with respect to the processing of EU personal data by a processor.
Article 28(3) of the GDPR sets out 7 specific terms or clauses that must be included in a DPA:
– An obligation on the processor to process the data only on the documented instructions of the controller;
– An obligation of confidentiality on the processor and its personnel with respect to the data;
– An obligation for the processor to implement appropriate security measures around the data;
– Certain obligations in connection with a processor’s decision to retain sub-processors, including the obligation to flow down the DPA provisions into its own DPA with such sub-processors, and to obtain the data controller’s express approval, or at least to give the data controller (your customer if you act as the processor, or you if the DPA is with your vendors) the ability to object to the appointment of any sub-processor;
– An obligation to cooperate with the data controller in connection with responding to access and other rights EU users enjoy under the GDPR with respect to their personal data;
– The obligation, if the processor is based outside the EU, and in the US in particular, to document any additional internal controls and security safeguards the processor has implemented with respect to the data; and
– An obligation to cooperate with the controller in the conduct of audits at the processor or any of its sub-processors.
The controller does not have to define every single element of how the data is processed, and can rely on the processor’s obligation to ensure “appropriate guarantees” that processing will be done securely. But the processor is still responsible for determining some of the following elements:
– The IT systems or other methods used to collect personal data;
– How and where the data is stored;
– The security surrounding the personal data;
– How the personal data is transferred from one organization to another;
– How personal data about a specific individual can be retrieved;
– Methods for ensuring a retention schedule is adhered to; and
– How data is deleted or disposed of.
In addition, the following information needs to be expressly included in the DPA, if not an annex to the DPA:
– The subject matter and duration of the processing;
– The nature and purpose of the processing;
– The type of personal data and categories of data subject; and
– The names, location(s) and a name of a contact for privacy queries at each sub-processor, if any, retained by the processor.
Now, something most companies, particularly US-based companies unfamiliar with the technicalities of the GDPR, do not realize: DPAs have to be governed by the law of an EU member state; they cannot be governed by US law.
This requirement has specific implications for US-based processors:
1. They need to be familiar with EU laws, and in particular with the interpretation that the privacy regulator of the applicable EU member state makes of the GDPR’s obligations on processors. Remember, in more than 50 areas of the GDPR, the so-called “national derogations”, the GDPR empowers EU member states to adopt local requirements above and beyond the GDPR requirements. For more on that please see our article on the EU “national derogations”;
2. Under the GDPR accountability principle, they need to be able to document their compliance not only with the DPA, but with the GDPR and any applicable “national derogations” (based on the law of the EU country or countries where the EU users are located and their personal data is collected). Remember, the GDPR applies directly to both controllers and processors.
Most importantly, violations of the GDPR can give rise to fines in the amount of the greater of €20 million or 4% of a controller and/or processor’s global annual revenue.
Last but not least, US privacy laws adopted in the wake of the entry into force of the EU GDPR also increasingly require that data controllers enter into agreements with their processors to cover the processors’ obligations with respect to the processing of US PII under US laws as well. Therefore, tracking your and your processors’ compliance with EU GDPR-compliant DPAs can also help you document your compliance with US privacy laws.
At the Law Office of S. Grynwajc we are experts not only in the GDPR but also in EU national derogations. Our privacy lawyers are also dual US and EU qualified, and therefore best equipped to help you comply with the laws that apply not only to your obligations under DPAs, whether as a controller or a processor, but also under the GDPR and EU member state laws.
Consequently, should you need to better understand your obligations under GDPR, please reach out! We’d love to help.
More on this and the importance of hiring EU counsel to help you comply with EU law, including GDPR, in our article.