What is a GDPR data processing agreement?
Virtually every business relies on third parties to process personal data. Whether it’s an email client, a cloud storage service, or website analytics software, you must have a data processing agreement with each of these services to achieve GDPR compliance.
The EU General Data Protection Regulation takes a more serious approach to contracts than previous EU data regulations did. If your organization is subject to the GDPR, you must have a written data processing agreement in place with all your data processors. Yes, a data processing agreement is more annoying paperwork. But it’s also one of the most basic steps of GDPR compliance and necessary to avoid GDPR fines.
This guide serves as an introduction to data processing agreements — what they are, why they’re important, who they’re for, and what they need to say. You can also follow the link to find a GDPR data processing agreement template that you can download, customize, and use for your company.
The term “processing” appears with obnoxious frequency in this article. In the GDPR definitions, processing essentially refers to anything you can possibly do with someone’s personal information: collecting it, storing it, monetizing it, destroying it, etc.
Data processing agreement basics
GDPR compliance requires data controllers to sign a data processing agreement with any parties that act as data processors on their behalf. If you need some definitions of these terms, you can find them in our “What is the GDPR” article, but typically a data processor is another company you use to help you store, analyze, or communicate personal information. For example, if you are a health insurance company and you share information about clients via encrypted email, then that encrypted email service is a data processor. Or if you use Matomo to analyze traffic on your website, Matomo would also be a data processor.
A data processing agreement is a legally binding contract that states the rights and obligations of each party concerning the protection of personal data (see “What is personal data?”). Article 28 of the GDPR covers data processing agreements under Section 3:
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
If you’re a business owner subject to the GDPR, it is in your interest to have a data processing agreement in place: first of all, it is required for GDPR compliance, but the DPA also gives you assurances that the data processor you’re using is qualified and capable. As stated in Recital 81:
When entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing.
Data processing agreement example
This website, as you may know, is operated by the encrypted email provider ProtonMail (and partly funded by the European Union’s Horizon 2020 program). As part of our GDPR compliance efforts, we made our own data processing agreement available to all our enterprise users to download, review, and sign.
Our DPA makes a number of guarantees to the companies that entrust us with personal data. For instance, the ProtonMail data processing agreement promises the use of technical security measures, such as encryption, as indicated in GDPR Article 32. It also offers reasonable assistance to controllers when conducting a data protection impact assessment.
What needs to be in a data processing agreement
GDPR Article 28, Section 3, explains in detail the eight topics that need to be covered in a DPA. In summary, here’s what you need to include:
- The processor agrees to process personal data only on written instructions of the controller.
- Everyone who comes into contact with the data is sworn to confidentiality.
- All appropriate technical and organizational measures are used to protect the security of the data.
- The processor will not subcontract to another processor unless instructed to do so in writing by the controller, in which case another DPA will need to be signed with the sub-processor (pursuant to Sections 2 and 4 of Article 28).
- The processor will help the controller uphold their obligations under the GDPR, particularly concerning data subjects’ rights.
- The processor will help the controller maintain GDPR compliance with regard to Article 32 (security of processing) and Article 36 (consulting with the data protection authority before undertaking high-risk processing).
- The processor agrees to delete all personal data upon the termination of services or return the data to the controller.
- The processor must allow the controller to conduct an audit and will provide whatever information is necessary to prove compliance.
GDPR fines await those who don’t comply
Since the GDPR went into force, data protection authorities have demonstrated their willingness to issue penalties. And small- and medium-sized businesses were not overlooked. GDPR fines can range up to €20 million or 4% of the company’s global revenue.
However, there are two tiers of fines, depending on the severity and type of violation. GDPR fines issued for violations related to data processors typically fall under the first tier, which guidelines state can be as severe as €10 million or 2% of global revenue.
In any case, it’s much less painful to sign a data processing agreement and adhere to the terms than it is to pay a GDPR fine. We hope this guide will help. For more easy-to-digest help on GDPR compliance, check out our GDPR checklist.