A Data Processing Agreement (DPA) confirms the terms on which one party (the ‘processor’) processes personal data provided or made available by another party (the ‘controller’).
Examples of data processing include arrangements where an organisation provides details of its employees and their remuneration packages to a payroll services provider, or provides lists of its clients’ and stakeholders’ email addresses to an email marketing platform, or uploads its business data to a hosted data storage provider.
As well as being the right thing to do commercially, controllers and processors are required by Art 28(3) of the GDPR (now incorporated into UK law, as amended) to enter into a contract which sets out:
- The subject-matter and duration of the processing
- The nature and purpose of the processing
- The type of personal data and categories of data subjects
- The obligations and rights of the controller
The contract must also stipulate the processor obligations listed in paragraphs (a) – (h) of Art 28(3):
- Only process personal data in accordance with the controller’s documented instructions.
- Ensure that individuals authorised to process personal data have committed themselves to confidentiality.
- Implement appropriate technical and organisational measures to ensure the information’s security.
- Assist the controller with its response to any request by a data subject.
- Co-operate with the controller in the event of a personal data breach.
- Co-operate with the controller if the controller carries out a data protection impact assessment.
- Delete or return the personal data at the end of the engagement.
- Not transfer personal data outside of the UK without the controller’s permission.
If a processor wants to engage its own processor (a ‘sub-processor’), the processor must obtain the controller’s specific or general prior authorisation. If the authorisation is general, then the processor must notify the controller of any additional or replacement sub-processor (Art 28(2)). The processor must also enter into a DPA with the sub-processor which imposes on the sub-processor the same data protection obligations as are set out in the DPA between the processor and the controller (Art 28(4)).