
Data Processing Agreement (DPA)

Almost all companies process personal data in some way. It could be information about customers, users, or employees (processing means collecting, recording, storing, transmitting and more). If your company does process personal data, you should get to know the duties that follow from the GDPR.

What is a data processing agreement?

As a company, a major part of GDPR compliance is to have signed data processing agreements with your vendors. A data processing agreement, or a so-called DPA, is a legal contract between a company and its vendors. It should always be used when your company is processing personal data and transferring it to vendors. The purpose of the DPA is to lay out the appropriate technical and organisational measures for the processor to follow when processing data.

When do I need a DPA?

Companies located inside the EU or companies that are processing data about EU citizens need to sign a GDPR data processing agreement any time they hire a third party to process that data. A data processing agreement defines clear roles and obligations for controllers and processors. It is a useful contract for any arrangement between two parties working with customer or user data.

Who is a data controller, data processor, and sub-processor?

The Data Controller is the person or legal entity that determines the purpose of the processing of personal data and how the data is processed.

The processor is the person or legal entity that processes data on behalf of the data controller. This could be a third-party service provider. The data processor is not allowed to do anything with the data other than what is explicitly stated by the data processing agreement. An example of a processor would be a software company delivering HR software to customers. If the customers of the HR company add personal data about their employees, the HR company would then be a data processor.

A sub-processor is a company that provides a service and that will have, or could potentially get, access to the personal data of your customers' customers. For instance, if the HR company from the example above uses AWS as a cloud hosting service, AWS would then be the sub-processor of the HR company.

What is personal information (non-sensitive and sensitive)?

Personal data is all information that can be used to identify a person.

Personal information includes all information that is not classified as special categories of information (sensitive personal information). This can be, for example, identification information such as name, address, age and education. This also applies to financial matters such as taxes and debts. Information such as photos, fingerprints, family relationships, housing, car, exams, job applications, CV, date and position of employment, work area and work telephone is also personal information.

Sensitive personal data is explicitly mentioned in the GDPR Art. 9, and the possibility to process such data is narrower than in the case of ordinary personal data. Sensitive information is information about:

  • Race and ethnic origin
  • Political beliefs
  • Religious or philosophical beliefs
  • Trade union affiliation
  • Genetic data
  • Biometric data for unique identification
  • Health information
  • Sexual relationships or sexual orientation.

Only the information mentioned above is considered sensitive personal information. If personal data is anonymized so it is no longer possible to identify anyone from it, the data is no longer seen as personal data.

What does a DPA need to contain?

A DPA is often comprised of clauses that describe the application & terms, purpose of the processing of personal data, the proper technical & organizational measures that should be implemented by the processor when processing the data of the controller, the rights of the data subjects, the possibility to enlist sub-processors, the transfer of personal data, what happens in case of data breaches, the audit rights, the return & deletion of personal data, liability and jurisdiction.

If a proper DPA is set in place between you and your vendors and a vendor at a later stage mishandles your data, the DPA will ensure that you are compliant with the GDPR, as it was the vendor that was not following the rules and conditions stated by your signed DPA.

If you have not signed a DPA with your vendors, your company may become liable for a data breach since your company failed to implement the proper measures to ensure the protection of the data subject rights.

Besides the financial consequences your company will suffer in case of a breach, you risk losing the trust and goodwill of your customers.

Did you know we can keep your DPAs automated?

As a part of the Vendor Hub, you can have your attorney-level DPAs changed automatically when the law changes and when you and your vendors update your GDPR information.

How can you become a part of the Privacy Hub?

Ensure your GDPR compliance and experience the Privacy Hub for yourself. It is simple and easy. You can either find more information on our website or book a demo directly.

Download our free DPA template

Get a lawyer-vetted Data Protection Agreement template that retains a high standard and ensures your and your vendors’ compliance.

Automate your DPA with Privacy Hub

Fully automate and keep your Data Processing Agreement and the privacy information about your vendors up to date with Privacy Hub.


Join our free webinar

Data processors: When are you a processor, what does it mean and what do you need to do?
