
What Is A Data Processing Agreement And Why Do You Need One? - All You Need To Know

By: Søren Lassen Jensen GDPR | 31 October

So, why should you have a GDPR data processing agreement? Well, almost every business relies on third parties to process data. And if you want to comply with the GDPR and avoid fines, you should sign a data processing agreement. When you’re done with this blog post, you’ll know what a data processing agreement is, who does what in an agreement, and tips and tricks for drafting your own agreement.


The GDPR requires data processing agreements for compliance 

The GDPR requires that a data controller (such as an organization or company) signs a data processing agreement with any party that acts as a data processor on its behalf. We know what you’re thinking: “urgh, more annoying paperwork.” But a data processing agreement is an important step in reaching GDPR compliance AND it helps you avoid GDPR fines. So, if you want to have a lawful basis for processing data, you need a data processing agreement with each of your data processors.

What is a data processing agreement? 

We’ll tell you the short version, and the official European Union version. 

The short version

A data processing agreement is a contract between a data controller and a data processor that describes how and why data is processed. 

The official version 

A data processing agreement is a legally binding document signed between a data controller (such as an organization) and a data processor (such as a third-party service provider). 

But what exactly does it do in layman’s terms? 

  • It’s an agreement on how and what data is being processed, and a commitment that all parties processing the personal data comply with the GDPR.

You’re probably thinking: “Do I need a data processing agreement?” You probably do. If you exchange any form of personal data with other parties and are involved in data processing, you need a data processing agreement.

Let’s start with the basics: what exactly is data processing, who is a controller, and what is a processor?

What is data processing? 

Data processing covers any handling of data. The GDPR defines it quite broadly, as any act or operation that is performed on personal data.

Typically, data processing is the collection and handling of raw digital data to produce valuable information, but it can also be:

  • Payroll administration 

  • Posting images of people on your website 

  • Sending promotional e-mails 

  • Access to databases with personal data 

What is a data controller? 

A data controller is the organization or company that determines the purpose for which, and the way in which, personal data is processed.  

For example, when our customers receive awareness training, most of them use our LMS platform, which is provided by efront. Efront is a third-party LMS platform provider that we use to deliver our awareness training courses to our customers. You can of course also receive our courses on your own LMS platform.

In this case, we (CyberPilot) are the data controller, and the LMS platform is the data processor. We collect data about your employees and determine the use of it. The LMS platform then processes the data on our behalf according to the purpose of the data.


What is a data processor then? 

A data processor is an organization or person that processes data on behalf of a data controller. 

If you want to know more about data controllers and processors, you can read about it on our blog, where we’ve written a guide covering everything you need to know as a data controller or processor.

Now we’ve got the basics covered. We know what a data processing agreement is, what it consists of, and that the GDPR requires it for compliance. But when is it needed?

When is a data processing agreement required?

You need a data processing agreement (GDPR DPA) if you’re a data controller and you use a data processor that processes data on your behalf.

In fact, if you’re a data controller, you need a data processing agreement with every single one of your data processors that processes data on your behalf.

Also, if you are a data processor and you use sub-processors, you need a data processing agreement with each of your sub-processors.

If any form of personal data is being exchanged between you (the controller) and the data processor, then a data processing agreement is required. 

The GDPR requires that data controllers protect the personal data they handle. This means that data controllers are responsible for making sure that their processors also take protective measures to protect that data.

That’s why it’s a good idea to look through your data processing agreement to see if everything is in order.  

Common things that go wrong with data processing agreements 

It’s always a good idea to review the data processing agreement for possible problems. The most common problems that arise from a data processing agreement are:

The processor is processing more than asked for 

  • The scope of the processor’s processing of personal data is greater than the data controller’s legal basis for processing personal data. Thus, they are not complying with the GDPR.

A lack of security measures 

  • It’s your responsibility to make sure that your data processor has sufficient protective measures in place and is GDPR compliant. Make sure your data processor can ensure the security of personal data and guarantee confidentiality.

Location and transfer of your data 

Approval of sub-processors 

  • Remember to check with your data processors if they’re using sub-processors. The GDPR requires that data processors notify you (the data controller) if any sub-processors are used. 

It’s important that data controllers are selective when choosing data processors. It’s the data controller’s responsibility to make sure their processors abide by the appropriate standards.

A great way to avoid some of these common problems with a data processing agreement is to have a checklist of what you need to include in a data processing agreement. We’ve got you covered.

Data processing checklist 

Here we’ve gathered all the essential things you need in order to have a data processing agreement that complies with the GDPR.

We know that it might be quite overwhelming to form a data processing agreement on your own. That’s why we’ve gathered a couple of templates to help you get started. 

Data processing agreement template 

Different countries and their respective national data protection agencies have their own data processing agreement templates that you can use, and you are of course welcome to draft your own contract as well. 

Here are some examples of data processing agreement templates that are free to download: 

These of course must be adjusted to fit the use case of your own company, but they are a great starting point.

What we’ve learned 

We hope you learned something useful about data processing agreements. A data processing agreement (GDPR DPA) helps you comply with the GDPR and ensures that the personal data you’re responsible for is handled properly.

Here are some of the most important takeaways:

  • A data processing agreement is required for GDPR compliance.

  • A data processing agreement is required if personal data is being exchanged between parties. 

  • Make sure that your data processor is processing the correct amount of data. 

  • It’s a good idea to have a data processing checklist in place. 

Another step in complying with the GDPR is training your whole team with continuous awareness training. By doing this you create a strong cyber security culture in your organization.