All About GDPR Data Processing Agreements!
What is a Data Processing Agreement?
A Data Processing Agreement is a legally enforceable contract between a data Controller and a data Processor. The Data Processing Agreement stipulates for what purposes and to what extent can the Processor process data on behalf of the Controller.
What is a Data ‘Controller’?
A data ‘Controller’ is the person or entity that determines the purpose and means of data processing.
What is a Data ‘Processor’?
A data ‘Processor’ is the person or entity who processes the data on behalf of the Controller and in accordance with the Controller’s
Often, a company or entity who collects data directly from a data subject will be the ‘Controller’ of that data. For example, an employer may be considered a ‘Controller’ of employee personal data, and a ‘Processor’ in this situation may be a third-party payroll company.
Do I need a Data Processing Agreement?
The GDPR imposes strict obligations on Controllers in relation to processing activities involving Personal Data. According to Article 25 of the GDPR, it is the Controller that must ensure that it is able to demonstrate that processing is performed in accordance with the GDPR. Further, Controllers must ensure that any third-party processors it has employed are processing Personal Data in a manner that is consistent with the obligations of Processors under the GDPR.
Importantly, under Article 28 of the GDPR, the Controller must enter a legally binding contract with any Processors that it engages for the purpose of processing Personal Data. This obligation similarly applies Processors where they engage another Processor to perform some function of the processing activities.
For example, if a Processor outsources some of the processing activities to another Processor i.e. a sub-Processor, then the Processor must enter into a legally binding contract with that sub-Processor. In addition, the Processor must seek written authorisation from the Controller before engaging the sub-Processor.
What should be included in a Data Processing Agreement?
A Data Processing Agreement must set out the purpose and duration of the processing; the subject-matter and type of data being processed; who are the relevant data subjects and what are the rights and obligations of the Controller and the Processor respectively.
Additionally, Data Processing Agreements should cover the following:
- the legal basis for the processing of Personal Data;
- whether the Controller has authorised the international transfer of Personal Data under any circumstances, if so what are the protections required under the agreement and the GDPR;
- access to Personal Data, including issues of confidentiality and processing of Sensitive Data;
- that the processing of Personal Data complies with the security measures as set out under Article 32 of the GDPR;
- how the Processor must respond to Personal Data access requests by data subjects;
- how the Processor must deal with, and respond to, data breaches concerning Personal Data;
- compliance requirements such as reporting and audits.
The above is provided and intended as a guideline only and does not cover the entirety of factors that should be considered under a Data Processing Agreement.
Take-away points
- The GDPR contains important obligations for Processors and Controllers that may impact on data processing activities;
- A Data Processing Agreement is essential for Controllers and Processors where a third-party Processor (or sub-Processor) is engaged;
- Controllers should seek assurance that Processors are bound by a written Data Processing Agreement that ensures the protection of Personal Data.
Sam Gilbert, IP and Technology Consultant, B.A., LL.B University of Technology, Sydney
If you would like to know more about Data Processing Agreements or the GDPR, please do not hesitate to get in contact with the team at W3IP Law on 1300 776 614 or 0451 951 528.
Disclaimer. The material in this post represents general information only and should not be taken to be legal advice.
