One of the key components of complying with the General Data Protection Regulation (GDPR) is having a Data Processing Agreement. A data processing agreement is a contract between a data collector and the third-party services they employ to process data.
In this article, you will find out what a data processing agreement is, what it looks like, and why your business might need one.
What Is a Data Processing Agreement?
A data processing agreement, also referred to as a data processing addendum, is a legal contract in which you determine the rights and obligations of the parties involved in the data processing.
Most of the time, that includes your business and third-party services you use.
Your business is the data controller, while any third-party company helping you collect and/or process data is the data processor.
A GDPR data processing agreement helps assure users that you’re taking ownership of the data collection process, including how processors working on your behalf treat data.
Do I Need a Data Processing Agreement?
You may need a data processing agreement in order to avoid GDPR penalties for non-compliance.
According to Article 83 of GDPR, businesses that do not follow GDPR requirements risk fines of up to $20 million or 4% of global revenue (whichever is greater). To avoid those risks, it’s necessary to follow the guidelines for GDPR compliance, including preparing a data processing agreement.
You need a data processing agreement if you meet the following qualifications:
- You have users in the European Economic Area (EEA).
- You collect or process user data.
- You use a third-party service to process data, or you provide third-party data processing services.
Data Processing Agreement Examples
Let’s look at a couple of examples of data processing agreements to see how other companies meet the GDPR data processing agreement requirement.
Example 1: LinkedIn’s Data Processing Agreement
Take, for example, LinkedIn’s data processing agreement:
LinkedIn uses a minimalistic structure and ensures everything is short and to the point.
It’s not very user-friendly in terms of navigation, but it provides every part of the legal document in sufficient detail.
Example 2: Verizon’s Data Processing Agreement
Verizon Media’s DPA offers us another example:
The document is organized neatly, with headings on the left that make it easy to navigate through the sections.
What to Include in a Data Processing Agreement
According to GDPR Article 28, Section 3, there are eight important points on any DPA checklist:
- The data processor’s agreement to process data only on the written instructions of the data controller.
- A commitment to confidentiality from everyone involved in the data processing.
- A list of all measures taken to guarantee the security of the data.
- The controller must ensure that the processor does not outsource its delegated functions to another processor without the controller’s knowledge and consent.
- The processor must assist the controller in complying with GDPR, in particular with regard to the controller’s obligations concerning data subjects’ rights.
- The processor must assist the controller in fulfilling its duties under GDPR, namely Article 32 (Security of Processing) and Article 36 (Prior Consultation).
- After the services have been terminated, or once the data has been returned to the controller, the processor must agree to delete all personal data.
- The controller is entitled to audit the processor, who must provide all relevant information on request.
This might seem like a lot, but there are many examples on the web to draw inspiration from. You can also check out the templates on the official GDPR website.
Having a DPA is an important component of GDPR compliance. It helps you to avoid hefty fines, while also building up trust with your clients by demonstrating that you and your data processor(s) are responsible and trustworthy.
Check out the official GDPR data processing agreement template to get started on creating a DPA for your business.