
What is a Data Processing Agreement in GDPR?

Central to data protection in the EU is the GDPR and its rules on data processing. One of the most challenging aspects of GDPR is adjudicating the relationships between the different parties that handle data for various purposes, namely the relationships between managed service providers and the various, loosely defined groups of organizations that use data in their daily operations.

In this scenario, the Data Processing Agreement (DPA) is central to protecting data: it is the contract that governs the relationship between data controllers and data processors. This article delves into the details of GDPR-compliant DPAs, highlighting their significance and critical components.

What Is a Data Processing Agreement?

A Data Processing Agreement (DPA) is a legally binding agreement between a data controller and a data processor, maintained as part of their working relationship. GDPR mandates this agreement to ensure that personal data is processed in a lawful, fair, and transparent manner, safeguarding the rights of data subjects under the regulation.

In the context of the GDPR, a “controller” and a “processor” are as follows:

Within a given DPA, there is only one controller and one processor, even if the controller also acts as a processor in other situations. Additionally, a processor may subcontract to additional processors (sub-processors), which has ramifications for the current and any future DPAs (more on that later).

This contract should also specify other obligations and rights, such as ensuring data confidentiality, assisting the controller in honoring data subjects’ rights, and implementing the appropriate security measures required under EU regulations.


What Should a DPA Accomplish?

While a DPA is a legal agreement between two parties, it is expected to carry the weight of regulation and law with respect to the parties to the contract. As such, the DPA is less a simple piece of paperwork that companies need to keep on record and more a clear delineation of responsibilities and obligations (similar to a Business Associate Agreement under HIPAA).

Generally, a DPA should spell out the following aspects of the working relationship between a controller and processor:

While these are broad categories, they have more significant ramifications for the specific tasks and processes a processor will carry out on behalf of a controller.


What Is Required As Part of a Data Processing Agreement?

It’s important to note that “processing” in these agreements means storing, manipulating, or transferring user information on behalf of the controller, which is the party that engages with data subjects as customers or users. Much of the DPA stems from GDPR rules as they apply to these practices.

Under Article 28, when processing is to be carried out on behalf of a controller, the following requirements are imposed on controllers and processors as part of a data processing agreement:

Throughout these requirements, there are extensive references to other parts of GDPR, specifically Articles 32 and 36:


Article 32, “Security of Processing”

Article 32 of GDPR addresses the technical and organizational measures that data controllers and data processors must implement to ensure the security of the personal data they process.

The main requirements highlighted under Article 32 include:


Article 36, “Prior Consultation”

Article 36 deals with situations where a data controller anticipates that a type of processing, especially using new technologies, will result in a high risk to the rights and freedoms of individuals. In such cases, the data controller must consult with the relevant supervisory authority before commencing the processing.

The main ideas in Article 36 include:


Make Sure You Meet Your Requirements as a Processor or Controller with Continuum GRC

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
