Data processing agreement (DPA)

A data processing agreement, or DPA for short, is an important document in data protection law that is required in many countries, including the European Union. In practice, a DPA is required when a company (client) commissions a third-party provider (contractor) to process personal data on its behalf, such as a store system that processes orders. This contract defines the responsibilities and requirements for data processing and data protection. The DPA ensures that both parties comply with data protection regulations and that personal data is processed securely and correctly (in accordance with Art. 29 GDPR).

Data processing agreements (DPAs) are very important because they play a central role in data protection. They protect the rights of the data subjects whose data is processed and define the obligations of both the client and the contractor. Without such a contract, you risk legal consequences and fines. Imagine how carefully you would handle house keys that someone entrusts to you. The same applies to people's personal data - it must be treated securely and confidentially.

Here are the main reasons why order processing contracts are essential:

1. Legal compliance: in the European Union and many other countries, an AVV is required by law. Without this contract, you can be in breach of both national data protection laws and the General Data Protection Regulation (GDPR) at EU level, which can lead to penalties.
2. Clear responsibilities: The DPA sets out exactly who is responsible for what. The DPA specifies how data is to be processed and protected.
3. Protection of data subjects: The DPA helps to protect the rights of individuals whose data is being processed and to ensure that their information is not misused or mismanaged.
4. Building trust: When companies entrust their data to another party, they want to be sure that everything is in order. The DPA is like a handshake that builds trust and shows that both parties understand and follow the rules.
5. Risk management: If something goes wrong (for example, a data breach), the DPA specifies who is responsible and how to handle the situation. It's like a contingency plan that ensures everything runs as smoothly as possible, even if problems arise.

In summary, the DPA is like a comprehensive plan that ensures that everything is done correctly in terms of data processing. It helps to ensure that laws are respected, people are protected, and business is conducted in an ethical and responsible manner. It is a crucial tool for building trust in the digital world.

A DPA must be concluded between the controller (the own company) and the processor (the service provider) in accordance with Art. 28 paragraph 3 of the GDPR. When creating a DPA you should include the following elements:

1. The nature and purpose of the processing: what data is being processed and why? It should be clear which personal data are processed and for what purpose.
2. Processor obligations: How should the processor handle the data? These obligations may include requirements for security, confidentiality, and compliance with the law.
3. Rights and obligations of the controller: What may and must the principal do? This could include the right to monitor processing, give instructions, and ensure that the processor complies with the requirements of applicable data protection law.
4. Technical and organisational measures: How will the data be protected? This part should describe the security measures taken to protect the data from loss, misuse, or unauthorised access.
5. Sub-processors: If the processor subcontracts to other companies, the DPA should regulate this. It must be clear under what conditions this is allowed.
6. Rights of data subjects: How are the rights of the people whose data are processed protected? The DPA should ensure that their rights, such as the right of access, rectification, and erasure, are respected.
7. Obligation to report breaches: What happens if something goes wrong? The DPA should specify how data breaches are to be reported and who is responsible for them.
8. Deletion and return of data: What happens at the end of the contract? The DPA should regulate how data is deleted or returned at the end of processing.
9. Monitoring rights and obligations: The DPA should also specify the rights of the controller to monitor the processor's compliance with the contract.

Processing of personal data

The processing of personal data includes handling this data, such as the collection, storage, use, or deletion. According to Article 4 of GDPR, processing includes, among other things

• Collection: Data is collected.
• Storage: Data is stored and backed up.
• Use: Data is used to provide services.
• Deletion: Data is securely deleted when it is no longer needed.

A data processing agreement contract is required if an external company processes personal data on behalf of another company.

Examples of this are

• Using cloud services: If you use Google Drive or Microsoft 365.
• Outsourcing payroll accounting: If external payroll offices take over payroll accounting.
• Hire call centers: For customer support or satisfaction surveys.
• Use newsletter services: Tools such as Mailchimp for sending newsletters.
• Commission IT service providers: Maintenance and support of IT systems by external service providers.

If your company uses external service providers for the processing of personal data, it is necessary to arrange a contract for the processing of personal data. This applies, for example, to areas such as payroll accounting, sales, and marketing.

When processing personal data, a distinction must be made as to whether a service provider is bound by instructions or acts independently. Examples of such professional groups would be tax consultants, banks, company doctors, and lawyers. Due to the fact that they are not bound by instructions, there is no need to conclude a contract processing agreement.

• The expertise of our experts: Our team of specialised lawyers knows the needs of each field and can give you the best advice.
• Time-saving: Instead of struggling through the jungle of paragraphs and laws, heyData manages in a few weeks everything that could take months.
• Continuous support: With heyData at your side, you always have a contact person for all questions regarding data protection.
• Individual solutions: Every company is unique - we offer tailor-made solutions for your individual requirements.

Summary

An order processing contract is essential for any business relationship in which personal data is processed by external service providers. It ensures that all legal requirements of the GDPR are met and protects both the data and the companies involved from legal risks. With a clear data processing agreement, the client and contractor can work together securely and in compliance with the law. Regardless of whether you are acting as a contractor or client - we provide comprehensive support in both cases.

Let our experts advise you! ➔