Data Processing Agreement (DPA) - heyData

Reduce GDPR complexity with heyData

Data processing agreement (DPA)

You no longer have to worry about GDPR-compliant data processing agreements. We are at your side, professional and uncomplicated.

  • Consultation with specialised lawyers
  • Support with all compliance-related topics, documentation, staff training, etc.
  • An offer tailored to your specific needs

What is a data processing agreement (DPA)?

A data processing agreement, or DPA for short, is an important document in data protection law that is required in many countries, including the European Union. In practice, a DPA is required when a company (client) commissions a third-party provider (contractor) to process personal data on its behalf, such as a store system that processes orders. This contract defines the responsibilities and requirements for data processing and data protection. The DPA ensures that both parties comply with data protection regulations and that personal data is processed securely and correctly (in accordance with Art. 29 GDPR).

Why are data processing agreements so important?

Data processing agreements (DPAs) are very important because they play a central role in data protection. They protect the rights of the data subjects whose data is processed and define the obligations of both the client and the contractor. Without such a contract, you risk legal consequences and fines. Imagine how carefully you would handle house keys that someone entrusts to you. The same applies to people's personal data - it must be treated securely and confidentially.

Here are the main reasons why data processing agreements are essential:

  1. Legal compliance: In the European Union and many other countries, a DPA (known in Germany as an AVV) is required by law. Without this contract, you can be in breach of both national data protection laws and the General Data Protection Regulation (GDPR) at EU level, which can lead to penalties.
  2. Clear responsibilities: The DPA sets out exactly who is responsible for what. The DPA specifies how data is to be processed and protected.
  3. Protection of data subjects: The DPA helps to protect the rights of individuals whose data is being processed and to ensure that their information is not misused or mismanaged.
  4. Building trust: When companies entrust their data to another party, they want to be sure that everything is in order. The DPA is like a handshake that builds trust and shows that both parties understand and follow the rules.
  5. Risk management: If something goes wrong (for example, a data breach), the DPA specifies who is responsible and how to handle the situation. It's like a contingency plan that ensures everything runs as smoothly as possible, even if problems arise.

In summary, the DPA is like a comprehensive plan that ensures that everything is done correctly in terms of data processing. It helps to ensure that laws are respected, people are protected, and business is conducted in an ethical and responsible manner. It is a crucial tool for building trust in the digital world.

What must a data processing agreement (DPA) include?

A DPA must be concluded between the controller (your own company) and the processor (the service provider) in accordance with Art. 28 paragraph 3 of the GDPR. When creating a DPA, you should include the following elements:

  1. The nature and purpose of the processing: what data is being processed and why? It should be clear which personal data are processed and for what purpose.
  2. Processor obligations: How should the processor handle the data? These obligations may include requirements for security, confidentiality, and compliance with the law.
  3. Rights and obligations of the controller: What may and must the controller do? This could include the right to monitor processing, give instructions, and ensure that the processor complies with the requirements of applicable data protection law.
  4. Technical and organisational measures: How will the data be protected? This part should describe the security measures taken to protect the data from loss, misuse, or unauthorised access.
  5. Sub-processors: If the processor subcontracts to other companies, the DPA should regulate this. It must be clear under what conditions this is allowed.
  6. Rights of data subjects: How are the rights of the people whose data are processed protected? The DPA should ensure that their rights, such as the right of access, rectification, and erasure, are respected.
  7. Obligation to report breaches: What happens if something goes wrong? The DPA should specify how data breaches are to be reported and who is responsible for them.
  8. Deletion and return of data: What happens at the end of the contract? The DPA should regulate how data is deleted or returned at the end of processing.
  9. Monitoring rights and obligations: The DPA should also specify the rights of the controller to monitor the processor's compliance with the contract.

Processing of personal data

The processing of personal data includes handling this data, such as the collection, storage, use, or deletion. According to Article 4 of the GDPR, processing includes, among other things:

  • Collection: Data is collected.
  • Storage: Data is stored and backed up.
  • Use: Data is used to provide services.
  • Deletion: Data is securely deleted when it is no longer needed.

When do I need a data processing agreement?

A data processing agreement is required if an external company processes personal data on behalf of another company.

Examples of this are:

  • Using cloud services: If you use Google Drive or Microsoft 365.
  • Outsourcing payroll accounting: If external payroll offices take over payroll accounting.
  • Hiring call centers: For customer support or satisfaction surveys.
  • Using newsletter services: Tools such as Mailchimp for sending newsletters.
  • Commissioning IT service providers: Maintenance and support of IT systems by external service providers.

Who needs a data processing agreement?

If your company uses external service providers to process personal data, you must conclude a data processing agreement with them. This applies, for example, to areas such as payroll accounting, sales, and marketing.

When personal data is processed by a service provider, a distinction must be made as to whether the provider is bound by the client's instructions or acts independently. Examples of professional groups that act independently are tax consultants, banks, company doctors, and lawyers. Because they are not bound by instructions, no data processing agreement needs to be concluded with them.

heyData – your partner to become GDPR compliant!

  • The expertise of our experts: Our team of specialised lawyers knows the needs of each field and can give you the best advice.
  • Time-saving: Instead of struggling through the jungle of paragraphs and laws, heyData manages in a few weeks everything that could take months.
  • Continuous support: With heyData at your side, you always have a contact person for all questions regarding data protection.
  • Individual solutions: Every company is unique - we offer tailor-made solutions for your individual requirements.

Summary

A data processing agreement is essential for any business relationship in which personal data is processed by external service providers. It ensures that all legal requirements of the GDPR are met and protects both the data and the companies involved from legal risks. With a clear data processing agreement, the client and contractor can work together securely and in compliance with the law. Regardless of whether you are acting as a contractor or client - we provide comprehensive support in both cases.

Let our experts advise you!

Contact heyData now and let us clarify your DPA in an uncomplicated way!

Frequently asked questions

What is the difference between a controller and a processor?

The controller is the person or organisation that determines the purposes and means of data processing. The processor is the person or organisation that processes personal data on behalf of the controller.

When is a DPA required?

A DPA is required whenever a controller transfers personal data to a processor. This applies to services such as cloud storage, IT support, payment processing, and other processing activities for personal data.

Can a DPA be concluded electronically?

Yes, according to Article 28 paragraph 9 of the General Data Protection Regulation, DPAs may be concluded in writing or in electronic form.

What happens if there is no DPA?

The absence of a lawful DPA between controller and processor may constitute a breach of the GDPR and lead to legal consequences, including fines.

How long should a DPA be retained?

The DPA should be retained for as long as the data processing between the controller and processor continues, and beyond that for a reasonable period of time in order to demonstrate compliance with the GDPR.

May a processor engage sub-processors?

Yes, but this requires the explicit authorisation of the controller and clear rules on the responsibilities and data protection obligations of the sub-processor.