Data Processing Agreements (DPAs) – heyData creates transparency
Introduction
In day-to-day business, a Conclusion of a Data Processing Agreements (DPAs) is a measure that is intended to strengthen consumer data protection due to the new, stricter EU requirements. If personal data is forwarded to third parties and processed, a so-called DPA is often concluded. The need for an DPA contract arises from a classic scenario. If a company (client) commissions another company (contractor) to view and process personal data, the responsibility for this data lies with the client. The contractor must at all times provide all necessary guarantees in accordance with Article 28 of the General Data Protection Regulation (GDPR). This article states that the processing of personal data may be carried out on behalf of the controller. Improper processing of personal data can lead to fines and a loss of image!
When is an DPA necessary?
The need for an DPA arises from a classic scenario. If a company (client) commissions another company (contractor) to view and process personal data, the responsibility for this data lies with the client. The contractor must at all times provide all necessary guarantees in accordance with Article 28 of the General Data Protection Regulation (GDPR). This article states that the processing of personal data may be carried out on behalf of the controller. Improper processing of personal data may result in fines and a loss of image!
Which data are considered personal?
Personal data is information that makes a person identifiable. On the Internet, we often come across the following data queries:
- Name
- address
- E-mail contact information
- telephone numbers
- Account / credit card information
- Dates of birth
- IP addresses
- Physical characteristics
- Certificates or attestations
This is therefore very sensitive data. When processing this information, care must always be taken to determine whether external access is absolutely necessary for the performance of an activity.
Is the transfer of personal data to a business partner always commissioned processing?
No, from a legal point of view, commissioned processing only exists if the processing of personal data is carried out on behalf of the client and forms the main core of the agreed service. Commissioned services that do not mainly cover the area of data processing do not require the conclusion of an DPA.
Practical example:
- A company providing maintenance of a printer (physical hardware, not software) does not usually require the conclusion of a contract processing agreement, because the core of the service provided is not the processing of personal data, but the maintenance of a device.
- Confidential holders such as auditors or tax consultants are also not required to conclude a GCP. These professional groups are bound to secrecy by profession and therefore do not need an DPA.
In contrast, an advertising agency that sends out advertising flyers on behalf of a company and uses personal data such as postal or e-mail addresses, for example, must conclude a GDPR because the agency receives the address data from the client and must process it.
Other examples of a necessary DPA are:
- Outsourcing of email management
- External data collection
- External backups
- Data carrier disposal
- External call center
Of course, it is difficult to precisely define the need for an DPA, and the boundaries often overlap. One important indicator of the need for an DPA contract is the authority to give instructions. If the external service provider is not authorized to decide freely on the performance and nature of the service, there is a binding of instructions to the client, and this makes an DPA contract mandatory.
Consulting services on the DPA contract? heyData is your reputable partner!
Regarding the administration of an DPA contract, heyData keeps track of everything. We provide you with legally compliant contract templates and are happy to advise you!
We support you as a client in the following points:
- Provision of a legally compliant order processing contract
- Advice on possible risks with the individual service providers
- Monitoring of compliance with data protection obligations by the contractors
We support contractors in the following points:
- Advice on the correct structuring of cooperation with clients in accordance with data protection law
- Drafting of a legally secure order processing contract
- Instructions on the correct implementation of the obligations arising from the GCU
heyData brings light into the darkness - The contents of the DPA contract
Drawing up an DPA contract (DPA DSGVO) causes difficulties for many companies, as there are many details to consider. heyData is your competent partner when it comes to the correct and data protection-compliant drafting of your DPA contract.
The following points have to be considered for an DPA contract:
1. Clarity of the contracting parties
The GC must name the client and the contractor (data processing party).
The object of the contract and the purpose of the processing of personal data must be defined here. The groups of persons concerned must also be named. To save space, this information can also be listed in an attachment.
2. Obligation of the client.
The principal has the constant responsibility for the processing of personal data and must protect the rights of the data subjects. He appoints persons authorized to give instructions. Irregularities or processing errors shall be written down.
3. Contractor obligations.
The contractor may only process data defined in the service agreement. In the event of a legal violation, the client must be informed immediately. The obligations of the contractor represent the core of an DPA, since data is handled in this processing area.
4. The Data Protection Officer.
If there is an external or internal data protection officer, this information will be included. Consultation with a data protection officer is recommended - heyData will be happy to advise you on this topic.
5. Reporting obligations of the contractor.
The contractor must guarantee compliance with data protection. In case of violations of the GDPR or other contractual obligations, the client must be notified immediately.
6. Cooperation of the Contractor.
The Contractor shall be obliged to support the Client in all areas relating to the processing of data. This shall include the handling of requests relating to the exercise of data subject rights and the preparation of processing lists.
7. Data protection control
The Client is legally authorized to check compliance with the GDPR at any time. An inspection at the Contractor's business premises shall be made possible.
8. Definition of a subcontracting relationship.
If the contractor is contractually permitted to employ a subcontractor, this must be written down in detail.
9. Confidentiality
Deut Contractor and its employees are obliged to maintain confidentiality when personal data is processed. The client's confidentiality rules must be observed.
10. Rights of data subjects.
According to Art. 12-23 GDPR, the client is obliged to process requests from data subjects. The Contractor is placed under the obligation to support the Client in this regard.
11. Disclosure of measures
The contractor is obliged to disclose all technical and organizational measures.
12. Duration of Cooperation
The start and termination of the contractual relationship is defined. Termination modalities are recorded.
13. Termination of the cooperation
Documents, data and all further results are to be handed over to the client or also deleted.
14. Closing clause
Defined final provisions are recorded.
Conclusion
In conclusion, a Data Processing Agreement (DPA) is an important measure to ensure data protection when processing personal data. You should be aware that the transfer of data to third parties and its processing can involve significant legal and financial risks if adequate safeguards are not in place.
An DPA regulates your rights and obligations as well as those of the contractor, thus creating transparency and legal certainty. It specifies how the data will be processed, what security measures must be taken, and how to deal with data breaches.
It is important that you carefully consider the need for an DPA and make sure that you work with trustworthy and reliable contractors. A reputable partner like heyData can assist you in creating and implementing an DPA and ensure that all legal requirements are met.
Protecting personal data is crucial in today's digital world. You need to make sure that you respect your customers' privacy and take all necessary measures to protect their data. A well-structured and comprehensive DPA is an important step in this direction.
If you have any questions about data protection and order processing contracts, heyData is happy to help. Trust our expertise and let's work together to make sure your data is safe and secure.
Do you have questions about data protection and DPAs? - heyData will be happy to advise you - Contact us!
More articles
5 Powerful Alternatives to Passwords for Business Security
As cyber-attacks surged by 30% in 2024, businesses are turning to passwordless authentication to enhance security. Traditional password-based methods, which are vulnerable to credential theft, phishing, and human error, are increasingly insufficient. In contrast, passwordless methods offer enhanced protection and convenience. Some alternatives include biometric authentication, hardware-based solutions, token-based methods, Public Key Infrastructure (PKI), and mobile device authentication. These approaches improve security, reduce costs, and provide better user experiences.
Learn more8 Steps to Ensure GDPR Compliance for SaaS Companies
GDPR compliance is essential for SaaS companies operating in the EU, protecting personal data and building trust. Non-compliance risks include fines up to €20 million, reputational damage, slower product development, and legal issues. To ensure compliance, businesses should conduct data audits, appoint a Data Protection Officer, adopt privacy-by-design principles, implement consent management systems, manage data subject requests effectively, strengthen security, review vendor agreements, and prepare a breach response plan. These steps enhance trust, ensure compliance, and provide a competitive advantage.
Learn moreNavigating AI Compliance: A Guide for Startups
The EU AI Act requires startups to document AI systems, assess risks, and train employees. Our guide breaks down key steps—from AI inventory to risk assessment. Using CrediScore-AI as an example, we showcase how a fintech startup successfully navigated compliance by classifying systems by risk and providing targeted training.
Learn more