Data Processing Agreement: why is it important to conclude it and what conditions should be stipulated?

To run the business and optimize personal data processes almost each company (the “controller” ) engages third parties – processor(s) , who process personal data on behalf of and for the controller in order to provide relevant services.

To transfer personal data within an described relationship, the parties should enter into a “Data Processing Agreement” or “DPA”. This agreement is a legal  requirement of the European data protection laws (specifically the General Data Protection Regulation 2016/679 (GDPR)), and is also mandated by a number of other jurisdictions (such as Brazil (LGPD), United Kingdom (GDPR UK), etc.).

Gamedev companies typically need to enter into a DPA when outsourcing processes that involve processing of personal data. For example, they engage (i) third-party developers who have access to personal data of game users, (ii) advertising companies that display advertisements in the app, or (iii) marketing companies that sends promotional emails to users (about new features in the app, company news, other), and in other cases where one company processes personal data on behalf of and for another company.

When drafting a DPA, companies often face questions regarding the conditions, which are sufficient and correspond with GDPR requirements, the form of the DPA conclusion and other legal considerations. 

We suggest reading this article to make sure you don’t miss important points when drafting a DPA and use the checklist below to check the DPAs you have already signed with contractors for the minimum required provisions. 

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (Art. 4(7) of GDPR).

 Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art. 4(8) of GDPR).

Why is it important to enter into a DPA?

There are many reasons why it is necessary to enter into a DPA in addition to the fact that having a DPA is a direct legal requirement. 

When organizing the personal data processing, the controller determines the basic criteria for such processing. This means that the controller is responsible for the use, security and confidentiality of personal data, as well as for the consequences of potential personal data breach.

That is why where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures (Art. 28(1) GDPR).

Thus, it is in the best interests of the controller to enter into a DPA to regulate the procedure of personal data processing by the processor: what the processor can do, what personal data it receives and what mandatory data protection measures it must take. Thereby the controller will first of all protect himself, because in case the processor violates the personal data processing requirements and the personal data of the subjects are leaked, the controller will be liable to them. 

What are the consequences of not having and/or incorrectly drafted DPAs?

The absence of a DPA constitutes a violation of GDPR, upon detection of which supervisory authorities are entitled to apply various types of corrective powers.

The full list of corrective powers is set out in Art. 58 GDPR. These include issuing warning about violation of GDPR requirements, requiring data processing operations to be aligned with the personal data protection requirements and, finally, imposing an administrative fine, which is very significant for companies, as the size of the fine can be quite impressive.

For the absence of a DPA, a company may be subject to an administrative fine of up to €10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year (whichever is higher).

Some cases and fines:
  • Lazio Region engaged contractors to organize the work of call centers without a DPA conclusion. Lazio Region was fined EUR 75,000 by the Italian supervisory authority for this violation.
     
  • Dedalus Biologie SAS, a provider of software for medical analytical laboratories, was fined EUR 1,500,00 for a number of violations, among which were (1) override the controller’s instructions (Dedalus Biologie SAS collected excessive personal data), (2) lack of all necessary technical and organizational data protection measures (no encryption of personal data was available, etc.), (3) the contractual documentation, in force with its customers, didn’t contain the terms required by Art. 28 GDPR.
     
  • Isweb S.p.A., an IT company and provider of a whistle-blowing management system, was fined EUR 40,000 for failing to formalize its relationship with the hosting provider to which it delegate the personal data processing.

In what form should a DPA be concluded?

The form of  the DPA may vary depending on relationship between the controller and the processor, and whether the personal data processing parameters (purpose of processing, data retention period, list of data, other obligations) differ. Typically, two main forms of the DPA conclusion are used:

  • written form – used when the processor’s personal data processing has specific characteristics. 

    For example, a company that develops and publishes mobile applications may engage one contractor for technical support services and another contractor for targeted advertising. The order of data processing by such contractors is different as the main criteria of data processing differs depending on the services provided. In such a case, it is reasonable to enter into different DPAs in writing with each particular processor.
     
  • public offer form – used when the parameters of personal data processing are the same. 

    For example, it is reasonable to use this option when a company provides the same services to all counterparties. Thus, the data processing procedure doesn’t change when a new contract is concluded and it is impractical to sign a separate DPA with each counterparty. Therefore, in such a case, it is possible to draft and place on the company’s website a standard form of a DPA that will apply to all counterparties using their services.

Minimum conditions that must be set forth in a DPA

The legislation does not contain a complete list of conditions to be set forth in a DPA. In such a case, the parties have a certain freedom to choose the conditions when negotiating them. However, the GDPR contains a minimum list of conditions and obligations of the parties that must be set forth in a DPA (Art. 28 GDPR). 

Below outlined a checklist with basic conditions that need to be included in the text of a DPA.

1.  A DPA must contain a description of the following processing details:
  • subject-matter and duration of the processing,
  • nature and purpose of processing,
  • type of personal data,
  • categories of data subjects,
  • rights and obligations of the controller.
2. A DPA must provide for the following obligations of the processor:
  • processing of personal data only on the basis of documented instructions from the controller.

The controller's instructions may be formalized in various methods, such as via e-mail, CRM systems, in the text of the DPA. At the same time, the DPA must explicitly state that the controller, not the processor, controls over the personal data processing.

If the processor overrides the instructions, the processor may be deemed a controller for that specific processing and will assume the related responsibilities and liabilities under GDPR . 

One of the most common examples when the processor overrides the controller’s instructions is the personal data processing after the expiration data retention period set by the controller. In such a case, from the moment of expiry of the data retention period, the processor must independently assess the lawfulness of further processing, including determining the purpose of such processing, legal basis, etc. 

  • guarantee that persons authorised to process personal data are under an obligation of confidentiality.

Such an obligation shall apply to employees and other individuals of the processor who have access to the controller’s personal data. The confidentiality obligation may arise either from contractual obligations with employees (contractors) or as a result of legal requirement. 

  • implementation of appropriate information security measures, as well as technical and organizational measures of personal data protection.

Such measures include, in particular, encryption, pseudonymisation; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, etc. A full list of such measures is set out in art. 32 of GDPR.

  • compliance with the terms of sub-processor engagement.

The GDPR allows the processor to engage third-parties (the “sub-processors”) for  personal data processing. For example a company (controller) may engage an advertising agency (processor) to handle marketing activities such as advertising campaigns and user marketing mailings. In turn, the advertising agency may engage another company to assist with marketing mailings for the controller, which would be considered a sub-processor under the meaning of the GDPR.

In order to engage sub-processors, the following conditions must be set forth and fulfilled to in the DPA:

  1. engagement of a sub-processor only with prior specific or general written authorisation of the controller;
  2. if a sub-processor is engaged on the basis of a general written authorisation, the controller must have legal mechanisms to object to the engagement of a sub-processor; 
  3. where a sub-processor is engaged, the same data protection obligations as set out in the contract or other legal act between the controller and the processor shall be imposed on that sub-processor by way of a contract or other legal act;
  4. the processor is responsible to the controller for the sub-processor's compliance with the data protection obligations. 
  • assisting the controller in fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights.

A DPA should define the procedure for interaction between the controller and the processor when considering the data subjects’ requests to exercise their rights under the GDPR. For example, the DPA may specify that the processor is not permitted to respond to the data subjects’ requests, and is also may establish the processor’s obligation to take appropriate technical and organizational measures to assist the controller in responding to the personal data subjects’ requests. 

  • assistance to the controller in fulfilling the obligations under Art. 32-36 GDPR.

The GDPR imposes several obligations on the controller to ensure the data (e.g. notifying personal data subjects and the supervisory authority of data breaches, conducting a Data Protection Impact Assessments (DPIA), etc.). A DPA should clearly set out how the processor should assist the controller in fulfilling these obligations.

  • termination of personal data processing upon expiration of the processing period. 

The DPA must contain a condition that the processor must delete or return all the personal data to the controller upon expiration of the data retention period and delete existing copies.

  • enabling the controller to audit compliance with the GDPR requirements and DPA conditions.

The following processor’ obligations are a mandatory requirement for a DPA:

  • the obligation to make available to the controller all information necessary to demonstrate with the obligations set out in Art. 28 GDPR are fulfilled; and
  • the obligation to authorize and facilitate audits and inspections by the controller or an auditor appointed by the controller.

A DPA is a key document for defining the framework of the relationship between controllers and processors, and as such, it requires careful attention during its drafting.

Contact our legal team to learn more

Write to lawyer

Dear journalists, the use of materials from the REVERA website in publications is possible only with our written permission.

To coordinate materials, contact us at e-mail: i.antonova@revera.legal or Telegram: https://t.me/PR_revera