Data processing agreements are required by law


Data protection laws require data processing agreements under certain circumstances and impose severe penalties where they aren’t in place. Let’s talk about how these agreements are required by law and what you can do to get them in place.

Data processing agreements are required by law

Data protection laws (such as the GDPR in the EU or POPIA in South Africa) generally require that organisations processing personal data together enter into written agreements with one another. They often specify that:

  • a controller has a data processing agreement in place with all their processors; and
  • each processor has a data processing agreement in place with all their sub-processors.

Some even specify that such agreements must contain certain terms as a bare minimum. It is typically not sufficient to have an NDA (non-disclosure agreement), confidentiality clauses or a few paragraphs dealing with data protection in an existing SLA or other contract. You generally need a whole separate agreement, with specialised clauses that you may not have encountered before, to comply with the law.

You can be fined if you don’t have one

These agreements existed before data protection laws required them and were essential in protecting controllers and data subjects by placing obligations on processors.

We see what happened when they weren’t in place in the 2014 Yahoo! UK Security Incident. In this case, the ICO (the supervisory authority for the UK) fined Yahoo! UK £250 000 for failing to have an agreement with their US counterpart (amongst other failings). The two organisations were sharing personal data with one another, and a hack compromised their customers’ personal data.

You need this agreement

If you process personal data together with others, then you need an agreement to comply with the law. We can help you by:

You can read more about these agreements generally here.

You can watch a video about it here.

By | 2019-08-07T13:04:03+02:00 | June 25th, 2019 | Categories: IT Law, POPI and Data Protection