Data protection laws require data processing agreements (or a data processing addendum or DPA) under certain circumstances and impose severe penalties where they aren’t in place. Let’s talk about how these agreements are required by law and what you can do to get them in place. If you process personal data together with others, you need an agreement to comply with the law.
If a party processes personal data for or on behalf of another, they need to sign a data processing agreement (DPA).
Some countries refer to them as operator agreements.
Data processing agreements are required by law
Data protection laws (such as the GDPR in the EU or POPIA) generally require that organisations processing personal data together enter into written agreements with one another. They often specify that:
- a controller has a data processing agreement in place with all their processors; and
- each processor has a data processing agreement in place with all their sub-processors.
Some even specify that such agreements must contain certain terms as a bare minimum. It is typically not sufficient to have an NDA (non-disclosure agreement), confidentiality clauses or a few paragraphs dealing with data protection in an existing SLA or another contract. To comply with the law, you generally need a whole separate agreement with specialised clauses that you may not have encountered before. DPAs generally do not deal with intellectual property or with confidential information that is not personal information.
NDAs and DPAs are different agreements – don’t confuse them
People often refer to a DPA, but the abbreviation has two meanings. The first is data protection authority and the second is data processing agreement. Some people also talk about a data processing addendum. This is used when there is an existing agreement and you want to add the necessary data protection clauses by attaching an addendum to that existing agreement.
When you should sign one
Parties often sign an NDA at the beginning of exploring their relationship or the beginning of discussing a new transaction. This makes sense because each party might share confidential information with the other in order to explore opportunities. If each party can’t trust the other to keep what they share confidential, it will be a short conversation.
A DPA is usually signed later, once the parties have formulated the relationship between them and, most importantly, identified whether one of the parties will be processing personal data for (or on behalf of) the other. If yes, you need a DPA.
You can be fined if you don’t have a DPA
These agreements existed before data protection laws required them and were essential in protecting controllers and data subjects by placing obligations on processors.
We see what happened when they weren’t in place in the 2018 Yahoo! UK security incident. In this case, the ICO (the supervisory authority for the UK) fined Yahoo! UK £250 000 for failing to have an agreement with their US counterpart (amongst other failings): the two organisations were sharing personal data with one another, and a hack compromised their customers’ personal data.
How we can help
- Know more about data processing agreements and get generic templates by joining our data protection programme.
- Make sure your agreements are in accordance with the law by asking Michalsons to do it for you. We can formulate, draft or negotiate a data processing agreement for you.
- Read more about contracts in a data protection context by reading the ICO guidance.