Oct 25

Data processors & Data Processing Agreements (DPA)

DPOrganizer’s GDPR Requirements Series

#12 Data processors & Data Processing Agreements (DPA)

Hello there and welcome back to our series about the GDPR Requirements! Moving on from last week’s post on special category and criminal offence data, today we’ll learn more about data processors. The two requirements we’ll discuss entail that you, as the controller, need to do ‘due diligence’ on processors and sub-processors, and govern your processors through contracts: data processing agreements (DPAs).

1. Due diligence of data processors

You may only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures, to ensure accountability and security. This means that you have to run ‘due diligence’ checks on the processors you engage – both before you enter into a contract and afterwards. The check should be proportionate to the risk of the processing and is done to ensure compliance with the DPA, GDPR and instructions.

Processors must provide the controller with information on the processing operations and contribute to audits and inspections conducted by the controller or an auditor of its choice. Depending on the level of risk of the processing, the processor would usually demonstrate their compliance by providing documentation, such as their privacy policy, terms of service and international certifications. In any case, to demonstrate their risk level, the processor should provide information about:

  • the functioning of their systems,
  • security measures in place,
  • data locations,
  • any transfers of data and how the processor is compliant with the rules of transfers,
  • who has access to the data and who the recipients are.

If there are any sub-processors, they must provide you with all of the information above. You also have to include sub-processors in your due diligence.

To select your data processors, you can look at factors such as reputation, financial condition, mechanisms for secure data transfers, etc. Whether guarantees are sufficient depends on the processing, which means you have to do a case-by-case risk assessment for each new processor you engage. The risk assessment should include aspects such as the nature, scope, context and purposes of the processing, and the risks to the rights and freedoms of natural persons. You should also consider the processor’s expert knowledge, reliability and resources, and make sure that the level of guarantees ensured by the processor does not weaken over time.

If your selected processor decides to engage any sub-processors, you have to give written authorisation to the processor before they do so. The processor is then fully liable to you for the performance of the sub-processor’s obligations. Remember, however, that you’re the one who is overall accountable for the data processing. Therefore, you should fully understand the ‘processing chain’ from the initial processor to the last sub-processor to which the data is transferred. Your processors need to subject themselves to inspections, either remote or on-site, which could include reviews of data security and of the protection of data subjects’ rights. You may request subsequent measures to ensure that potential shortcomings and gaps are handled appropriately. For further information about the concept of controllers and processors in the GDPR, and the liabilities between them, take a look at the EDPB Guidelines for the EU/EEA and the ICO Guidelines for the UK.

At DPOrganizer, our vendor assessment template and our Professional Services team can help you do the due diligence on your potential processors and sub-processors.

2. Data Processing Agreements (DPA)

The Regulations prescribe that every controller-processor relationship should be governed, and the most common way is through a contract. This type of contract is often called a Data Processing Agreement (DPA). It should bind the parties in such a way that the key aspects of the processing activity are stipulated and risks are mitigated. Therefore, when you’re done with the due diligence of your processors, you need to make sure that a DPA is put in place. Any sub-processors need to be governed by a contract with the initial processor which contains essentially the same obligations as the DPA between you and the processor.

So, let’s break down the content of the contract. The agreement has to, with a high level of specificity, set out:

  1. the subject matter of the processing, such as video surveillance recordings of people entering and leaving a high-security facility
  2. the duration of the processing
  3. the nature and the purpose of the processing
  4. the types of personal data; if there are special categories of data, the agreement should specify which types of data are concerned
  5. the data subject categories, such as customers, employees, etc.
  6. your rights and obligations as a controller.

In addition to this, the DPA also stipulates that your processor:

  • only acts on your documented instructions, unless it is required by law to act without your instructions
  • is subject to a duty of confidentiality, covering everyone who takes part in the processing, such as employees and contractors
  • takes measures to ensure the security of the processing. The DPA should include the security measures you agreed upon, an obligation to obtain your approval before any changes, and periodic reviews of the security measures to ensure they remain appropriate to the risks over time
  • may only engage a sub-processor after you’ve given written authorisation. If you’ve given a general authorisation, the processor has to inform you of any change of sub-processors and allow you to object
  • must contractually oblige any sub-processor to perform the same data protection obligations as the processor has under the DPA
  • assists you in responding to data subjects’ requests
  • deletes or returns, at your choice, all personal data to you at the end of the contract, unless EU/EEA, Member State or UK domestic law requires further storage
  • contributes to audits and inspections and gives you whatever information you need to ensure you are meeting your obligations under the Regulations and the DPA. That includes details on how often and by what means information should be exchanged between the processor and you, so that you are fully informed as to the details of the processing. As a matter of best practice, you should also regulate in the DPA who bears the costs related to inspections.

As for the EU Regulation, the Commission has adopted standard contractual clauses (SCCs) for controller-processor relationships within the EEA. These are “ready-made” and easy to incorporate into commercial arrangements such as contracts for goods and services. If you use the SCCs correctly, you will meet the requirement of governing the controller-processor relationship via contract, and the necessary content will be in the contract.

All DPAs can be uploaded in DPOrganizer’s tool for each processing activity, and accessed in the document manager. Our Professional Services team can help you create a suitable DPA for your processors.

That’s all for today regarding data processors and DPAs. Don’t hesitate to reach out to our Professional Services team for further assistance with your privacy management, or connect with your privacy peers at the Q&A forum Watercooler by DPOrganizer. Next week, Albin (albin.thelin@nulldporganizer.com) will go through the rules on data transfers to third countries. Until next time!
