What Is A Data Processing Agreement And When Do You Need One

Jurisdiction: European Union
Law Firm: Logan & Partners
Subject Matter: Privacy, Compliance, Data Protection
Author: Ms Anna Levitina
Published date: 03 March 2023

Data processing has become an integral part of business operations. With the increased use of cloud-based services and outsourcing, companies must understand the roles of data controllers and data processors and the legal agreement between them, known as a Data Processing Agreement (DPA).

In this article, we will dive deep into the responsibilities of data controllers and data processors, explore real-life examples of their roles, and discuss the importance of having a DPA to ensure compliance with the European data protection regulation (GDPR). A fine for non-compliance may cost you up to €20 million, or up to 4% of the annual global turnover of the preceding fiscal year, whichever is higher. Whether you're a business owner, a data professional, or simply curious about how personal data is managed, this article is a must-read to understand data processing and its legal implications. So, let's begin!

Data Controller or Data Processor?

The data controller and the data processor are the two main players in personal data processing. The data controller determines the purpose and means of processing personal data, while the data processor carries out the data processing on behalf of the data controller.

The responsibilities of each differ. On the one hand, the data controller is primarily responsible for ensuring personal data is processed in compliance with the GDPR. For example, this includes obtaining valid consent, processing data lawfully, and providing data subjects with access to their data when requested.

On the other hand, the data processor is responsible for processing personal data according to the data controller's instructions and supporting the data controller in meeting their obligations. This means implementing appropriate technical and organisational measures to protect the data, informing the data controller of any data breaches, and helping the data controller fulfil their obligations to data subjects.

Data Processing Agreement

To comply with the GDPR, a data processor must have a contract with its data controller. This contract should take the form of a legally binding agreement, a DPA, outlining each party's roles and responsibilities concerning the processing of personal data.

Here are some typical situations when a DPA is necessary. If you answer YES to at least one of these questions, then you need a DPA.

  • Do you use or provide cloud services?
  • Do you hire an IT service provider to maintain IT systems or provide technical support?
  • Do you manage...
