GDPR Supplier Data Processing Agreement Template - Version A
Introduction
The GDPR DPA is a legal contract between two different organizations that handle the personal data of end-users: the data controller, who determines why and how the data is processed, and the data processor, who processes the data on the controller's behalf and on its documented instructions. The main goal of the DPA is to agree on the obligations, responsibilities, and division of labor between the two entities.
Since the DPA is a legal contract, it must be documented clearly and concisely.
The goal of this document is to present to both the data controller and the data processor the required topics and areas of agreement which need to appear in the document. Once filled in, it will serve as a legal document binding both sides. Primarily, it concentrates on the requirements that the data controller places on the data processor.
Since the DPA sets out the data processor's responsibilities regarding data breaches, responses to end-user requests, and safeguarding the data, it may be requested for review by an internal or external auditor.
Scope and Purpose
The DPA focuses on the GDPR statutes, guidelines, and obligations that the data controller has committed to and ensures that the data processor is committed to the same. This applies regardless of the location of the data processor and whether it employs additional data processors (sub-processors) as a proxy workforce; a processor located outside the EU remains bound by the same obligations, and any transfer of the data outside the EU must rest on an appropriate legal basis.
The agreement typically focuses on these key points -
1. Purpose: What the data processor will do with the data provided by the data controller, and the documented instructions it must follow.
2. Sub-processing: If the processor works with other organizations that perform any type of data processing on its behalf, these sub-processors must comply with all the GDPR statutes. Engaging a sub-processor requires the controller's prior authorization, and the processor must pass the same data-protection obligations down to the sub-processor by contract.
3. Legal: Focuses on the obligations of the data processor regarding keeping the personal data safe and secure, including confidentiality commitments from the personnel who process it.
4. Processing scope: Determines the duration for which the data processor will store the personal data, any limitations on the data processing, and what happens to the data (deletion or return) when the processing ends.
5. Security measures: Outlines the technical and organizational measures, tools, and processes that the data processor will use to safeguard the personal data.
6. Notifications: The requirements of the data processor in case of a data breach, in particular the obligation to notify the data controller without undue delay after becoming aware of the breach.
7. Audits: The agreement may include provisions allowing the data controller to audit the data processor's compliance with the GDPR requirements, ensuring accountability and transparency.
The Obligations of the Data Controller
The agreement should include the following fields -
1. The names and details of the data processing and data controlling organizations, along with their DPOs.
2. The purpose of the legal agreement.
3. The obligations of the data processor, divided by topic.
Other Obligations -
1. Legally binding scope of commitments between the two organizations in multiple areas.
2. The end-user's point of contact for each organization.
3. Agreement on the audit rights held by the data controller.
Examples of Processed Personal Data
Attributes -
1. Name
2. Phone number
3. Email address
4. IP address
5. ID number
6. Marital status
7. Number of children
8. Annual income
9. Political opinions
10. Religious beliefs
11. Sexual orientation
Term Definitions
What is a Data Controller?
An organization or person who determines the purposes and means of processing the personal data collected from the data subjects. The data controller decides in which ways the data will be processed and bears primary responsibility for its lawful processing and safekeeping; the data processor carries its own, contractually defined, security obligations under the DPA.
What is personal data?
Any information which relates to an identified or identifiable individual data subject. This can include such information as name, phone number, email address, ID number, health records, political opinions, IP address, etc.
What is the processing of personal data?
Any operation, automated or not, that is performed on the personal data of the organization's data subjects. This may include such actions as collecting or storing the data, analyzing it in any way to extract insights, disclosing it to a third party, or deleting it once it is no longer required.
What is a data subject (also known as an end-user)?
Any identified or identifiable natural person whose personal data is processed. In the context of this template, this is typically a person who created a unique username on the organization's website, thus gaining the possibility of using that username to perform certain tasks and use features offered on the website.
Who is the DPO?
The Data Protection Officer is the main stakeholder of the organization for all aspects of GDPR compliance. They are responsible for making sure that the GDPR guidelines are adhered to and serve as the organization's point of contact for data subjects and supervisory authorities.
What is a data breach?
Any intentional or unintentional security incident which leads to the destruction, loss, or alteration of personal data, or to its disclosure to or access by any unauthorized party. Unauthorized access may include the viewing, copying, stealing, or altering of the personal data.
What is a DPA?
A Data Processing Agreement is used between a data controller and a data processor under the GDPR. The DPA (version A) is designed to ensure that both the data controller and the data processor comply with their GDPR obligations and to ensure that the rights of the data subjects whose personal data is being processed are protected and secured.
Key Takeaways / Conclusions
1. The DPO (or their delegate) is responsible for ensuring that the DPA process stays within the GDPR guidelines and for maintaining it.
2. The DPA needs to be flexible and customizable so that it can be adapted to meet the specific needs of both the data controller and the data processor.
3. The DPA builds trust between the two parties that agreed to it, and customizing it should be a joint effort.
4. The main value of creating a DPA is to protect the rights of the data subjects.
5. The DPA should state whether the data controller and the data processor are within or outside the European Union's borders, since any transfer of personal data outside the EU requires an appropriate legal basis.
6. The DPA needs to spell out the technical and organizational security measures the processor applies and make sure that they are actually implemented and followed, for example through the audit rights described above.