GDPR Supplier Data Processing Agreement Template - Version B

by Nash V

Introduction

The GDPR DPA is a legal contract between two different organizations that handle the personal data of the data subjects: the data controller, who is the owner of the data, and the data processor, who acts as the data controller’s proxy in processing the data. The main goal of the DPA is to agree on the obligations, responsibilities, and division of labor between the two entities.
Since the DPA is a legal contract, it must be documented in clear, everyday language, and it may need to be reviewed by an internal or external auditor.

The Differences Between Versions A and B

The main difference is that version B is more robust and comprehensive, thus addressing more GDPR statutes.

Other differences are -

1. Version B requires the data processor to use the personal data of the data subjects only for the purpose for which it was originally collected.

2. Version B demands that the personal data be disposed of once it has served its original purpose.

Scope and Purpose

The signed document outlines for both parties the GDPR statutes, guidelines, and obligations they must adhere to. The location of either party to the DPA has no bearing on its responsibilities. The DPA also applies to any additional data processors (sub-processors), which act as a proxy workforce for the data processor.

The agreement typically focuses on these key points -

1. Purpose: How the data processor will process the data provided by the data controller.

2. Sub-processing: If the processor employs third-party organizations that act as its proxy in the processing of any of the personal data, these sub-processors must comply with all the GDPR statutes.

3. Legal: Focuses on the obligations of the data processor regarding keeping the personal data safe and secure.

4. Processing scope: Determines the duration that the personal data will be stored by the data processor and any type of limitations to the data processing.

5. Security measures: Outlines the tools and processes that the data processor will put into place to safeguard the personal data.

6. Notifications: The data processor’s notification duties in the event of a data breach.

The Obligations of the Data Controller

The agreement should include the following fields -

1. The basic details of the data processor and data controller organizations, along with the DPO of each.

2. The goal of the DPA.

3. The obligations of all the parties who agree to the DPA, divided into topics.

Other Obligations -

1. Legally binding scope of commitments between the two organizations in multiple areas.

2. Present the point of contact that the data subjects may reach out to in each organization.

3. Agreement on the audit rights of the data controller.

Examples of Processed Personal Data

Attributes -

1. Name
2. Email address
3. IP address
4. Personal ID number
5. Number of children
6. Monthly income
7. Political affiliations
8. Religious faiths
9. Sexual orientation

Term Definitions

What is a Data Controller?

An organization or person who determines the use of the personal data collected from the data subjects. The data controller owns the collected personal data, decides in which ways it will be processed, and bears the sole responsibility for safeguarding it.

What is personal data?

Any type of unique data which relates to an individual data subject. This can include such information as name, phone number, email address, ID number, health records, political opinions, IP address, etc.

What is the processing of personal data?

Any act that is performed on the collected personal data of the organization’s data subjects. This may include such actions as storing the data, analyzing it in any way to extract insights, or deleting it once it is no longer required.

What is a data subject (also known as an end-user)?

Any person who created a unique username on the organization’s website, thus giving them the possibility of using that username to perform certain tasks and use features offered on the website.

Who is the DPO?

The Data Protection Officer is the main stakeholder of the organization for all aspects of GDPR compliance. They are responsible for making sure that the GDPR guidelines are adhered to.

What is a data breach?

Any intentional or unintentional security incident which involves the exposure of personal data to any unauthorized party. Exposure of personal data may include the viewing, copying, stealing, or altering of the personal data.

What is a DPA?

A Supplier Data Processing Agreement is used between a data controller and a data processor under the GDPR. The DPA (version A) is designed to ensure that both the data controller and the data processor comply with their GDPR obligations, and also to ensure that the rights of the data subjects whose personal data is being processed are protected and secured.

Key Takeaways / Conclusions

1. The DPO (or their delegate) is responsible for ensuring that the DPA process stays within the GDPR guidelines and for maintaining it.

2. The DPA needs to be flexible and customizable so that it can be adapted to meet the specific needs of both the data controller and the data processor.

3. The DPA builds trust between the two parties that agreed to it, and customizing it should be a joint effort.

4. The main value of creating a DPA is to protect the rights of the data subjects.

5. The DPA should state whether the data controller and the data processor are located within or outside of the European Union’s borders.

6. The DPA needs to call out what the data protection measures are and make sure that they are being used and followed.