Data Processing Agreements – Obligations of the Data Processor – Article 28 of the GDPR

Who Is a Data Processor?

The GDPR divides organizations that handle personal data into two groups: data controllers and data processors. Data controllers, for example online retailers, decide what personal data will be collected from consumers and for what purpose; data like names, email addresses, or mobile phone numbers. Often, a data controller will engage third parties, like an e-commerce platform or an email management service, to store that personal data, process payment information, or send order status updates to the consumers. Those third parties, meaning anyone other than the data controller who handles an end consumer's personal data for a purpose authorized by the data controller, are data processors. If a company processes the personal data of consumers in the EU on behalf of a data controller, the GDPR applies regardless of where the controller or the processor is located.

What is a Data Processing Agreement?

Article 28(3) of the GDPR says that “Processing . . . shall be governed by a contract . . . that is binding on the processor.” This is the basis in law for the Data Processing Agreement, the contract between the controller and the processor that sets out how the processor is to process the personal data of the controller's customers. It must “set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.” It must also impose on the processor the specific obligations listed in Article 28(3)(a) to (h), described below.

Obligations of a Data Processor

Article 28(3)(a) to (h) lays out eight obligations of a data processor with respect to the data it processes on behalf of a controller. The controller must require in the Data Processing Agreement that the processor:

(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization;
(b) ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) takes all security measures required pursuant to Article 32;
(d) engages a subprocessor only with the controller's prior written authorization (specific or general) and flows down the same data protection obligations to that subprocessor;
(e) assists the controller, by appropriate technical and organizational measures, in responding to data subjects who exercise their rights (for example access, rectification, and erasure requests);
(f) assists the controller in meeting its obligations under Articles 32 to 36, including security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation with the supervisory authority;
(g) at the controller's choice, deletes or returns all personal data at the end of the engagement and deletes existing copies, unless EU or Member State law requires the processor to keep them; and
(h) makes available to the controller all information necessary to demonstrate compliance with Article 28, and allows for and contributes to audits and inspections conducted by the controller or by an auditor the controller mandates.

Are Data Processing Agreements expensive?

Data Processing Agreements sound very complicated. But mostly they really aren't. The European Commission (sort of like a U.S. federal executive agency that writes the rules for how a law is to be followed) has already published standard contractual clauses for controller-processor agreements, as Article 28(7) of the GDPR allows, and they are widely used as the starting point for these agreements. Since the processor's obligations are prescribed by law, there isn't a ton of negotiation to be done; what usually needs to be filled in is the description of the processing itself (subject matter, duration, purpose, data types, and data subjects), the list of approved subprocessors, and the specific security measures the processor commits to.

Contact us when you need help with a Data Processing Agreement. We'll make sure it's done right.