Negotiating a Data Processing Agreement Under GDPR

Partner 03The General Data Protection Regulation (GDPR) became effective on May 25, 2018. GDPR is the widest sweeping privacy regulation to hit the global market since the 1995 EU Data Protection Directive. GDPR is a regulation that requires businesses to protect the personal data and privacy of EU residents (EU data subjects). This new legislation introduces tough new fines for non-compliance and gives individuals significant rights regarding how their data may be used (“data processing”) by companies doing business involving EU data subjects. The regulation also affects US businesses through its extraterritorial jurisdiction and scope, and it requires organizations governed by the regulation to memorialize their data processing activities through a contract pursuant to GDPR Article 28. The fines for non-compliance can be as much as 20 million euros or 4 percent of annual revenues (whichever is higher). GDPR Article 28 states: “Processing by a processor shall be governed by a contract or other legal act…” But, what exactly does the contract need to include and what are some common negotiating points to be aware of when negotiating a data processing agreement?

What does the Data Processing Agreement (“DPA”) need to include? Below is a list of “must haves” in every GDPR compliant DPA.

Controller and processor contracts checklist

  1. GDPR compliant contracts must include the following compulsory details: (Art. 28.3)
  • The subject matter and duration of the processing;
  • The nature and purpose of the processing;
  • The type of personal data and categories of data subject; and
  • The obligations and rights of the controller.

2. GDPR compliant contracts must include the following compulsory terms:

  • The processor must only act on the written instructions of the controller (unless required by law to act without such instructions); (Art. 28.3(a))
  • The processor must ensure that people processing the data are subject to a duty of confidence; (Art. 28.3(b))
  • The processor must take appropriate measures to ensure the security of processing; (Art. 28.3(c))
  • The processor must only engage a sub-processor with the prior consent of the data controller and a written contract; (Art. 28.3(d))
  • The processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under GDPR; (Art. 28.3(e))
  • The processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments; (Art. 28.3(f))
  • The processor must delete or return all personal data to the controller as requested at the end of the contract; and (Art. 28.3(g))
  • The processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing GDPR or other data protection law of the EU or a member state. (Art. 28.3(h))

Processors’ responsibilities and liabilities checklist

  1. In addition to the Article 28.3 contractual obligations set out in the controller and processor contracts checklist, a processor has the following direct responsibilities under GDPR. The processor must:
  • Only act on the written instructions of the controller (Article 29);
  • Not use a sub-processor without the prior written authorization of the controller (Article 28.2);
  • Co-operate with supervisory authorities (such as the ICO) in accordance with Article 31;
  • Ensure the security of its processing in accordance with Article 32;
  • Keep records of its processing activities in accordance with Article 30.2;
  • Notify any personal data breaches to the controller in accordance with Article 33;
  • Employ a data protection officer if required in accordance with Article 37; and
  • Appoint (in writing) a representative within the European Union if required in accordance with Article 27.

2. A processor should also be aware that:

  • It may be subject to investigative and corrective powers of supervisory authorities; (Article 58)
  • If it fails to meet its obligations, it may be subject to an administrative fine; (Article 83)
  • If it fails to meet its GDPR obligations it may be subject to a penalty; (Article 84)
  • If it fails to meet its GDPR obligations it may have to pay compensation; (Article 82).

What are some common negotiating points to be aware of? Below is a list of “desirable positions” or points that are generally negotiated in a DPA.

As a matter of good practice, GDPR compliant contracts should include:

  1. Responsibility – That nothing within the contract relieves the processor of its own direct responsibilities and liabilities under GDPR; and

2. Limitation of Liability – GDPR does not require that all risk sharing provisions be set-forth in the DPA.  The best approach is to rely on a previously negotiated contract such as Master Services Agreement, and refer to it in the DPA. In other instances, structuring the limitation of liability directly in the DPA to either include “super caps” or categorize certain types of direct damages for security incidents and resulting costs that would be considered indirect damages if not properly carved out. Additionally, there are also defined liability requirements in any cross-border data transfers that need to be taken into account when negotiating this section (see below, Personal Data Transfers and the Standard Contractual Clauses).

3. Indemnity – Processors need to indemnify for any processing that it does that causes harm to any third party while it is engaged or thereafter if it maintains or processes any data of the controller.

4. Breach Notification – Processors must notify the controller under GDPR “without undue delay after becoming aware of a personal data breach”. (Article 33(2)). The controller must report a data breach to the applicable data protection authority within 72 hours after having become aware of it. Additionally, GDPR Art. 33(3) contains a list of breach notification requirements that controller must include in its notification to the applicable data protection authority:

  • (a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • (c) describe the likely consequences of the personal data breach;
  • (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

5. Insurance – In addition to any other insurance required under any previous agreements between the negotiating parties, the DPA should require the Processor (or Controller) to maintain appropriate levels of insurance. Such insurance should at least include coverage for privacy and cybersecurity liability (including costs arising from data destruction, hacking or intentional breaches, crisis management activity related to data breaches, and legal claims for security breach, privacy violations, and notification costs). Actual levels of coverage amounts are variable based on the amount of the total contract amounts and data being processed.

6. Personal Data Transfers – The Processor shall not Transfer any Personal Data (and shall not permit its Sub-processors to Transfer any Personal Data) without the prior consent of Controller. The Processor understands that Controller must approve and document that adequate protection for the Personal Data will exist after the Transfer, using contracts that provide sufficient guarantees (such as standard contractual clauses) unless another legal basis for the Transfer exists. There are several ways to structure this, and referring to the GDPR regulation itself is key.

7. Audits – All DPA’s should have the right to receive information related to compliance (SOC 1, SOC 2, or any other audit report). In some instances, the right to an onsite audit to show compliance will be necessary for smaller processors. In other instances, for larger processor (or bigger vendors) onsite audits will not be allowed. However, the right to an onsite audit related to an applicable data protection authority’s inquire is always necessary and should be outlined in the agreement.

8. Subprocessors – GDPR 28(2) requires the processor not to engage in subprocessing without the controller’s permission, and GDPR 28(3)(a) requires the processor to abide by the controller’s instructions when processing. Many DPA’s are written where the processor has the ability to name a subprocessor, and the controller has the right to object, but the controller can only object for “a justifiable / legal reason”. GDPR does not require a reason to be given to the processor. However, a good way to deal with this section is the ability to object, and for the processor to provide another possible subprocessor. If no choice can be decided, then the controller should reserve the right to terminate the DPA.

Hiring experienced legal counsel can help you navigate GDPR’s requirements in order to understand all the risks involved when either drafting or negotiating a GDPR compliant Data Processing Agreement. Fines for noncompliance can reach millions of dollars. Choose a law firm with expertise in GDPR and technology transactions.