202004.29

Off

Negotiating a Data Processing Agreement Under GDPR

Partner 03 The General Data Protection Regulation (GDPR) became effective on May 25, 2018. GDPR is the widest sweeping privacy regulation to hit the global market since the 1995 EU Data Protection Directive. GDPR is a regulation that requires businesses to protect the personal data and privacy of EU residents (EU data subjects). This new legislation introduces tough new fines for non-compliance and gives individuals significant rights regarding how their data may be used (“data processing”) by companies doing business involving EU data subjects. The regulation also affects US businesses through its extraterritorial jurisdiction and scope, and it requires organizations governed by the regulation to memorialize their data processing activities through a contract pursuant to GDPR Article 28. The fines for non-compliance can be as much as 20 million euros or 4 percent of annual revenues (whichever is higher). GDPR Article 28 states: “Processing by a processor shall be governed by a contract or other legal act…” But, what exactly does the contract need to include and what are some common negotiating points to be aware of when negotiating a data processing agreement?

What does the Data Processing Agreement (“DPA”) need to include? Below is a list of “must haves” in every GDPR compliant DPA.

Controller and processor contracts checklist

GDPR compliant contracts must include the following compulsory details: (Art. 28.3)

The subject matter and duration of the processing;
The nature and purpose of the processing;
The type of personal data and categories of data subject; and
The obligations and rights of the controller.

2. GDPR compliant contracts must include the following compulsory terms:

The processor must only act on the written instructions of the controller (unless required by law to act without such instructions); (Art. 28.3(a))
The processor must ensure that people processing the data are subject to a duty of confidence; (Art. 28.3(b))
The processor must take appropriate measures to ensure the security of processing; (Art. 28.3(c))
The processor must only engage a sub-processor with the prior consent of the data controller and a written contract; (Art. 28.3(d))
The processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under GDPR; (Art. 28.3(e))
The processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments; (Art. 28.3(f))
The processor must delete or return all personal data to the controller as requested at the end of the contract; and (Art. 28.3(g))
The processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing GDPR or other data protection law of the EU or a member state. (Art. 28.3(h))

Processors’ responsibilities and liabilities checklist

In addition to the Article 28.3 contractual obligations set out in the controller and processor contracts checklist, a processor has the following direct responsibilities under GDPR. The processor must:

Only act on the written instructions of the controller (Article 29);
Not use a sub-processor without the prior written authorization of the controller (Article 28.2);
Co-operate with supervisory authorities (such as the ICO) in accordance with Article 31;
Ensure the security of its processing in accordance with Article 32;
Keep records of its processing activities in accordance with Article 30.2;
Notify any personal data breaches to the controller in accordance with Article 33;
Employ a data protection officer if required in accordance with Article 37; and
Appoint (in writing) a representative within the European Union if required in accordance with Article 27.

2. A processor should also be aware that:

It may be subject to investigative and corrective powers of supervisory authorities; (Article 58)
If it fails to meet its obligations, it may be subject to an administrative fine; (Article 83)
If it fails to meet its GDPR obligations it may be subject to a penalty; (Article 84)
If it fails to meet its GDPR obligations it may have to pay compensation; (Article 82).

What are some common negotiating points to be aware of? Below is a list of “desirable positions” or points that are generally negotiated in a DPA.

As a matter of good practice, GDPR compliant contracts should include:

Responsibility – That nothing within the contract relieves the processor of its own direct responsibilities and liabilities under GDPR; and

2. Limitation of Liability – GDPR does not require that all risk sharing provisions be set-forth in the DPA. The best approach is to rely on a previously negotiated contract such as Master Services Agreement, and refer to it in the DPA. In other instances, structuring the limitation of liability directly in the DPA to either include “super caps” or categorize certain types of direct damages for security incidents and resulting costs that would be considered indirect damages if not properly carved out. Additionally, there are also defined liability requirements in any cross-border data transfers that need to be taken into account when negotiating this section (see below, Personal Data Transfers and the Standard Contractual Clauses).

3. Indemnity – Processors need to indemnify for any processing that it does that causes harm to any third party while it is engaged or thereafter if it maintains or processes any data of the controller.

4. Breach Notification – Processors must notify the controller under GDPR “without undue delay after becoming aware of a personal data breach”. (Article 33(2)). The controller must report a data breach to the applicable data protection authority within 72 hours after having become aware of it. Additionally, GDPR Art. 33(3) contains a list of breach notification requirements that controller must include in its notification to the applicable data protection authority:

(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

5. Insurance – In addition to any other insurance required under any previous agreements between the negotiating parties, the DPA should require the Processor (or Controller) to maintain appropriate levels of insurance. Such insurance should at least include coverage for privacy and cybersecurity liability (including costs arising from data destruction, hacking or intentional breaches, crisis management activity related to data breaches, and legal claims for security breach, privacy violations, and notification costs). Actual levels of coverage amounts are variable based on the amount of the total contract amounts and data being processed.

6. Personal Data Transfers – The Processor shall not Transfer any Personal Data (and shall not permit its Sub-processors to Transfer any Personal Data) without the prior consent of Controller. The Processor understands that Controller must approve and document that adequate protection for the Personal Data will exist after the Transfer, using contracts that provide sufficient guarantees (such as standard contractual clauses) unless another legal basis for the Transfer exists. There are several ways to structure this, and referring to the GDPR regulation itself is key.

7. Audits – All DPA’s should have the right to receive information related to compliance (SOC 1, SOC 2, or any other audit report). In some instances, the right to an onsite audit to show compliance will be necessary for smaller processors. In other instances, for larger processor (or bigger vendors) onsite audits will not be allowed. However, the right to an onsite audit related to an applicable data protection authority’s inquire is always necessary and should be outlined in the agreement.

8. Subprocessors – GDPR 28(2) requires the processor not to engage in subprocessing without the controller’s permission, and GDPR 28(3)(a) requires the processor to abide by the controller’s instructions when processing. Many DPA’s are written where the processor has the ability to name a subprocessor, and the controller has the right to object, but the controller can only object for “a justifiable / legal reason”. GDPR does not require a reason to be given to the processor. However, a good way to deal with this section is the ability to object, and for the processor to provide another possible subprocessor. If no choice can be decided, then the controller should reserve the right to terminate the DPA.

Hiring experienced legal counsel can help you navigate GDPR’s requirements in order to understand all the risks involved when either drafting or negotiating a GDPR compliant Data Processing Agreement. Fines for noncompliance can reach millions of dollars. Choose a law firm with expertise in GDPR and technology transactions.

5on Google,Feb 10, 2024

Salma

good

5on BirdEye,May 01, 2023

Kimberly

You made the entire process so easy! Having a lawyer with Managed Service experience and really knowing our business has been a game changer! I have nothing but great things to say about you!

5on Google,Apr 21, 2023

Mari

5on BirdEye,Apr 21, 2023

Julie and Kelli have been very helpful from beginning to end of the process.

5on BirdEye,Mar 22, 2023

George

Very professional team. I highly recommend them to any MSP.

5on Google,Mar 06, 2023

J&A

5on BirdEye,Mar 01, 2023

Steve

So far, the process has been very seamless. Some minor issues with access to the tool/portal but using incognito mode seems to get us around most of that. The team has been awesome.

5on BirdEye,Feb 07, 2023

Very professional project plan.

5on Google,Nov 19, 2022

Navid

5on Google,Aug 09, 2022

Jureni

5on Google,Jul 29, 2022

Mauricio

Scott & Scott LLP's team is very professional and efficient. Their knowledge and experience are unparalleled when it comes to MTSP/software law. Be sure to use them!

5on Google,Jul 25, 2022

Val

Rob is one of the rare few that successfully operates where the technology industry, business and entrepreneurship, and the law meet, making him an excellent resource for any company working at this unique intersection. As important, he wastes no time or words identifying the root cause of an issue and providing guidance that, without asking, takes the perspective of business, technology, and the law into account before ever being offered.

5on Google,Jan 09, 2022

Brent

Excellent legal advice.

5on Google,Jan 08, 2022

David

5on Google,Dec 29, 2021

Michael

Have used Scott & Scott on a number of different issues over the past few years. They are simply excellent. You would not go wrong using them for your legal needs.