Key Terms for Controllers in Data Processing Agreements (DPAs)

What should you include in a DPA to best protect your interest?


This article will guide you through the key terms you might consider including in your data processing agreements (DPAs) if you're a data controller, helping you protect your data, maintain compliance, and build trust with your customers. If you want to understand what type of clauses you are obliged to include in your DPA according to the GDPR, read our article on "Mandatory Terms for Data Processing Agreements (DPAs)".

Confidentiality

Confidentiality is a cornerstone of any DPA. It's important to include provisions for regularly reviewing who has access to personal data. Regular reviews help maintain strict control, ensuring only authorized personnel can access sensitive information. This practice helps protect the integrity and confidentiality of the data, reducing the risk of unauthorized access. By setting a regular review period, businesses can ensure that access permissions are up-to-date and aligned with the current roles and responsibilities of their staff.

Security Measures

Security measures are vital for protecting personal data from breaches and unauthorized access. A DPA should detail the technical and organizational measures (TOMs) the processor will implement. Usually, the security measures are described in a separate annex to the DPA. If you have specific requirements as to the TOMs, make sure to communicate them clearly to the processor and ensure that they are properly implemented. These measures should be tailored to the specific risks associated with the data processing activities. Examples of TOMs include encryption, pseudonymization, regular security audits, and access controls.

Additionally, regular reviews of these security measures can help you adapt to evolving threats and maintain ongoing compliance. It's beneficial to have a process for assessing and updating these measures regularly to address new vulnerabilities and ensure robust data protection.

Subprocessors

The use of subprocessors can introduce additional risks. It’s important for the DPA to specify a notice period before new subprocessors are engaged, allowing time for evaluation and objection if necessary. This notice period allows the controller to assess the subprocessor's compliance with data protection standards. Controllers should have the right to terminate the agreement if they object to a new subprocessor.

In addition, including a comprehensive list of all current subprocessors helps maintain control over who processes the data and ensures transparency. This is usually included as an annex to the DPA, or an online link provided by the processor where you can see their full list of active sub-processors. Regular updates to this list and clear communication about any changes are essential to safeguard your interest as a data controller.

Notification of a Data Breach

Timely notification of data breaches is crucial. The DPA should specify that the processor must promptly notify the controller of any data breach. This ensures that the controller can act quickly to address the breach and protect the affected data subjects. Clearly outlining the information the processor must provide in the event of a breach helps ensure effective communication and response. Key details you might want to be informed about as a controller include the nature of the breach, the data affected, the potential impact, and the measures taken to address the breach. This detailed approach helps you manage the breach effectively and minimize potential harm.

Assistance to the Controller

Controllers often rely on processors to help comply with data subject rights requests and other obligations. That's why the DPA should include a clause requiring the processor to notify the controller promptly upon receiving any data subject rights request (ideally specifying the notice period). This ensures timely responses to requests such as access, rectification, or deletion of data, maintaining compliance and avoiding potential penalties. The processor should also assist in providing any information or actions required to fulfill these requests, ensuring smooth and efficient handling of data subject interactions.

Audits

Audit rights are essential for verifying compliance, and audit clauses are often the most disputed ones in data processing agreements. If you're a controller, you should make sure that the DPA allows for comprehensive audits covering all aspects of the processor's data processing activities. It’s important to ensure the DPA does not impose unreasonable limitations on your audit rights, such as restricted access to facilities or documentation. Additionally, you might want to ensure that the costs of audits, particularly those arising from non-compliance, are borne by the processor. Having the right to perform regular audits and receiving transparent reporting can help identify and address potential issues early, fostering a culture of continuous improvement in data protection practices.

Transfer of Data

When transferring personal data outside the European Economic Area (EEA), it’s important to ensure adequate safeguards are in place. The DPA should specify whether any international data transfers are envisioned and include appropriate safeguards, such as Standard Contractual Clauses (SCCs). Most often, DPAs incorporate the European Commission's SCCs by reference, with all the mandatory annexes completed and attached to the document.

In any case, controllers should ensure that any international transfers comply with GDPR requirements and that the data remains protected under equivalent standards. This is particularly important when dealing with countries that do not have an adequacy decision from the European Commission.

Conclusion

A well-crafted DPA not only helps controllers avoid potential issues but also demonstrates a strong commitment to data protection, building trust with customers and partners. If you want to check whether a third-party DPA includes terms that might not be in your interest and receive recommendations in seconds, use CuratedAI's DPA review tool for a controller-friendly check. Try it now!

If you're a data processor and want to understand better what types of contractual clauses you should include in your DPA to better protect your interests, read our blog post on "Key Terms for Processors in Data Processing Agreements (DPAs)".

Siyanna Lilova

Jun 11, 2024

Try DPA reviews today

Are you ready to start reviewing DPAs in minutes?

Tap into a new level of productivity. Automate your expertise and stay in control.



We help you review standard IT contracts in minutes

© Copyright 2024. All rights reserved.

CuratedAI B.V., Groeneweg 17, 9320 Aalst, Belgium 1 005.972.647
