This article will guide you through the key terms you might consider including in your data processing agreements (DPAs) if you're a data processor, helping you protect your interests, maintain compliance, and build trust with your customers. If you want to understand what type of clauses you are obliged to include in your DPA according to the GDPR, read our article on "Mandatory Terms for Data Processing Agreements (DPAs)".

Security Measures

Security measures are vital for protecting personal data from breaches and unauthorized access. And while having water-tight technical and organizational measures (TOMs) is key for compliance, it is important for data processors that the DPA does not allow the controller to unilaterally change these measures. Instead, any changes to security measures should ideally be made by mutual agreement. This can help ensure that the processor’s operational capabilities and resources are not unfairly burdened by sudden unilateral changes.

Subprocessors

Managing subprocessors is a critical aspect of data processing agreements and it's often subject to discussions when DPAs are negotiated. While not mandatory under Article 28 GDPR, it’s useful for the parties to specify in the DPA a reasonable notice period for engaging new subprocessors. A shorter notice period (both for notification for the engagement of a new subprocessor and for a respective objection by the data controller) can help avoid unnecessary delays in the processor's business operations

Notification of a Data Breach

Timely notification of data breaches is crucial, but it should also be reasonable for the processor. A reasonable timeframe, such as 72 hours, can ensure the processor has sufficient time to assess the breach and gather necessary information. It’s helpful if the information required in the event of a data breach does not impose stricter requirements than those under Article 33(3) GDPR. This approach can help the processor focus on resolving the breach effectively without being overburdened with excessive documentation.

Audits

Audit rights are necessary for verifying compliance, but they should be balanced and not overly burdensome for the processor. Limiting the scope of audit rights to specific areas relevant to data protection, such as technical and organizational measures, security practices, and compliance with the DPA and data protection laws, can be beneficial.

Additionally, it can be helpful if the DPA specifies a reasonable notice period for audits and allows the processor the right to object to the controller’s appointed auditor in certain reasonable circumstances. We know audit costs are often the subject of dispute in DPA negotiations, and it's in the processor's interest tp It’s also useful to ensure that the DPA specifies that the controller covers all audit costs.

Transfer of Data

When transferring personal data outside the European Economic Area (EEA), it’s beneficial for the DPA to avoid outright restrictions on such transfers if appropriate safeguards are in place. Ensuring flexibility in international data transfers allows processors to operate efficiently while still complying with GDPR requirements. Any restrictions should ideally be proportionate and justified based on specific circumstances. Most often, DPAs include references that incorporate the European Commission's SCCs directly and you should only complete the accompanying annexes.

Liability

Limiting liability to the extent permissible by data protection legislation is important for processors. For example, it can be helpful if the DPA restricts the processor's liability to direct losses caused by gross negligence or willful misconduct, and excludes indirect or consequential losses. Another measure in favor of the processor is ensuring that any liability terms agreed upon in the services agreement also apply to the DPA, including any applicable liability caps.

Conclusion

A well-crafted DPA can help processors avoid potential issues and pitfalls while also demonstrating a strong commitment to data protection. If you want to check whether a third-party DPA includes terms that might not be in your interest and receive recommendations in seconds, use CuratedAI's DPA review tool for a processor-friendly check.

If you're a data controller and want to understand better what types of contractual clauses you should include in your DPA to better protect your interests, read our blog post on "Key Terms for Controllers in Data Processing Agreements (DPAs)".