A key component of GDPR compliance is having a robust Data Processing Agreement (DPA). This article will explore the mandatory terms for DPAs as specified by the GDPR and why they are essential for your business. A Data Processing Agreement (DPA) is a legally binding document that outlines the relationship between a data controller and a data processor. You need to sign a DPA every time you entrust the processing of personal data to a third party, or you process personal data for another company. DPAs specify the terms under which personal data is processed, ensuring that both parties adhere to GDPR requirements.

Mandatory Terms for DPAs

Articles 28 through 36 of the GDPR set out the main requirements and clauses that must be included in any data processing agreement for it to be compliant with EU data protection law. Here are the essential elements that must be included in DPAs according to Article 28 GDPR:

1. Details About Processing (Article 28(3)):

   • Purpose of Processing: This defines why the data is being processed. It's important to be clear and specific to ensure compliance.
     Example: "The purpose of the data processing is to manage customer relationships and improve service delivery."

   • Nature of Processing: This describes the type of processing activities being carried out. It should include specific operations like collecting, storing, or transferring data.
     Example: "The nature of processing includes collecting customer feedback, storing customer data, and analyzing purchase history."

   • Type of Personal Data: Specify the types of personal data being processed. This can range from basic identification information to sensitive data like health records.
     Example: first and last name, email addresses, phone numbers, IP address, purchase history

   • Categories of Data Subjects: Define the groups of individuals whose data is being processed. This helps clarify whose data is at stake.
     Example: customers, employees, suppliers

   • Duration of Processing: State how long the data will be processed. This could be tied to the length of the service agreement or specific legal requirements.
     Example: "The duration of the processing is for the term of the service agreement, or until the customer requests data deletion."

2. Processor Obligations:

   • Documented Instructions (Article 28(3)(a)): The processor must act only on documented instructions from the controller, including data transfers.

   • Notification of Infringements (Article 28(3)): The processor must inform the controller if any instructions infringe GDPR or other data protection laws.

3. Confidentiality (Article 28(3)(b)):

   • Ensure that persons authorized to process data have committed to confidentiality or are under statutory obligations of confidentiality.

4. Security Measures (Article 28(3)(c )):

   • The processor must take all measures required under Article 32 GDPR, including encryption, ensuring ongoing confidentiality, and regular security assessments.

5. Sub-Processors (Article 28(2), 28(4)):

   • Authorization: The processor may not engage another processor without the controller’s prior written authorization.

   • Same Obligations: Sub-processors must be bound by the same data protection obligations.

   • Liability: The processor remains fully liable for any sub-processor's failure to fulfill data protection obligations.

6. Notification of Data Breach (Article 28(3)(f)):

   • The processor must assist the controller in notifying supervisory authorities and data subjects of data breaches as required by Articles 33 and 34 GDPR.

7. Assistance to the Controller (Article 28(3)(e), 28(3)(f)):

   • Data Subject Requests: Assist in responding to data subject rights requests.

   • Security Compliance: Assist in ensuring compliance with Article 32 GDPR on security.

   • DPIAs: Help with Data Protection Impact Assessments (DPIAs) as required by Article 35 GDPR.

   • Prior Consultation: Assist with prior consultations with supervisory authorities as needed under Article 36 GDPR.

8. Audit and Compliance (Article 28(3)(h)):

   • Information Availability: Provide all information necessary to demonstrate compliance.

   • Audit Rights: Allow for and contribute to audits and inspections by the controller or an appointed auditor.

9. Erasure and Return of Data (Article 28(3)(g)):

   • At the end of the processing, the processor must delete or return all personal data to the controller and delete existing copies, unless EU or member state law requires storage.

10. Transfer of Data (Article 28(3)(a), Chapter V GDPR):

    • Documented Instructions: The processor may transfer personal data to third countries only on documented instructions from the controller.

    • Appropriate Safeguards: Ensure that appropriate safeguards are in place for international data transfers.

If you need to draft a DPA but don't already have a template, it's a good idea to use the Standard Contractual Clauses for controllers and processors approved by the European Commission. While the standard clauses might not include any specifics tailored to your data processing operation, they include all of the Article 28 GDPR mandatory clauses and can be directly relied upon in your commercial activity after completing the annexes.

If you're a data controller and want to understand better what types of contractual clauses you should include in your DPA to better protect your interests, apart from the mandatory Article 28 ones, read our blog post on "Key Terms for Controllers in Data Processing Agreements (DPAs)". If you're a data processor, we also have you covered in our blog post "Key Terms for Processors in Data Processing Agreements (DPAs)".

Conclusion

For small businesses, understanding and implementing the mandatory terms of a Data Processing Agreement (DPA) is crucial for GDPR compliance. A well-crafted DPA not only helps avoid legal pitfalls but also ensures that personal data is handled securely and responsibly. By adhering to these mandatory terms, your business can build trust with customers and partners, demonstrating a strong commitment to data protection.

You can check in seconds whether your internal templates or any DPAs provided by third parties comply with the mandatory GDPR requirements by using CuratedAI's DPA review.