Data processing agreements: your 2023 summary guide

Data processing agreement

On May 25, 2018, GDPR came, saw, and changed the way we think about, collect and use people's data forever. Hailed as the strictest privacy standard that has ever existed, the European Union’s General Data Protection Regulation (the GDPR) has since given millions of EU residents more control over the data they share and become a catalyst for a global wave of data protection regulations, most notably the California Consumer Privacy Act in the US.

Over the past four years, the regulation has also forced organizations who failed to play by the rules to pay fines to the tune of more than €2.1 billion.

In 2022, for example, Volkswagen was left with a bill of €1,1 million issued by the Lower Saxony data protection authority in connection to its driving assistance system test vehicles. The data protection watchdog uncovered multiple GDPR infringements, including the lack of a data processing agreement with the entity that carried out the test drives, which violates Article 28 of the GDPR.

Having your data processing agreements in place is clearly no box-ticking exercise. But what is a DPA, and who needs to sign one and when? In this article, we’ll guide you through the whats and hows of data processing agreements or DPAs, from what the GDPR requires to how you can initiate a DPA-signing process with Tresorit.

Personal data processing: definition and examples

Under the GDPR, processing is defined in rather broad terms, which covers both manual and automated means and a variety of activities performed on data, from data collection to data transfer. These include but are not limited to recording, organization, storage, alteration, retrieval, consultation, use, disclosure, dissemination, combination, restriction, erasure, and destruction of personal data.

Data processing happens, for example, when someone’s image is recorded on a department store’s CCTV system, an electricity supplier stores customers’ personal data to provide better service, a magazine publisher sends out a promotional offer to subscribers’ email address or a company’s HR department shreds an ex-staffer’s personnel file following the end of their employment.

What is a DPA? Meaning and implications under GDPR

Every organization relies on third-party service providers to process personal data in some shape or form, from email service through cloud storage to payment solutions providers. Under the GDPR, they must have a data processing agreement (sometimes referred to as data protection agreement or data privacy agreement), in place with all of these entities, called data processors (more on that later).

A DPA is a legally binding document between a controller and a processor that sets forth the terms of data processing, such as duration, scope, and purpose. It also describes the relationship between the two parties as well as their rights and obligations in terms of safeguarding personal data.

Why is a DPA important?

The GDPR requires data controllers to take measures to ensure the protection of the personal data they handle. If data controllers decide to outsource certain data processing activities, they must be able to demonstrate that their suppliers and sub-processors also provide sufficient guarantees to protect the data and act in a GDPR-compliant manner.

Data processing agreements are key to GDPR compliance as they define what data processors should, can and cannot do with personal data in terms of how it’s stored, accessed, used, and kept safe. In other words, DPAs demonstrate that data processors are able and willing to guarantee sufficient levels of protection for the data they’re trusted with.

When do you need a data processing agreement?

Every time you as a data controller decide to outsource certain processing activities of personal data to a third-party data processor, as per the GDPR, a DPA must be put in place between you and the processor. As we’ve pointed out earlier, it’s hard to imagine a business today that doesn’t need one – or rather several – of such contracts to cover data processing activities outsourced to web hosting, cloud storage, customer relationship management, and a roster of other service providers.

The who’s who of GDPR: what is a data controller – and what is a data processor?

In the simplest of terms, a data controller is whoever determines the purpose and means of data processing, while the processor is the one doing the processing for the controller in line with the controller’s instructions. In more specific GDPR terms, a controller is the natural or legal person, public authority, agency, or other body which, on its own or in collaboration with others, determines the purposes and means of personal data processing. A processor is the natural or legal person, public authority, agency, or other body which processes the personal data on behalf of the controller.

In doing so, data processors serve the controller’s interests rather than their own. They might make their own decisions regarding some aspects of implementation, such as technical aspects, but they can only process personal data as per the controller’s instructions unless otherwise required by EU or Member State law, the European Data Protection Board advises. Keep in mind that if a processor makes decisions on the purpose and means of processing without controller instructions, it will qualify as a controller in respect of the processing activity in question – and will assume the liability of a controller.

Data processing agreement checklist: what to include in a DPA?

Make sure that your data processing agreement covers at least the following: the purpose and duration of data processing, the categories of data to be processed along with the categories of data subjects, the rights and obligations of the data controller, the confidentiality and security protocols the data processor should follow to protect personal data as well as provisions for sub-processors, if any.

According to Article 28, Section 3 of the GDPR, the DPA should stipulate that the processor, among other things, must:

● process the personal data only as instructed by the controller, including when personal data is moved to a third country or an international organization,

● ensure that the people authorized to process the personal data have committed themselves to confidentiality,

● take all technical and organizational measures to ensure the level of security fits the risk profile of the processed data,

● observe the conditions of engaging another processor set forth in the GDPR, such as obtaining written authorization from the controller,

● help the controller to meet its obligations in responding to requests for exercising the data subject’s rights under the GDPR,

● delete or return all the personal data to the controller after the end of the provision of processing services at the controller’s request,

● make available to the controller all information necessary to show compliance with the GDPR, including during audits and inspections.

What to watch out for when signing a DPA: key considerations

The most important thing to ask yourself before entering into a DPA is whether the processor can provide sufficient guarantees for the protection of the data you’re about to hand over to them. This is vital because under the GDPR, if there’s a data breach, even if it’s on the side of the data processor, you, the data controller, might be held responsible. Look for processors with the right safeguards to minimize the risk and consequences of a potential data breach and uphold the protection of personal data.

Just as crucially, a data processing agreement should specify in no uncertain terms that the data processor must not process your data for any other purpose than the purpose of outsourcing as laid down in the DPA. Check regularly if data processors follow the terms of your DPA when processing the data you share with them or use any of the data for their own purposes. Also make sure that the scope of the agreement is not broader than the underlying legal basis you have for processing data subjects’ information.

Do processors have to sign a DPA with their sub-processors?

Yes. As we explained above, even if you’re a data processor and not a controller, whenever you decide to outsource any part of your data processing needs, you have to enter into a DPA with your sub-processor to ensure they comply with the rules of the GDPR. You must also impose the same obligations on your sub-processor as those you’ve undertaken against the controller. If a sub-processor fails to fulfill any of its data protection obligations under the GDPR, the original data processor will remain liable to the controller for the sub-processor’s non-compliance and its consequences.

GDPR fines: the very real cost of non-compliance

For better or worse, the GDPR does not specify penalties for not having the right DPAs in place. That said, infringements can cost you anywhere between a reprimand and a temporary or definitive ban on data processing, plus a fine of up to €10 million or 2% of your total annual worldwide turnover. Data protection authorities will take into account the nature, gravity, and duration of the GDPR violation, including whether it resulted from intentional or negligent behavior and what action was taken to mitigate the damage caused to data subjects.

What kind of personal data does Tresorit process on your behalf?

As we use client-side encryption, it’s impossible for us to access our users’ encrypted content and leverage the encrypted information to identify any individual. This means that under the GDPR, such content doesn’t qualify as personal data from our perspective.

However, in providing our services, we process certain non-encrypted data, including personal data related to the users managed by admins and co-admins in a subscription (such as the users’ full name, email address, file activity logs and log-in attempts). With respect to this data, Tresorit acts as a data processor.

We have a DPA in place to cover the processing activity we perform in regard to the limited amount of personal data we have on our customers. Please note that none of the data stored in our customers’ files falls within the scope of this agreement.

Who should execute a DPA with Tresorit?

Any Tresorit customer who has a business subscription (Tresorit Solo, Small Business, Business, or Enterprise) with us and is subject to the GDPR. For more information and clear, comprehensive advice on whether or not the GDPR applies to you, please seek legal counsel.

How to execute a DPA with Tresorit?

You need to be a Subscription Owner to be able to access billing details and initiate the DPA-signing process. Refer to our step-by-step guide to complete the process.

If you’re looking for a solution to store, share, and sign documents with the highest-grade security in the cloud and makes signing a DPA easy, try Tresorit today.

  • Petra Kovacsics

    Petra Kovacsics

    Petra Kovacsics is a Data & Technology Lawyer specialized in data protection, cloud computing and IP protection.

    View more articles