One of the key elements data controllers and data processors need to put in place under the GDPR is an effective data processing agreement or “DPA” in short.Over the years, we have seen most public administrations, businesses and organisations over-relying on templates, without considering the specifics of the processing activities the DPA tends to cover.

Here are 10 elements of a data processing agreement that must be considered:

1. Details of the parties involved: The data processor and the controller should both be identified in the agreement. It should also list any sub-processors or third parties who may access or use the data at any point during its processing.

2. Specify the duration of the agreement: A clear timeline should be outlined as to when the agreement will come into effect, when it will expire, and under what conditions it may be amended or terminated. Now, most DPAsare not stand-alone documents, but have been entered into as part of an overarching contract. Therefore, it is important to ensure that the interplay with such “master agreement” is correctly configured in the DPA.

3. Clarify the purpose of the data processing: The specific purposes for which the data will be used should be outlined in detail. Although these purposes can be outlined in the overarching agreement, it is relevant to reiterate on these. Also, it is recommended to set out a process when changes are made to these purposes, as this could have an impact on not only the DPA’s compliance with the GDPR, but also the processing activities the parties are engaged in.

4. State what typesof personal data will be processed: A description of the exact data being processed should be included so that both parties are fully aware of its scope. Since the parties will likely both have a register of dataprocessing activities in place (as required by Article 30 of the GDPR), it is important to ensure that the contents of the DPA are aligned with the processing activities recorded in such register.

5. Specify security measures to protect the personal data: Appropriate technical and organizational measures should be outlined to ensure the secure storage and protection of the personal data from unauthorized access or loss. Comprehensive DPAs provide for a list of the measures undertaken by both parties and contain a process to ensure that these measures are kept up-to-date throughout the term of the DPA and the overarching agreement.

6. Assign responsibility for compliance with GDPR requirements: The agreement should clearly assign responsibilities among all parties involved in the dataprocessing. As long-term contractual business relationships tend to change over time, the DPA and the parties’ performance thereof should be reviewed on a regular basis. This is the case when data processing activities change or the scope of the DPA or the overarching agreement is modified. If a party has appointed a DPO, it must be clear that he or she has an important role to play in this respect.

7. Address international transfers of personal data: If the data is to be transferred internationally (and in particular outside of the EU), the DPA must outline extra measures to remain compliant with the GDPR. The European Commission has defined so-called “Standard ContractualClauses” or SCCs, which must be entered into when a party exports personal data to a country that does not protect such data in a way similar to the GDPR.

8. Set out rules for subcontracting and sub-processing: The contract should include provisions that require all third parties working with or on behalf of the processor to comply with GDPR requirements as well. According to a recent judgement of the European Court of Justice, controllers and processors must be able to indicate which data is processed by all parties involved.

9. Require adherence to certain notification procedures: This may include mandatory notifications if there has been unauthorized access to personal data or a breach of security. Be aware that if a notification following a data breach needs to be made, these need to be done within specific timeframes. Also, the entities involved should inform the right authorities, parties involved, as well as – under certain circumstances – the data subjects themselves.

10. Establish record keeping and audit rights: Both parties should maintain records of their activities related to the processing of personal data, and they should be open to audit rights and inspections.

The above list contains most of the key elements in ensuring that dataprocessing agreements comply with the GDPR and help protect the personal data of data subjects. In our experience, it is essential to have a well-crafted dataprocessing agreement in place before any data processing activities begin.Doing so will help ensure compliance with GDPR requirements and provide everyone involved with peace of mind.

‍