When a controller engages a processor, the GDPR (Article 28) requires that the parties enter into a specific contract that contains certain mandatory provisions. This contract is often referred to as a ‘data processing agreement’ or ‘DPA’. To facilitate compliance with this requirement, the GDPR empowers the European Commission to issue standard contractual clauses (‘SCCs’), which essentially constitute a template DPA. The idea is that controllers and processors who implement the standard contractual clauses have thereby entered into a DPA that complies with the GDPR. The data processing SCCs should not be confused with the European Commission’s standard contractual clauses for data transfers outside of the EEA, which serve a different purpose.
In November 2020, the European Commission published data processing SCCs in draft form and launched a public consultation to solicit feedback from stakeholders. On January 14, 2021, the European Data Protection Board (‘EDPB’) and European Data Protection Supervisor (‘EDPS’) issued a joint opinion in which they offer comments and suggestions with regard to the European Commission’s proposed data processing SCCs. At this point in time, it is unclear whether the European Commission will incorporate all of the comments and suggestions put forward by the EDPB and EDPS in its final version of the data processing SCCs. Nonetheless, the EDPB – EDPS joint opinion provides useful insight into the EU data protection regulators’ expectations when it comes to data processing agreements. We have distilled the following key takeaways from the joint opinion:
- DPAs that merely restate the mandatory provisions in Article 28 of the GDPR are unlikely to pass muster with EU data protection regulators. In the opinion of the EDPB and EDPS, DPAs should include additional provisions and clarifications as to how the corresponding controller/processor obligations will be fulfilled in practice. Put differently, DPAs should not only list the relevant controller/processor obligations, they should also explain with a sufficient level of detail how these obligations will need to be complied with. A few examples provided by the EDPB/EDPS:
- As regards the controller’s choice to have all personal data deleted or returned at the end of the agreement (per Article 28 (3) (g) GDPR), the DPA should specify that the controller can modify that choice throughout the life cycle of the DPA and upon termination.
- If the DPA provides the processor with the possibility to propose an auditor (with a view to complying with Article 28 (3) (h) GDPR), the DPA should also make it clear that the ultimate decision about the auditor will be left to the controller.
- If the processor has notified the controller that its instructions infringe the GDPR (per the final subparagraph of Article 28 (3) GDPR, which relates to point (h)), the DPA could stipulate, for instance, that the processor is entitled to suspend the implementation of the controller’s instructions until the controller confirms, amends or withdraws its instructions.
- DPAs often focus on processor obligations and requirements under the GDPR. Care must be taken, however, that the DPA also sets out clearly the rights and obligations of the controller(s). In the view of the EDPB and EDPS, it is advisable, for example, to stipulate that the controller has the right and obligation to make decisions about the purposes and means of the processing that the processor will carry out on behalf of the controller. Also, in some scenarios (e.g., hosting services) the DPA should impose an obligation on the controller to provide all useful information that the processor needs in order to assess and ensure that appropriate data security measures are put in place.
- When there are more than two parties to a DPA, the DPA should detail the allocation of responsibilities and clarify which data processing is carried out by which processor(s) on behalf of which controller(s), and for which purpose(s). The DPA should eliminate any confusion as to the qualification and role of each party with respect to a given processing activity. According to the EDPB/EDPS, “this is necessary for the parties to be able to determine who is processing which personal data for whom and for what purpose, and what instructions are applicable and who is allowed to give instructions. Any ambiguity would make it impossible for controllers or processors to fulfill their obligations under the accountability principle”.