The UK GDPR prescribes stringent rules around sharing personal data with third parties. Whenever your business engages a third party to process personal data on its behalf, mandatory rules apply. For instance, you will need to put a UK GDPR-compliant data processing agreement in place before you share the data with that provider. This article explains what a Data Processing Agreement is and the key provisions it must cover.
Data Controllers and Data Processors
The definitions of ‘data controller’ and ‘data processor’ are fundamental concepts under the UK GDPR. Whether an organisation is a controller or a processor determines its responsibilities under the UK GDPR. A data controller is the party that decides how and why personal data is collected and used (the ‘means’ and ‘purposes’ of the processing). A data processor is a separate party that processes personal data on behalf of the controller and only on the controller’s instructions.
For example, an employer is the data controller of its staff data, as it collects that data and decides what to do with it. Suppose the employer uses a third-party supplier to run payroll because it lacks the resources to do so in-house. The payroll company acts as a data processor: it uses the employer’s staff data only to provide the service and only in accordance with the employer’s instructions. Because the supplier does not decide how the personal data is used, it must follow the rules set out in a data processing agreement with the employer.
The UK GDPR requires a controller to use only processors that provide sufficient guarantees that they will implement appropriate technical and organisational measures, so that the processing meets the requirements of the UK GDPR and protects the rights of data subjects. Accordingly, before engaging any service provider that will have access to its personal data, a controller must carry out thorough due diligence on that provider (for example, by reviewing its security measures and the sub-processors it relies on).
What is a Data Processing Agreement?
Whenever a data controller uses a data processor, the parties must enter into a written contract (or another legal act that is binding on the processor) setting out each party’s obligations under the UK GDPR. This ensures that the personal data shared between the parties is always safeguarded.
Under the UK GDPR, a Data Processing Agreement must contain certain specific provisions. In particular, it must describe the processing, including the:
- subject matter of the processing, which explains what the processing relates to;
- nature and purpose of the processing, which explains what processing activities will be carried out and why;
- duration of the processing, which explains how long the processing will be carried out;
- types of personal data, which explains what sort of data will be processed;
- categories of data subjects, which explains whom the data relates to, e.g. customers or employees; and
- obligations and rights of the controller.
Data Processor Obligations
In addition, the Data Processing Agreement must impose specific obligations on the processor. Below are the most important of them.
A data processor must:
- only process personal data on the controller’s documented instructions (including in relation to any transfers of personal data outside the UK);
- ensure that everyone it authorises to process the data has committed to confidentiality, whether under contract or a statutory duty;
- take appropriate technical and organisational measures to ensure the security of the processing, and assist the controller in meeting its own security obligations;
- only appoint sub-processors with the controller’s prior written authorisation (which may be specific or general), and flow down the same data protection obligations to any sub-processor it appoints;
- assist the controller in responding to data subjects exercising their rights, such as subject access requests, the right to erasure and the right to object;
- notify the controller without undue delay after becoming aware of a personal data breach, and assist the controller in notifying that breach to the regulator (the ICO in the UK) and to affected data subjects where required;
- assist the controller with any data protection impact assessments the controller carries out;
- at the end of the contract, delete or return all personal data to the controller (at the controller’s choice) and delete any remaining copies, unless domestic law requires the processor to retain the data;
- make available to the controller all information necessary to demonstrate compliance with these obligations, and allow for and contribute to audits and inspections conducted by the controller or an auditor it mandates; and
- immediately inform the controller if, in its opinion, an instruction infringes data protection law.
This list sets out the core mandatory terms. Various other terms (such as an indemnity from the processor for losses caused by its breach of the agreement) are not required by the UK GDPR but are often highly advisable.
Data Controller Obligations
If you are a controller using third-party processors, you must ensure that every processor you engage signs a contract reflecting the terms above. If you are unsure what the agreement should contain, seek legal advice and ask data protection lawyers to prepare a Data Processing Agreement that is fully UK GDPR compliant.
Some large service providers will have their own standard Data Processing Agreements, and these may be non-negotiable. You should still review their terms carefully, check them against the mandatory provisions listed above, and satisfy yourself that you are comfortable with them. The controller remains accountable for choosing a compliant processor, and accepting a provider’s standard terms does not transfer that responsibility.
Key Takeaways
A Data Processing Agreement is a key document for data controllers and data processors under the UK GDPR, and one must be in place whenever a controller engages a processor to handle personal data on its behalf. The agreement must contain a number of mandatory terms. Both controllers and processors should ensure that their agreements are carefully drafted for each engagement and that the terms are fully UK GDPR compliant.