As a business sharing or receiving personal data, it is essential to understand whether you need to sign a data processing agreement. In certain circumstances, a data processing agreement is mandatory under data protection laws. A data processing agreement is a contract or set of terms required for safeguarding personal data shared between a controller and processor. In this article, we will explore whether your business needs to sign a data processing agreement.
What is a Data Processing Agreement?
The UK General Data Protection Regulation (UK GDPR) governs the use of personal data in the United Kingdom and prescribes strict rules regarding the sharing of personal data.
A data processing agreement is a written contract that is mandatory when a data controller shares personal data with a data processor. The agreement documents each party’s responsibilities under the UK GDPR to ensure that personal data is safeguarded, protected, and processed in accordance with data protection law rules.
To define the roles of the parties to a data processing agreement, a data controller is the party that decides how and why to use personal data and gives instructions on how to process personal data. In contrast, a data processor is a party that acts on the data controller’s instructions. The processor may only process the personal data as per those instructions and has no freedom to decide how to use personal data.
A data processing agreement must include several mandatory terms, which are prescribed in Article 28 of the UK GDPR.
For instance, the agreement must set out the following:
- a description of the data processing, including the subject matter and duration of the intended processing;
- various obligations on the processor, including the need to process personal data only on the controller’s instructions and return or delete personal data;
- rules around the use of third-party sub-processors; and
- requirements to have in place technical security measures to secure personal data.
In addition to the minimum terms required by law, the parties can also negotiate terms to protect their own interests, for example indemnities that compensate one party for losses it suffers as a result of the other party breaching the agreement.
Does My Business Need a Data Processing Agreement?
Understanding whether your business needs to sign a data processing agreement is crucial. Below are some key considerations and examples of when one is typically required.
1. Your Business is a Data Controller, Sharing Personal Data with a Processor
Data controllers often share personal data with third parties in everyday business. For example, companies share personal details with third-party suppliers who are external businesses.
If your business acts as a data controller, you should carefully consider which third parties you share personal data with, or intend to share it with. You must assess whether those third parties act as ‘data processors’, that is, whether they process personal data on your behalf. If so, you will require a data processing agreement with them.
Where you intend to work with a third party whom you will share personal data with, consider questions including:
- which types of personal data you share with the third party and why;
- what the third party is permitted to do with the personal data;
- whether the third party can make any decisions regarding the personal data; and
- when the third party will need to delete or stop using personal data.
The answers to these questions will help determine whether the third parties you are engaging will act as data controllers or data processors.
Here are some practical examples of when you typically need a data processing agreement.
Scenario: You Outsource HR and Payroll Work
Suppose your business is an SME employing several members of staff. You do not have the capacity to deal with payroll at your company. As such, you engage a third-party HR and payroll business to pay your staff each month. You give the supplier access to your staff details in order to deliver their services each month. Beyond this, however, the supplier will have no right to use your staff data. As such, the supplier acts as a data processor.
Scenario: Engaging a Public Relations Agency to Market Your Brand
Suppose your business is a start-up and works with a PR agency to carry out PR services to build your brand. As part of the project, the agency needs the contact details of your senior staff in order to manage the project with them. For example, the agency needs your creative director’s name and contact details to get in touch with them to discuss project milestones. After completing the project, the agency must delete all of your staff details and stop using them. The agency has no control over the use of your staff data. As such, the agency acts as a data processor.
These are some examples; however, each occasion of data-sharing requires analysis on a case-by-case basis. If, in the above scenarios, either supplier had some control over the personal data shared with them, they could, in fact, be data controllers in their own right. The parties will need a separate data-sharing agreement in such a case.
2. Your Business is a Data Processor Receiving Personal Data from Controllers
If your business receives personal data from third parties, such as customers, you need to consider whether you act as a data processor.
For example, service suppliers often act as data processors when processing customer data to deliver services.
Common examples of data processors include (without limitation):
- cloud service providers;
- IT support service providers;
- software-as-a-service suppliers;
- payroll companies; and
- software suppliers.
Again, you must analyse each data-sharing occasion on a case-by-case basis. As a supplier, you may not always act as a data processor. For instance, you may have discretion over the use of personal data your customers share with you – this may mean you also act as a data controller.
If you are a processor sharing personal data with another processor, you will need a data sub-processing agreement. A data sub-processing agreement must prescribe various rules regarding how the sub-processor can process the controller’s data.
As explored above, various data-sharing scenarios require careful consideration. Sometimes, analysing whether a party is a controller or processor and whether an agreement is needed can be challenging. If you are in doubt about your role or obligations, you should seek advice from a data protection solicitor. A data protection solicitor can help you by looking at your arrangement and guiding you on which type of agreement you need to put in place for UK GDPR compliance.
Key Takeaways
As a business sharing personal data, it is vital to understand whether you need a data processing agreement. This applies whether you are a controller or a processor. You should carefully assess the circumstances in which you share or receive personal data and determine whether an agreement is necessary. You should also remember that a data processing agreement is a mandatory legal requirement and not optional. If you require support with understanding whether you need a data processing agreement, you can work with a data protection solicitor to support you and help you put the correct agreements in place.
If you need advice on a data processing agreement, contact our experienced IT lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on [number or visit our membership page.