Most Important Points Regarding Data Processing Agreements
- An order processing contract (AV contract), also known as a Data Processing Agreement (DPA), is required under Article 28 of the General Data Protection Regulation (GDPR). This applies when a company (controller) commissions a service provider (processor) to process personal data.
- The DPA contract regulates the data protection rights and obligations of both parties. Key aspects include the controller's authority to issue instructions and the processor's obligations regarding data security.
- The minimum contents of a DPA include the subject matter and duration of the processing, its type and purpose, the categories of personal data and data subjects, and the processor's confidentiality obligations. It also specifies technical and organizational measures (TOMs), subcontracting relationships, and the deletion of data after contract termination.
- Transferring data to a service provider without a valid DPA violates the GDPR. This carries a significant risk of fines and civil liability.
- Startups should proactively assess where they use external service providers, such as for cloud hosting or newsletter services, and ensure corresponding DPA contracts are in place.
Purpose and Scope of the Data Processing Agreement
A Data Processing Agreement (DPA) protects personal data. The General Data Protection Regulation (GDPR) mandates such agreements when a controller (the commissioning company) engages an external service provider. This applies if the service provider collects, uses, or stores personal data on the controller's behalf.
Typical examples include cloud services, hosting providers, newsletter dispatch services, analytics tools, or external payroll accounting. The DPA ensures that the service provider processes data only in accordance with the controller's instructions and within the scope of the GDPR.
Legal Requirements: Article 28 GDPR
Article 28 GDPR outlines the specific minimum points that a DPA must regulate. These provisions ensure comprehensive data protection:
- Purpose and duration of processing: This defines the service provided and the timeframe for data processing.
- Type and purpose of processing: For example, the storage of customer data for sending newsletters.
- Type of personal data and categories of data subjects: Such as contact details of customers.
- Obligations and rights of the controller: The controller, for instance, retains the right to issue instructions and must be able to exercise this right effectively.
- Obligations of the processor: This includes processing data strictly according to documented instructions and ensuring confidentiality among all personnel handling the data. Furthermore, the processor must implement suitable technical and organizational measures (TOMs) to protect data, such as encryption and access restrictions.
- Subcontracting relationships: The processor may only engage further subcontractors with the controller's explicit approval. These subcontractors must be contractually bound by the same data protection obligations.
- Support obligations: The processor must assist the controller in fulfilling data subject rights, such as information access and erasure requests. They must also support obligations like data protection impact assessments.
- Return/deletion: Upon completion of processing, the processor must delete or return all personal data at the controller's discretion. This is unless a statutory retention obligation dictates otherwise.
- Controls and evidence: The controller has the right to audit the processor's data processing activities. The processor must be able to demonstrate compliance with all implemented measures.
Obligations of Controller and Processor
Concluding a DPA alone is not enough; both parties must continuously fulfill their agreed obligations.
- Controller: The controller remains the master of the data. They must carefully select the processor, ensuring sufficient guarantees are in place. Furthermore, the controller is responsible for clearly issuing and documenting instructions, and conducting checks or audits as necessary. Additionally, the controller must inform data subjects and maintain a register of processing activities, including commissioned processing.
- Processor: The processor must only use data as contractually agreed and according to instructions. They are obligated to keep security measures up-to-date and report data breaches to the controller (Art. 33 GDPR). All supporting activities, such as assisting with requests for information, must be provided without unreasonable delay.
Both parties should conclude the DPA in writing or text form. Although GDPR requires written form, electronic form is generally accepted. Proper archiving of these documents is also essential.
Consequences and Significance for Startups
Violating Article 28 GDPR by processing personal data through third parties without a necessary Data Processing Agreement can lead to severe consequences. Companies may face substantial fines, in serious cases up to EUR 10 million or 2% of annual global turnover. There is also a risk of claims for damages from data subjects if data breaches occur under data protection law.
It is therefore essential for startups to gain an early overview of all outsourced data processing. Typical services include web analytics, cloud hosting, external support, or marketing tools. For each of these, businesses must verify if a contractual relationship exists and if a DPA is required. Many large service providers offer pre-formulated DPA contracts, often available online. It is advisable to securely store these documents and regularly review whether data processing still aligns with the agreed framework.
Fazit
The Data Processing Agreement (DPA) is a critical component of GDPR compliance for any company engaging third-party service providers to handle personal data. It safeguards data, mitigates legal risks, and clarifies responsibilities between controllers and processors. Startups, in particular, must prioritize establishing and maintaining robust DPAs to avoid hefty fines and protect their reputation in a data-driven world.