16.04.2025
Data processing agreement (DPA): Definition, content & pitfalls
What is a data processing agreement and when do you need one? What should it contain and what are the consequences of an incorrect or missing DPA? We have summarised all the important information on data processing agreements for you. Read it now.

Jacqueline Neiazy
Director Privacy
What is a data processing agreement?
A data processing agreement (DPA) is a civil law contract whose subject matter is the processing of personal data on behalf of a controller. As a contract under civil law, the content of a DPA is, apart from the mandatory content of Art. 28 para. 3 of the General Data Protection Regulation (GDPR), largely left to the contracting parties under the principle of private autonomy.
This means that the controller and the processor may agree on rights and obligations going beyond those of the GDPR, as long as those provisions do not deviate from Art. 28 GDPR in an impermissible way or undermine its mandatory content.
What is processing on behalf of a controller, and when do you need a data processing agreement?
Processing on behalf of a controller means that a natural or legal person, public authority, agency or other body (the processor) processes personal data on behalf of the controller (Art. 4(8) GDPR). In simple terms, it is the outsourcing of processing to an external party. In these cases there is always an obligation to conclude a data processing agreement: Art. 28(3) GDPR requires a contract or other legal act that binds the processor to the controller.
Examining the specific arrangement is important because it assigns and defines responsibility for the processing in relation to the other actors under the GDPR. Processing on behalf is characterised by two features that must both be present:
- The controller decides on the purposes and means of data processing, and
- the processor is subject to the controller's instructions.
The processor must also be a natural or legal person outside the controller's organisation. Employees or departments of a company can therefore never be processors for their employer (the controller).
The GDPR does not specify which processing activities can constitute processing on behalf. In principle, therefore, every form of processing activity can qualify.
Typical examples of processing on behalf are:
- Cloud computing or SaaS applications
- Hosting / backup management
- Call centre activities
- Newsletter service providers
- Digitisation of documents and/or archiving
Also included are activities whose main purpose is not the processing of personal data, but which inevitably involve systematic and extensive access to personal data.
This can be assumed, for example, for IT support, which regularly has de facto access to the data. Activities in which data processing is only incidental, such as customer service in a call centre, are also covered.
Your solution for the best data protection
The basis of every good business relationship is trust. Strengthen the relationship with your customers with our expertise in data protection. This will give your company a strong competitive advantage and allow you to concentrate fully on your business.
What is not processing on behalf of a controller?
No standard statement can be made as to which activities do not constitute processing on behalf. Whether an activity qualifies must be assessed case by case on the basis of the activity actually to be carried out.
In any case, there is no processing on behalf where the contractor (also) decides on the purposes and means of the processing or (also) processes personal data for its own purposes.
At least the following activities are not considered processing on behalf:
- Postal and transport services
- Banking institutions and payment service providers
- Activities of persons subject to professional secrecy (lawyers, doctors, tax advisors, etc.)
What is the difference between processing on behalf and joint or separate controllership?
Processing on behalf must be strictly distinguished from joint and separate controllership.
Joint Controllership pursuant to Art. 26 GDPR (so-called joint control)
In the case of joint controllership, two or more controllers jointly determine the purposes and means of the processing. As with processing on behalf, joint controllership requires an arrangement between the controllers, which must set out their respective responsibilities in a transparent manner (Art. 26(1) GDPR).
The main difference from processing on behalf is that, in the case of joint controllership, each controller must itself comply with the obligations the GDPR imposes on it. For example, each controller must be able to demonstrate that the processing rests on a legal basis, and each must independently fulfil the information obligations under Art. 13 and 14 GDPR.
Separate responsibility
Separate controllership is not explicitly regulated in the GDPR. In contrast to joint controllership, there is no joint decision on the purposes and means; each controller takes that decision independently and separately. Nor is either separate controller bound by the other's instructions.
What can or must be regulated in the data processing agreement?
The mandatory content of a DPA is set out in Art. 28 para. 3 GDPR.
Description of the data processing (Art. 28 para. 3 sentence 1 GDPR)
First, the DPA must describe the processing precisely. This includes its subject matter, duration, nature and purpose, the types of personal data and the categories of data subjects (e.g. employees, customers, suppliers).
Obligations and rights of the controller (Art. 28 para. 3 sentence 1 GDPR)
In addition, the rights and obligations of the controller must be set out. The GDPR does not specify them in detail. In particular, the controller will typically be responsible for verifying the general permissibility and lawfulness of the processing.
Obligation of the processor to follow instructions (Art. 28 para. 3 sentence 2 lit. a GDPR)
A contractual provision is required that obliges the processor to process the personal data only in accordance with the documented instructions of the controller.
The instructions contractually define the services the processor is to provide, including the technical and organisational measures, and may contain further specifications on how the data is to be handled.
Besides the specific type and manner of processing, the instructions also cover whether the personal data may be transferred to a third country or an international organisation. However, the contract must also reflect the statutory exception to the obligation to follow instructions.
If the processor is required to process the data by Union or Member State law to which it is subject, it is not bound by the instructions in that respect. The processor must then carry out the processing, but must inform the controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest (Art. 28 para. 3 sentence 2 lit. a GDPR).
The instructions must be documented. No particular form is prescribed, but specifying one in the DPA is recommended, so that the processor's processing operations remain traceable and can be reconstructed if necessary.
Confidentiality (Art. 28 para. 3 sentence 2 lit. b GDPR)
The processor must ensure, and contractually commit, that the persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. As a rule, employees are already bound to confidentiality by virtue of their employment relationship.
Technical and organisational measures - TOMs (Art. 28 para. 3 sentence 2 lit. c GDPR)
The contract must stipulate that the processor implements all technical and organisational measures required under Art. 32 GDPR. Art. 32 names, as appropriate to the risk, the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access after an incident, and regular testing and evaluation of the measures. The concrete TOMs are usually attached to the DPA as an annex.
Sub-processors (Art. 28 (2), (3) sentence 2 lit. d and (4) GDPR)
The contract must stipulate the conditions of Art. 28 (2) and (4) GDPR for engaging another processor (sub-processor). Art. 28 (2) GDPR governs how the processor may appoint sub-processors.
The law provides two options: the engagement can require a specific authorisation, in which case the processor may only commission a sub-processor with the controller's prior consent for that sub-processor; or the controller may grant a general written authorisation. In the latter case, the processor must still inform the controller of any intended addition or replacement of sub-processors, giving the controller the opportunity to object.
Regardless of how the processor is authorised to engage sub-processors, it must impose the same data protection obligations on them by way of a contract or other legal act pursuant to Art. 28 (4) GDPR, meeting the requirements of Art. 28 para. 3 GDPR. If a sub-processor fails to fulfil those obligations, the initial processor remains fully liable to the controller for the sub-processor's performance.
Assisting the controller in safeguarding the rights of data subjects (Art. 28 para. 3 sentence 2 lit. e GDPR)
In order to ensure effective enforcement of data subjects' rights (Art. 12 to 23 GDPR), the processor must, taking into account the nature of the processing, assist the controller with appropriate technical and organisational measures in responding to such requests. In practice, this regularly means forwarding requests received directly by the processor to the controller and providing the information the controller needs to answer them.
Assisting the controller in complying with the obligations under Art. 32 to 36 GDPR (Art. 28 para. 3 sentence 2 lit. f GDPR)
The processor must also assist the controller in complying with the obligations under Art. 32 to 36 GDPR, taking into account the nature of the processing and the information available to it. This covers in particular security of processing, the notification of personal data breaches to the supervisory authority and to data subjects, and data protection impact assessments and prior consultation.
Return or deletion of data after termination of the contract (Art. 28 para. 3 sentence 2 lit. g GDPR)
The contract must provide that, at the controller's choice, the processor deletes or returns all personal data processed on the controller's behalf after the end of the services and deletes existing copies. This obligation does not apply to data the processor must retain under Union or Member State law.
Control and audit rights of the controller (Art. 28 para. 3 sentence 2 lit. h GDPR)
The processor must make available to the controller all information necessary to demonstrate compliance with the obligations of Art. 28 GDPR. It must also allow for and contribute to audits, including on-site inspections, conducted by the controller or by an auditor mandated by the controller.
Obligation to provide information (Art. 28 para. 3 sentence 3 GDPR)
Finally, a provision is required under which the processor must immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
What are processors required to do?
First, of course, the processor is obliged to comply with the contractual provisions. However, there are also other obligations for the processor under the GDPR.
Under Art. 30(2) GDPR, the processor must keep a record of the categories of processing activities carried out on behalf of each controller (ROPA). Compared with the record the controller must keep, this is a much shorter version. Under Art. 33(2) GDPR, the processor must also notify the controller without undue delay after becoming aware of a personal data breach.
Furthermore, Art. 31 GDPR obliges the processor to cooperate with the supervisory authority on request. Where the conditions of Art. 37 GDPR are met, the processor must also designate a data protection officer; see our separate article on when a DPO is required and what their duties are. If the processor is not established in the EU but falls within the scope of the GDPR under Art. 3(2), it must designate a representative in the Union in accordance with Art. 27 GDPR.
What are the common pitfalls of DPAs?
The content of a DPA should always be scrutinised carefully. It is not uncommon for a DPA to contain clauses that significantly disadvantage one party and may even be impermissible.
Restriction of control and audit rights
It is not uncommon, for example, for the controller's control and audit rights to be severely restricted: the controller may be allowed to inspect only at certain times and after a long notice period, or only once a year. Some clauses go further and provide that not the controller but only external auditors chosen by the processor itself may carry out the inspection.
Cost bearing regulations
Very often, DPAs also contain cost-bearing provisions, e.g. for the exercise of control rights or for the various support services, first and foremost support for the controller in responding to data subject requests and in the event of data breaches. Supervisory authorities view such arrangements critically, as Art. 28 GDPR does not provide for such costs and these are statutory obligations of the processor.
In principle, private autonomy does not rule out a cost-bearing arrangement as such. However, if the costs are so high (or left completely undefined) that their deterrent effect leads the controller to refrain from exercising its control and audit rights, the requirements of Art. 28 para. 3 GDPR may no longer be considered met.
Limitation of liability
Limitations of liability are also often included in the DPA, or the DPA refers to the limitation of liability in the main contract. The liability caps are usually so low that they would cover only a fraction of a fine paid by the controller. The controller would then be left bearing most of the fine, even where the processor is largely or entirely responsible for the breach.
Unilateral contract amendments
Another area of conflict, which has less to do with the content of the contract than with the conduct of the contracting party, concerns "silent" unilateral contract amendments, usually by very dominant suppliers. Such unilateral changes are permitted only under very strict conditions, a standard most change clauses do not meet.
In addition, constant amendments make it difficult to tell which version of the contract actually applies. The original DPA, including the TOMs and the list of sub-processors, should therefore be downloaded and archived so that, if it comes to a dispute, you can prove which version of the contract and which content actually became part of the agreement.
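One way to make that archived copy useful as evidence is to record a hash of every document at the time you accept it. The following Python script is an added example, not code from the original article or from any supplier: it stores the DPA package with a manifest of SHA-256 digests and later checks whether the files still match. The file names, contents and version label are constructed for illustration; in practice you would pass the PDFs and exports downloaded from the supplier's portal.

```python
"""Added example: archive a DPA package (contract, TOMs, sub-processor list)
with a SHA-256 manifest so you can later prove which version you accepted."""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample package: three hypothetical documents as raw bytes.
SAMPLE_DOCUMENTS: dict[str, bytes] = {
    "dpa_v3.pdf": b"%PDF-1.7 ... DPA version 3 as accepted on signing ...",
    "toms_annex2.pdf": b"%PDF-1.7 ... technical and organisational measures ...",
    "subprocessors.csv": b"name,purpose,location\nExampleCloud Ltd,hosting,EU\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the raw file content."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(documents: dict[str, bytes], contract_version: str,
                   captured_at: str | None = None) -> dict:
    """Describe a document set: size and SHA-256 of each file, the contract
    version label and a UTC timestamp of when the copy was taken."""
    if captured_at is None:
        captured_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return {
        "contract_version": contract_version,
        "captured_at": captured_at,
        "documents": {
            name: {"size": len(data), "sha256": sha256_hex(data)}
            for name, data in sorted(documents.items())
        },
    }


def verify_manifest(manifest: dict, documents: dict[str, bytes]) -> list[str]:
    """Compare a document set against a manifest. Returns a list of findings;
    an empty list means every recorded document is present and unchanged."""
    findings: list[str] = []
    recorded = manifest["documents"]
    for name, entry in recorded.items():
        if name not in documents:
            findings.append(f"missing: {name}")
        elif sha256_hex(documents[name]) != entry["sha256"]:
            findings.append(f"modified: {name}")
    for name in documents:
        if name not in recorded:
            findings.append(f"not in manifest: {name}")
    return findings


def archive_package(directory: Path, documents: dict[str, bytes],
                    contract_version: str) -> Path:
    """Write the documents plus manifest.json into `directory`. Keep that
    directory (at least the manifest) where the supplier cannot alter it,
    e.g. your own document management system."""
    directory.mkdir(parents=True, exist_ok=True)
    for name, data in documents.items():
        (directory / name).write_bytes(data)
    manifest_path = directory / "manifest.json"
    manifest_path.write_text(
        json.dumps(build_manifest(documents, contract_version), indent=2, sort_keys=True))
    return manifest_path


def load_package(directory: Path) -> tuple[dict, dict[str, bytes]]:
    """Read manifest.json and every other file in the directory back in."""
    manifest = json.loads((directory / "manifest.json").read_text())
    documents = {p.name: p.read_bytes() for p in directory.iterdir()
                 if p.is_file() and p.name != "manifest.json"}
    return manifest, documents


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "dpa-archive"
        archive_package(target, SAMPLE_DOCUMENTS, "v3 (2025-04)")
        manifest, docs = load_package(target)
        print("intact:", verify_manifest(manifest, docs))        # []
        # Simulate a silent change to the sub-processor list.
        docs["subprocessors.csv"] += b"NewVendor Inc,analytics,US\n"
        print("after change:", verify_manifest(manifest, docs))  # ['modified: subprocessors.csv']
```

The manifest only proves that the archived files are the ones you hashed; to show when they were captured you still need the timestamp to be trustworthy, so store the manifest in a system with its own audit trail rather than next to the supplier's portal download.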
What happens if I do not have a data processing agreement or if I have an incorrect one?
An inadequate or missing (but required) data processing agreement can have significant consequences for the controller.
First, an infringement of Art. 28 GDPR can be punished with a fine under Art. 83 para. 4 GDPR of up to €10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.
In addition, a violation of Art. 28 GDPR may also lead to claims for damages by the data subject for material and non-material damage against the controller and the processor pursuant to Art. 82 GDPR.
It should be noted that the processor is only liable for damage caused by processing if it has failed to comply with the obligations the GDPR specifically addresses to processors, or has acted outside or contrary to the lawful instructions of the controller (Art. 82(2) sentence 2 GDPR).
Who is liable for fines in the case of data processing?
In principle, both the controller and the processor can be fined. The question is whether the controller can also be fined where it was the processor that processed the data unlawfully.
The Court of Justice of the European Union (CJEU) addressed this in case C-683/21. According to that judgment, the controller remains responsible for processing carried out on its behalf, so a fine may be imposed on it under Art. 83 GDPR where personal data have been processed unlawfully and the processing was carried out by a processor.
This does not apply, however, where the processor has processed personal data for its own purposes, or in a manner incompatible with the framework or modalities of the processing determined by the controller, or in a manner that cannot reasonably be assumed to have been authorised by the controller. For such processing operations the processor is deemed to be a controller under Art. 28 para. 10 GDPR.
Data processing contracts also regularly contain provisions on the allocation or limitation of liability. These clauses often set out who is liable for claims for damages by data subjects, or who will bear the cost of a fine, and to what extent.
Care is needed here: businesses can, in principle, allocate liability contractually in their B2B relationship. But such provisions only apply internally, i.e. between the controller and the processor. Externally, i.e. towards data subjects and the supervisory authority, limitations of liability have no effect. Their sole purpose is to allow one party to take recourse against the other in certain circumstances under the agreed liability regime.
A limitation of liability therefore cannot work to the detriment of a data subject, and a contractual allocation of a fine cannot affect the supervisory authority's enforcement.
Who is responsible for data protection in the case of outsourcing?
Even if data processing activities are outsourced and therefore no longer carried out directly by the controller, this does not relieve the controller of its obligations under data protection law.
In principle, the controller remains responsible for the processing, in particular for its lawfulness, for safeguarding the rights of data subjects and, as a rule, for liability towards data subjects.
Outsourcing therefore does not mean that the controller transfers its data protection obligations to the processor.
What about processors from third countries?
If processors from third countries, i.e. countries outside the EU and the EEA, are engaged, the additional requirements of Art. 44 et seq. GDPR must be observed. Art. 44 GDPR establishes the principle that personal data may only be transferred to a third country if the conditions of Chapter V are met, so that the level of protection guaranteed by the GDPR is not undermined.
According to Art. 45 and 46 GDPR, such a transfer may be based on
- an adequacy decision (Art. 45 GDPR),
- binding corporate rules (BCRs, Art. 46(2)(b) and Art. 47 GDPR),
- standard contractual clauses (Art. 46(2)(c) GDPR) and
- approved codes of conduct (Art. 46(2)(e) GDPR).
A controller that wishes to use a processor from a third country must therefore put one of these instruments in place. In the highly relevant case of US service providers, two variants are of particular importance.
First, the transfer can be based on the adequacy decision for the US, the EU-US Data Privacy Framework (DPF) adopted in July 2023. This requires the service provider to be certified under the DPF and the transfer to fall within the scope of that certification; the certification status can be checked in the public DPF list.
Second, the EU Commission's standard contractual clauses for data transfers to third countries (Implementing Decision (EU) 2021/914) can be used. They are available for transfers to any third country.
The clauses consist of four modules for different transfer constellations (controller to controller, controller to processor, processor to processor and processor to controller). Since the CJEU's Schrems II judgment (C-311/18), a transfer impact assessment is also generally required, in which the legal situation in the third country is evaluated and the technical and organisational measures supplementing the clauses are checked for their adequacy.
Can I simply use a model contract for the data processing agreement?
In principle, a model contract can be used. However, it should be checked thoroughly, in particular whether it reflects the current legal position and the requirements of the supervisory authorities, and whether it is free of unfavourable clauses.
The EU Commission has meanwhile also exercised its power under Art. 28 para. 7 GDPR and published standard contractual clauses for processing on behalf of a controller (Implementing Decision (EU) 2021/915).
However, these standard contractual clauses are limited to the mandatory content of Art. 28 para. 3 GDPR, and the user has to select options for various clauses. For example, a choice must be made as to whether the processor may engage new sub-processors under a general authorisation with a right of objection for the controller, or only with the controller's specific prior consent.
Ultimately, the EU Commission's standard contractual clauses provide a solid framework for a DPA. Nevertheless, the contract should always be adapted to the individual case and reviewed accordingly.
What should you do about processing on behalf?
First of all, DPAs should be reviewed before they are concluded, or drafted professionally from the outset with the help of data protection experts. In the latter case, customer- or contractor-friendly clauses can be built in directly.
In addition, an overview of service providers should be maintained, listing all processors and their processing activities, so that you can react quickly when changes become necessary, e.g. following court rulings or publications by supervisory authorities. Contracts and the other necessary documents should be carefully documented and filed.
How does ISiCO help you with the DPA?
Our data protection experts will review both the data processing agreement and the service provider for you. We check whether the information in the DPA corresponds to the actual circumstances of the processing.
As part of the review, we give you feedback on whether the contract needs to be adapted and, if you wish, we can also negotiate the contract with the service provider.
Of course, we can also draft your own data processing agreement and tailor it to your needs, and we can help you implement a service provider management system, including the necessary documentation.