Are you obligated to sign a DPA? What laws are they based on and how do they work? Data processing agreements are a relatively new type of contract, so it’s not surprising that people still haven’t fully figured them out.
This article is intended to answer all of these questions and provide some background information on DPAs. By the end, you should understand what DPAs are, when they are applicable, what they contain, and why they are important in the modern data processing landscape.
A DPA is a legal document, a signed contract between a data controller and data processor that establishes both parties’ duties and obligations regarding the handling of customers’ personal data for business purposes in accordance with the applicable data protection laws and regulations.
Data processing agreements are sometimes called data processing addendums or data protection agreements, but all three serve the same purpose.
In simpler terms, a DPA is a contract that regulates how user data is collected, stored, processed, accessed, protected, and used. It defines the organizational and technical requirements needed to protect personal data.
The ultimate purpose of a DPA is to protect the personal data of users and, in case of data breaches, hold the relevant companies responsible.
For example, let’s say you run a chain of pharmacies that delivers prescription medication. You decide to upgrade your system by moving your data to the cloud, and you hire a software company that provides cloud services and will build custom software to migrate and store that data.
The data you are storing also includes medical and other personal information of your patients. In this instance, you are the data controller and the software company is the data processor. Depending on the applicable laws in your state, you will likely need to sign a binding DPA with your data processor.
A data processing agreement is a comprehensive agreement that should cover all the obligations and responsibilities of the data controller and data processor. As such, it should include:
Some common clauses that are found in DPAs are:
Again, a DPA is a comprehensive legal contract, so it can include many more clauses than are listed here, depending on the needs of the signatories.
A DPA can also be signed between a data processor and its users (these would be the common ‘contracts’ that most people skim, if that, and agree to when signing up for online websites). While this type of DPA is not the focus of this article, here is what HubSpot’s DPA with its users looks like, as an example.
We can’t talk about data processing agreements without taking a minute to mention the General Data Protection Regulation (GDPR) of the European Union, the most important European data protection law, as this legal act is often considered the main impetus for the spread of DPAs.
This regulation entered into force in 2016 but only became enforceable in 2018. It is one of the toughest security and privacy laws in the world, and it applies to all organizations that collect and process the data of EU citizens.
Thus, for example, if a US, Brazilian, Taiwanese, or Australian company collects and processes the data of people from, let’s say, France, it must comply with the GDPR, regardless of its home country. One of the stipulations of the GDPR is precisely the obligation between data controllers and processors to sign data processing agreements.
If companies do not sign DPAs or are otherwise in breach of the GDPR, they are liable to pay exorbitant fines. We’ve mentioned the GDPR as a model regulation and legal basis that mandates the signing of DPAs, but it’s far from the only one of its kind.
Many laws worldwide obligate the data controller to provide binding instructions for the data processor on how to process data. The wording and the specific requirements of the laws vary, but they all boil down to the same thing – the need to sign a type of DPA.
There are so many laws that we can’t list them all here. So we’ll provide a couple of examples of such laws in the US:
“Imposes an affirmative obligation upon companies to safeguard personal data; to provide clear, understandable, and transparent information to consumers about how their personal data are used; and to strengthen compliance and accountability by requiring data protection assessments in the collection and use of personal data.”
You might have noticed that all three examples we brought up are laws that are coming into effect this year. It’s safe to say that passing such laws is a current trend and that we can expect most states to have similar legislation in the near future.
DPAs are obligatory when the laws of the countries where the company does business require them. But as we’ve mentioned above, you can expect most countries to have such regulations in the next few years, so considering DPAs obligatory in most cases could be a wise move.
Whether or not signing a DPA is a legal obligation in your case, DPAs have benefits even where they are not mandatory. Some of these benefits are:
In short, data processing agreements can be viewed as contracts that enhance the way private data are handled.
Onboarding a software development company is similar to onboarding new staff. The general steps are:
Choosing a software development company heavily depends on the needs of your project, the deadlines, and the budget. Here are the basic steps for selecting a company:
Software development outsourcing is contracting an outside company either to assist with the development of software or to take over the development process entirely.
Outsourcing software development has the following primary benefits:
Based on the relationship the client company and the outsourcing partner will have, there are 3 relationship-based outsourcing models:
Based on the location of the outsourcing partner, there are 3 types of location-based outsourcing models: