The Processors' Agreement (DPA).

What is a processor agreement?

A processor agreement, also known as a Data Processing Agreement (DPA), is a legally binding agreement between a controller and a processor of personal data. This agreement is mandatory under the General Data Protection Regulation (GDPR) When an organization (the controller) has personal data processed by another party (the processor).

The processor agreement establishes the rights and obligations of both parties with respect to the processing of personal data and ensures that personal data are processed in accordance with the applicable data protection law.

When is a processor agreement required?

A processor agreement is required when:

An organization (controller) has personal data processed by an external party (processor)
The processor acts on behalf of and in accordance with the instructions of the controller
It involves personal data as defined in the AVG/GDPR

Practical examples where a processor agreement is required:

A company that hires an outside payroll service
A web shop using a hosting provider
An organization using cloud storage services
A company that hires a marketing agency for email marketing
A physician who has a patient record managed by an outside service provider

Essential elements of a processor agreement

According to Article 28 of the AVG/GDPR, a processor agreement must contain at least the following elements:

1. Subject and duration of processing.

Clear description of processing activities
Specification of the purpose of processing
The term of the agreement
The duration of processing

2. Nature and purpose of processing.

Detailed description of processing activities
The purpose for which the data is processed
The categories of personal data being processed
The categories of data subjects whose data are processed

3. Instructions from the controller

Clear instructions for the processor on how to process the data
Provision that the processor may only act in accordance with these instructions
Procedure for giving additional instructions

4. Confidentiality

Guarantee that persons with access to the data have a duty of confidentiality
Measures to ensure confidentiality
Access restriction to persons who need the data for their work

5. Security measures

Specification of technical and organizational security measures
Procedures for regular testing and evaluation of these measures
Measures to ensure the integrity, availability and resilience of processing systems

6. Subprocessors

Conditions for engaging sub-processors
Procedure for prior consent or objection
Obligation to impose the same data protection obligations on sub-processors

7. Rights of data subjects

Assistance in fulfilling obligations to affected persons
Support for requests for inspection, rectification, erasure or restriction
Procedures for forwarding requests from data subjects.

8. Assistance to the controller

Security compliance support
Assistance in conducting data protection impact assessments (DPIA)
Help with reporting data breaches
Assistance in consulting the supervisory authority

9. Data breach

Procedure for reporting data breaches to the controller
Time frame within which notifications must occur
Information to be provided in the event of a data breach

10. Data deletion or return

Provisions on what happens to data after termination of services
Procedure for securely deleting or returning data
Removal of existing copies

11. Audits and inspections.

Controller's right to conduct audits
Processor's obligation to cooperate with audits
Procedures for conducting inspections.

12. International data transfers

Conditions for transfer of data outside the EEA
Ensuring adequate protection in international transfers
Use of standard contract provisions or other legal mechanisms

Considerations for the controller: how do you draft a DPA for your benefit?

As a controller, you want to maintain maximum control over the processing of personal data and limit your liability risks. How can you draft a processor agreement to your advantage?

1. Include far-reaching audit rights

Include the right to conduct unannounced inspections
Control lower audit costs
Provide for the use of external auditors of your choice
Make sure you have visibility into all relevant documents and systems

2. Strict liability provisions

Limit or eliminate processor liability limitations
Include that the processor is directly liable for violations
Define broad indemnification obligations for the processor
Set higher penalties for breach of contract

3. Enforce detailed security measures

Specify concrete technical and organizational measures rather than general obligations
Require regular security certifications (ISO 27001, SOC 2)
Include the right to demand additional measures at no additional cost
Require penetration testing and vulnerability assessments

4. Strict control over sub-processors

Require prior written consent for each sub-processor
Maintain right to object to sub-processors without justification
Requires processor to assume full liability for sub-processors
Require direct contractual relationships between you and sub-processors

5. Broad incident reporting requirements.

Shorter deadlines for reporting data breaches (e.g., 24 hours)
Comprehensive incident documentation and disclosure requirements
Obligation to cooperate fully in investigating incidents
Ability to direct the processor in handling incidents

7. Extended duty of cooperation at no additional cost

Include that all assistance and cooperation must be provided at no additional cost
Specify concrete support obligations for DPIAs, supervisory investigations and data subject requests
Obligation to proactively advise on compliance issues
Require technical and organizational assistance without limitation in time or scope

6. Expanded termination rights

Broad termination options for non-compliance with the agreement
No notice or fees when terminating after incident
Commitment to free support for migration to other processor
Detailed procedures for data removal or transfer

Considerations for the processor: how do you draft a DPA in your favor?

As a processor, you want to keep your obligations manageable and limit your liability. How can you draft a processor agreement to your advantage?

1. Limit your liability

Include clear limitations of liability (limited to direct damages)
Set a cap on liability (e.g., total fees paid over 12 months)
Excludes liability for indirect damages, consequential damages or loss of profits
Limit fines and damage claims for incidents

2. Flexible arrangements for sub-processors.

Provide general prior authorization for categories of sub-processors
Provide a reasonable objection period (e.g., 30 days) with objective criteria
Limit your control and liability obligations for sub-processors
Provide the ability to charge reasonable fees when changing sub-processors

3. Workable audit provisions.

Limit audits to once a year based on advance notice
Stipulation the right to pass on the cost of excessive audits
Limit access to confidential business information during audits
Suggest using existing audit reports (SOC 2, ISO) as a substitute

4. Reasonable security obligations

Formulate security measures as effort obligations rather than result obligations
Maintain flexibility to adapt security measures to changing circumstances
Provide reasonable fees for additional security measures
Avoid concrete security standards that may not be feasible

5. Realistic incident reporting deadlines.

Formulate reasonable notification deadlines for data breaches (e.g., "without unreasonable delay")
Limit the scope of information to be provided in incidents
Include caveats regarding completeness of incident information
Provide reasonable fees for extensive investigations after incidents

7. Clear cost arrangement for assistance and cooperation.

Specify that additional support will be billed at normal hourly rate
Determine that unreasonable, excessive or frequent requests incur additional costs
Limit the "standard" obligation to cooperate to a reasonable number of hours per month/year
Provide the ability to quote in advance for complex requests
Provide compensation for changes in legislation that require additional work

6. Protection upon termination

Include reasonable notice periods
Provide post-termination transition support benefits
Specify data retention or deletion period
Limit post-termination obligations to what is strictly necessary

Common mistakes with processor agreements

1. Standard agreements without modification

Many organizations use standard agreements without adapting them to the specific processing situation. This can lead to ambiguities and non-compliance with the AVG/GDPR.

2. Insufficient specification of security measures.

Security measures are often described too generally, without concrete specifications. This makes it difficult to check whether the measures are sufficient.

3. Unclear agreements on sub-processors.

Agreements on engaging sub-processors are often vague, making it unclear what procedures should be followed when engaging new sub-processors.

4. Inadequate data breach procedures.

Data breach notification procedures are often incomplete, which can cause delays in reporting a data breach to the supervisory authority.

5. Missing agreements on international transfers

When data is processed outside the EEA, specific safeguards are needed. These are often lacking in processor agreements.

Practical tips for an effective processor agreement

1. Customization is essential

Adapt the agreement to the specific processing situation
Avoid standard texts without concrete interpretation
Make sure all parties understand the agreement

2. Regular evaluation

Evaluate the agreement regularly for timeliness
Adjust the agreement in case of changes in processing
Take into account new legislation or case law

3. Clear contacts

Appoint clear contacts for privacy-related issues
Provide quick lines of communication in case of incidents
Document all communications

4. Verifiable agreements

Make agreements that are verifiable in practice
Specify how compliance is verified
Record how often audits take place

5. Proportionality

Make sure measures are proportionate to the risk
Pay more attention to sensitive data
Distinguish between different categories of data

Cost implications of processor agreements

An often underestimated aspect of processor agreements is the cost implication of the various obligations. Depending on how the agreement is drafted, these costs can vary significantly.

Potential cost items for processors

Implementation of specific technical and organizational measures
Assistance with data subject requests and data breach notifications
Support for data protection impact assessments (DPIAs).
Cost of facilitating and undergoing audits
Administrative costs of maintaining processing records.
Support for transferring or deleting data after termination

Cost control strategies

For data controllers:

Stipulate that all assistance will be provided at no additional cost
Establish that security measures are included in the standard price
Avoiding clauses that allow additional charges for "unreasonable" requests
Specify that future compliance costs will be borne by the processor

For processors:

Clearly define which services are included in the base price
Establish transparent rates for services outside the standard scope
Include conditions for price adjustments when legislation changes
Set reasonable limits on "free" cooperation obligations

Legal support for processor agreements

Drafting, reviewing and negotiating processor agreements requires specific legal expertise in privacy and data protection. Our law firm has extensive experience in:

Drafting customized processor agreements for both controllers and processors
Reviewing offered processor agreements and identifying risks
Negotiating specific provisions, including cost arrangements
Advising on AVG/GDPR compliance and the balance between obligations and costs
Assisting with disputes over processor agreements and cooperation obligations

Conclusion

A properly drafted processor agreement is essential for AVG/GDPR compliance and for a clear delineation of responsibilities between controller and processor. By paying attention to all required elements and through regular review, you can ensure that your organization complies with legal obligations and that personal data is adequately protected.

For personal advice on processor agreements or other privacy issues, please contact our office. Our specialists are ready to assist you with customized solutions that fit your specific situation.

Contact

Recent posts

Is compensation automatically due after a conviction by the European Commission for a cartel violation?

May a seizure regarding counterfeiting continue after patent expiration?

Phishing and bank fraud: when should the bank refund your stolen money?

When is a failed investment actionable scam?

Can you continue to use a trademark for a plant variety after a license expires?

Press freedom vs. reputational damage: How far may investigative journalism go on sensitive social issues?

Breach of contract in long-term service contracts: is a high severance payment always valid?

Topics

Topics

ICT Legal Guide

Contact details

Where to find us

Disclaimers