Software development projects may vary, but the majority of them aim to carry out certain actions with customers' personal data. If there is a need to ask a vendor to work on your project, you will probably need to access to that information. Even if the vendor does not store it, there is a high risk of data leakages or wrong handling.
To protect yourself, you must sign a Data Processing Agreement (DPA) as part of the General Data Protection Regulation (GDPR). This law represents a legal necessity in the European Union and regulates all conditions for the preservation of all details that you will share throughout your collaboration, especially sensitive ones.
You cannot proceed to or delegate data control, processing, or sub-processing activities unless you sign a DPA contract. That’s why it is important to understand how it works and how to fill it in correctly. In this article, I will try to translate legal terms into simple language and share the relevant templates.
What is a DPA?
A Data Processing Agreement is a legal document that is signed to secure personal data that may be shared during working interactions with third parties. It is primarily used by European companies that collaborate with other countries. However, it can also be applied to any business worldwide that deals with information handling.
Purpose of DPA agreement
The ultimate goal is to guarantee a sufficient level of data protection. For example, you can secure processing of non-encrypted data like user names, date of birth, place of residence, email addresses, file activities, login-in attempts, and more.
Such information, which you will outline in your project, is sensitive because it allows a person to be easily identified. To make sure this does not happen, you have to make an agreement.
What aspects DPA data privacy agreement covers:
- the purpose of data handling;
- what information will be handled;
- in what ways it can and can’t be handled;
- how it will be kept secure;
- consequences of violating the terms of the agreement.
What is GDPR?
As mentioned before, the DPA document is a component of the General Data Protection Regulation (GDPR).
It is a European privacy regulation law that came into use in 2018. Since that time, it has obliged EU citizens to defend their data whenever there is a need to share it during collaboration. It is a bigger philosophy to harmonize data protection laws. DPA, in turn, is a physical outcome of it (in electronic or paper format) that is designed for a specific case.
Can you work without a DPA contract?
For the Eurozone, it isn’t just an option, but a legal demand. When you ignore it, you risk paying fines up to $20 million, or 4% of the global revenue (as stated in Article 83).
Who is a data controller and data processor in software development outsourcing
The lexicon of this document includes these two legal terms. What do they mean? As far as it is signed between two parties, these sides accordingly are:
- Data controller.
This is who will share data, often a European resident. In software development, it’s a client. For example, you want to collaborate with a vendor, or you are an EU product owner in search of a team outside the EU.
This side defines the purpose and means of data processing and creates DPA.
- Data processor.
This is a person or business that processes information on behalf of a controller and adheres to all directives. In the case of software development, it can be a contractor, vendor, or any other group of developers who will perform some scope of work.
This side does the job and works in accordance with the agreement.
Let’s take a closer look at the responsibilities of each of the sides.
Signing a DPA agreement as a customer (controller)
Data controller:
- transfers data;
- provides instructions to conduct operations with every piece of data outlined in the project;
- verifies that the document does not go beyond the legal boundaries;
- examines how the processor intends to use the information.
An extremely important point is that the controller is responsible for any data breaches (even if they happened on the side of the processor). As a result, it is critical to prepare a document with clear descriptions and instructions. Get acquainted with Article 24 to read the complete list of responsibilities.
Responsibilities of a service provider (processor)
Even if you are not a controller, but a processor, and decide to outsource your activities, you’ll need to sign the contract and ensure that any other sub-processor in the chain complies with the requirements.
As a processor, you are responsible to:
- provide secure data processing services;
- follow the guidelines outlined in the contract;
- handle data only after signing the agreement;
- notify the controller in case some incident or data breach happens;
- engage the sub-processor only upon the agreement.
As a matter of fact, Article 28 showcases the full list of responsibilities.
What happens after you sign the DPA with your EU customer
Once a DPA legal document is signed, the two parties bear full responsibility for carrying out everything that was agreed upon. Sometimes, controllers may require a processor to pass some certification. However, there is a very slim chance that this will occur because there is no standard GDPR-based certification available yet, and all the available options are overly complicated.
Why is DPA important in outsourcing
Software development companies typically have to outsource projects that involve data processing activities. It can be data collection, storage, disclosure, erasure, and more. Projects that fall under this category are customer management solutions, marketing analytics services, medical software, mailing or advertising services, cloud storage services, and more.
When should it be concluded?
When data controllers decide to outsource certain data processing activities, they must be able to demonstrate that their suppliers and sub-processors also provide sufficient guarantees to act in a GDPR-compliant manner.
Compared to other contracts that are used during software development collaboration with a vendor such as Software Development Statement of Work (SoW), or Request for Proposal (RFP), DPA is a tricky one. It is quite complex because it contains lots of legal issues which may distract you from the main point, which is software development.
Very often DPA is a part of a Non-Disclosure Agreement (NDA), when there is a need to share personal data.
What are the Data Processing Agreement requirements
The content of your paper should correspond to official GDPR DPA regulations. Ideally, all descriptions mentioned in the law must be the main source for writing your own paper. To save your time, I will highlight some key points you should be aware of.
Briefly about the important components of the DPA:
- Description of the data.
The first element to describe is the data itself. Mention every sensitive element of the project that is to be shared. Maybe these are the customer’s names, home addresses, or mobile phones? Do not ignore even the slightest details.
- Description of allowed and forbidden ways of processing data.
How will data be encrypted, accessed, stored, and tested? Can both parties ensure the confidentiality, integrity, and resilience of processing systems and services? If there is a need, dive deeper in to the technical level and mention desired tools or databases.
- Data controller’s area of responsibility.
What actions should be taken by the data controller in the case of unwanted scenarios of data handling? Does the controller need to provide access to the data, or transfer it in a certain format?
- Data processor’s area of responsibility.
Determine the period during which the processor has the right to operate with data. What are the security measures? What actions will the processors perform with information? State all the responsibilities of the side that will work on the project.
Keep in mind that the data controller is responsible for creating the contract and all subsequent meetings that are needed to make it valid.
The content of the DPA data processing agreement should be specific. Everyone should be clear about what is expected. No gaps or room for interpretation. That is why it is critical to define exact roles and responsibilities for both controllers and processors.
Data processor agreement template
Prior to preparing the draft for your paper, review several valid examples of existing contracts. I suggest examples published by well-known enterprises. All of them relate to software development, so that may help you design your own paper more efficiently:
Some examples above use detailed structures, and some present minimalistic definitions. It is up to you to choose the pattern that is the most suitable for your case.
You can also check out the data processor agreement template on the GDPR official website. As an alternative, take a look at our free template that contains all the required elements.
Summing it up
When data is exchanged, a Data Processing Agreement is a must to keep the protection in place. No matter whether you intend to collaborate with a third-party service or you provide such services, this contract must be an essential part of your collaboration. Make sure your paper is conducted in accordance with all the requirements, and both data processors and data controllers are well aware of them.
Do you want to find the right team but get tired because of hiring and administration hassles? Feel free to contact Altigee and discuss your software engineering needs..
With access to a large talent pool and our expertise, we can find a powerful and reliable team as per your needs. As a result, you can focus on more priority tasks.
Let’s build great products together!