GDPR Controller To Controller Data Processing Agreement Template
Introduction
Personal data collected by a data controller may be shared with, or transferred to, another data controller, but only where there is a lawful basis for doing so and the data subjects have been informed. The DPA between two data controllers lays out the agreement on how the personal data will be shared, what it will be used for, how it will be kept safe and how long it will be stored. In short, it documents how every party involved will adhere to the GDPR's requirements.
Scope and Purpose
The DPA between two data controllers focuses on the GDPR statutes, guidelines, and obligations that each data controller has committed to and on how the shared data may be used by both parties. This applies regardless of where either data controller is located, provided at least one of them is established within the EU or the data concerns data subjects in the EU.
A DPA can be signed between many kinds of organizations; each agreement has its own goal, scope of responsibility, and definitions. Since the DPA is a legal contract, it must be written in clear, everyday language and may be requested for review in an audit (both internal and external).
The agreement typically focuses on these key points –
1. Purpose: Outlines the roles and responsibilities of each data controller.
2. Dispute resolution: Describes the flow of escalations and authority of each side of the DPA, in case of non-compliance.
3. Legal: Focuses on the obligations of the data controllers, in particular how each will keep the personal data secure and process it lawfully.
4. Processing scope: Sets the retention period for the personal data, the purposes it may be processed for, and any other limits on the processing.
5. Security measures: Outlines the tools and processes that the data controllers will implement to safeguard the personal data.
6. Notifications: What each data controller must do in case of a data breach, including whom to notify and within what time frame.
7. Audits: The agreement may include provisions allowing the data controllers to audit each other regarding compliance with the GDPR requirements, ensuring accountability and transparency.
Required Fields in the DPA
The agreement should include the following fields –
1. The name and details of the data controller organizations, along with the contact details of each organization's Data Protection Officer (DPO).
2. The purpose of the legal agreement.
3. The responsibilities of each data controller, divided by topic.
Obligations of both Data Controllers
1. Notify each other immediately when a data breach has occurred, notify the supervisory authority within 72 hours of becoming aware of it, and, where the breach is likely to result in a high risk to them, notify the data subjects who may have been affected.
2. Safeguard personal data with appropriate technical and organizational measures, such as pseudonymization or masking, encryption in transit and at rest, access controls, and the protection features offered by the cloud platforms in use.
3. Store the personal data for no longer than is necessary for the agreed purpose.
4. Comply with all GDPR safeguarding requirements and honor data subject rights, including allowing data subjects to access their personal data and to have it corrected or erased on request.
Term Definitions
What is a Data Controller?
An organization or person who determines the purposes and means of processing the personal data collected from data subjects. The data controller does not own the personal data; it decides how the data will be processed and is accountable for protecting it. When two controllers share data under a DPA, each remains responsible for the processing it carries out.
What is a data subject (also known as an end-user)?
Any identified or identifiable natural person whose personal data is processed. On a website this includes, for example, anyone who creates a unique username and uses it to perform tasks and access the features offered on the site, but it also covers visitors and contacts whose data is collected without an account.
What is personal data?
Any information relating to an identified or identifiable natural person. This includes details such as name, phone number, email address, ID number, health records, political opinions, IP address, etc.
What is the processing of personal data?
Any operation performed on personal data, whether or not by automated means. This includes collecting the data, storing it, analyzing it in any way to extract insights, sharing it with another organization, and deleting it once it is no longer required.
What is a DPA (Data Processing Agreement)?
An agreement between two independent organizations, which describes their obligations and rights in terms of processing and guarding the personal data of the data subjects.
What is a data breach?
Any intentional or unintentional security incident that leads to the accidental or unlawful destruction, loss, or alteration of personal data, or to its unauthorized disclosure or access. This covers the viewing, copying, stealing, or altering of personal data by an unauthorized party.
Key Takeaways / Conclusions
1. A DPA goes a long way in detailing the rights and commitments of both parties of the agreement and can assist in resolving any conflict in the future.
2. Serves as a checklist when dealing with a data breach.
3. Demonstrates compliance with the GDPR statutes to auditors (internal and external) and to the supervisory authority.