23.08.2024

Features of Concluding a Personal Data Processing Agreement — a Column by REVERA

The presence of a Data Processing Agreement (DPA) is a mandatory requirement of European legislation today, as well as a requirement under the laws of Brazil and the United Kingdom. Legal experts from the law firm REVERA, Yulia Burmistrova and Ekaterina Yakoltsevich, explained what it is and which aspects deserve particular attention.

Yulia Burmistrova and Ekaterina Yakoltsevich

The most common situations when gaming companies need to enter into a DPA occur when they outsource processes involving personal data processing. Examples include:

  • engaging third-party developers who have access to game users’ personal data;
  • hiring advertising companies that display ads in an app;
  • partnering with companies that send marketing communications to users (about new features in the app, game company news, etc.);
  • assigning a third-party company to process personal data on their behalf.

It's easy to conclude from the above that nearly every company (hereinafter referred to as the “controller”) involves third parties (hereinafter referred to as “processors”) in one way or another for business operations and optimization of certain processes, where these processors handle personal data on behalf of and by instruction from the controller.

Despite the widespread practice, companies often face questions when drafting a DPA about terms that meet GDPR requirements, the form such an agreement should take, and other concerns.

The following text might simplify work related to drafting a DPA.

Why enter into a DPA?

Beyond a DPA being a direct requirement of various laws, there are other reasons why it is necessary.

When organizing personal data processing, the controller defines the main criteria for such processing. This means that the controller is responsible for how such data is used, its confidentiality, and the consequences of any potential data breach incidents.

Therefore, when engaging processors for personal data processing, the controller must ensure they provide adequate guarantees for implementing technical and organizational measures.

Thus, it's in the controller’s interest to conclude a DPA to regulate the processing of personal data by the processor: what the processor can do, what data they receive, and what mandatory data protection measures they must take. Through this, the controller primarily protects itself because if the processor violates personal data processing requirements and a data breach occurs, the controller will also bear responsibility.

What are the consequences of not having a DPA or having one that is incorrectly drafted?

The absence of a DPA is a violation of GDPR requirements. Supervisory authorities are entitled to apply various corrective measures if discovered.

The complete list of corrective measures is provided in Article 58 of the GDPR. Among them are issuing a warning for GDPR non-compliance, a requirement to bring data processing operations in line with data protection requirements, and imposing an administrative fine, which can be substantial for companies.

According to GDPR, a company may face an administrative penalty of up to 10 million euros or 2% of the total worldwide annual turnover from the previous financial year (whichever is greater) for the absence of a DPA.

Several cases and figures:

  • Lazio Region engaged contractors for organizing call center work without a DPA. The Italian supervisory authority fined Lazio Region 75 thousand euros for this violation.
  • Dedalus Biologie SAS, a medical software provider, was fined 1.5 million euros for several violations, including (1) exceeding the controller's instructions (collecting excessive personal data), (2) lacking necessary technical and organizational data protection measures (missing data encryption, etc.), (3) lacking mandatory contractual provisions with clients.
  • Isweb S.p.A., an IT company providing a whistleblowing management system, was fined 40 thousand euros for not regulating its relationship with a hosting provider entrusted with data processing.

In what form should a DPA be concluded?

Depending on the relationship between the controller and the processor, and on differences in the parameters of personal data processing (purpose of processing, duration, list of data, other obligations), the form in which a DPA is concluded may vary. Typically, two forms are used:

  • (1) Written – used when the processor’s personal data processing has specific characteristics.

For example, a company involved in developing and publishing mobile apps engages one contractor for user technical support and another for targeted ad placements. The processing arrangements differ between these contractors, since the main processing criteria vary with the services provided. In this case, it's advisable to conclude a DPA in writing with each specific processor.

  • (2) Public offer – used when personal data processing parameters are the same.

This option is advisable when a company provides the same services to all counterparts, meaning the processing order remains unchanged when concluding a new contract. Thus, signing a separate DPA with each counterpart isn't feasible. A common DPA form can be developed and published on the company’s website, applicable to all clients using their services.

Minimum conditions that must be included in a DPA

Legislation doesn't provide an exhaustive list of conditions that should be included in a DPA. In this case, parties have some freedom in choosing terms during negotiations. However, GDPR does outline a minimum list of conditions and obligations of the parties to be stipulated in a DPA (Article 28 GDPR).

Below, we present a checklist of basic conditions that need to be included in the DPA text.

1. The DPA should describe the following processing details:

  • subject and duration of processing;
  • nature and purpose of processing;
  • type of personal data;
  • categories of data subjects;
  • rights and obligations of the controller.

2. The DPA must provide for the processor's duties to:

  • process personal data only based on the controller's written instructions;

The controller’s instructions may be issued in various forms: via email, CRM systems, or in the DPA text. Provisions of the DPA must clearly show that the controller, not the processor, exercises control over how personal data is processed.

If a processor acts beyond the instructions, they will be considered a controller regarding such processing and will bear responsibility to the subject as a controller.

A common example is when a processor processes personal data after the term set by the controller expires. At such a point, the processor must independently determine the legality of further processing, set parameters, legal basis, etc.

  • ensure that individuals authorized to process personal data are bound by confidentiality obligations;

This obligation should apply to employees and other individuals of the processor who have access to the controller's personal data.

Confidentiality provisions may be enforced through contractual obligations with employees (contractors) or due to legal requirements.

  • ensure adequate information security and technical and organizational measures for personal data protection;

Such measures include encryption, pseudonymization, the ability to ensure continuous confidentiality, integrity, availability, and resilience of processing systems and services, etc. The full list is outlined in Article 32 of the GDPR.

  • comply with sub-processor engagement conditions;

GDPR allows processors to engage other persons (“sub-processors”) for personal data processing. For instance, a company (controller) might engage an advertising organization (processor) for marketing purposes and that organization may further engage another company as a sub-processor for marketing communications.

To engage sub-processors, the following conditions must be fulfilled and included in the DPA:

    • sub-processor engagement is only with the consent or notification of the controller;
    • if based on notification, the controller must have lawful mechanisms to object to a specific sub-processor;
    • a DPA must be in place between the processor and the sub-processor, imposing similar data protection obligations on the sub-processor;
    • the processor bears responsibility to the controller for the sub-processor's compliance with data protection obligations.

  • assist the controller in ensuring rights fulfillment of data subjects;

The DPA should define how the controller and processor interact regarding requests from subjects exercising their rights under GDPR. For instance, a DPA might specify that the processor cannot respond to subjects' requests and must take technical and organizational measures to help the controller address data subject requests.

  • assist the controller in fulfilling obligations laid down in Articles 32-36 of GDPR;

GDPR imposes several obligations on controllers to ensure personal data protection (e.g., notifying subjects and supervisory authorities of data breaches, conducting Data Protection Impact Assessments (DPIA), etc.). The DPA should clearly establish how the processor facilitates the controller's fulfillment of these obligations.

  • cease processing personal data upon expiry of the processing term;

The DPA must stipulate that the processor is obligated to delete or return all personal data to the controller after processing concludes, including the deletion of existing copies.

  • provide the controller with the opportunity to audit compliance with the GDPR and the terms of the DPA.

The DPA must include the processor's obligations to:

    • provide the controller with all necessary information to confirm compliance with Article 28 GDPR obligations;
    • allow and facilitate audits and inspections conducted by the controller or an appointed auditor.

***

The DPA is a key document in setting the framework for controller-processor relationships. Therefore, particular attention should be paid to drafting the DPA.
