- DPAs should follow the wording of Art. 28 GDPR closely so as not to create the impression of intended deviations or open up room for interpretation.
- DPAs must describe the processing, its duration and the security measures concretely and for the whole processing period, including minimum measures and the obligation to keep pace with technical progress.
- Provisions on subcontractors must ensure transparency, a genuine right of veto, direct claims and audit rights for the controller.
Under the GDPR, controllers and processors must conclude an agreement within the meaning of Art. 28 (3) GDPR (data processing agreement, DPA; in German "ADV"). Art. 28 (6) GDPR provides that such an agreement may be based, in whole or in part, on Standard Contractual Clauses (SCCs).
On this basis, the Danish Data Protection Authority submitted draft SCCs of this kind to the European Data Protection Board (EDPB). This is presumably the template document that is available on the authority's website.
Of particular interest are the following comments by the EDPB. Although they relate to the proposed SCCs, they apply equally to individually negotiated DPAs and can be used as arguments in contract negotiations, which are increasingly frequent and demanding in practice.
- Wording: In general, it makes sense to base the wording of the DPA on the wording of Art. 28 GDPR in order to avoid the impression that deviations are intended.
- Duration: The DPA should not be terminable separately from the underlying service agreement for as long as processing continues. In practice, a DPA begins at the latest with the first processing operation and ends at the earliest when that processing ends.
- Data security measures:
  - The security measures to be implemented by the processor must reflect the state of the art at all times, i.e. throughout the duration of the processing, not only when the contract is signed.
  - The DPA should specify the minimum measures in an annex. In practice this is still commonly done, following an earlier provision of the German BDSG; the GDPR itself does not make it mandatory.
- Subcontractors:
  - The DPA should list all pre-approved subcontractors in an annex so that the controller is specifically informed of each change. In practice this is often omitted, at least where all group companies of the processor are approved as subcontractors in a blanket manner.
  - When a new subcontractor is added, the controller must have a genuine choice, which requires, among other things, a reasonable period within which to exercise its right of veto.
  - The EDPB expressly welcomes an obligation on the processor to provide in its subcontracts for direct claims of the controller against the subcontractor, which can become relevant, for example, if the processor becomes insolvent.
  - The controller must have an audit right that it can exercise directly against the subcontractor.
- Support: The DPA should regulate the processor's support obligations specifically. For example, it should state whether the processor merely forwards data subject requests (and if so, within what deadline) or handles them according to the controller's instructions, and whether or not it may communicate directly with data subjects.
- Specification of the processing: As is well known, the DPA must specify the processing by stating its subject matter and duration, the nature and purpose of the processing, the types of personal data concerned and the categories of data subjects. According to the EDPB, this information must be provided "in the most detailed manner possible", separately for each processing operation covered by the DPA.