Most organizations, whether businesses, associations, corporations or institutions, cannot handle all of their processing of personal data in-house. Even seemingly trivial tasks, such as storing data or hosting a website, are outsourced to specialized third parties and often take place in the cloud. Those third parties thus process personal data on another organization's behalf; in GDPR terminology they are "Processors", while the outsourcing party is the "Controller" because, at least in theory, it controls what the Processor does.
To exercise such control, both parties must be bound by a Data Processing Agreement (short: DPA) stipulating the details of the processing and the parties' respective rights and obligations. The requirements for such a DPA and its minimum contents are set out in Art. 28(3) GDPR.
The core contents of a Data Processing Agreement are:
- the Processor must process personal data only on documented instructions from the Controller, unless applicable law requires otherwise;
- all persons authorized to process the personal data on the Processor's side must have committed themselves to confidentiality or be under a statutory obligation of confidentiality;
- any subcontracting of the processing (engaging a sub-processor) requires the Controller's prior written authorization, which may be specific or general;
- appropriate technical and organizational measures (short: TOM) must be implemented to protect the data;
- the Processor must support the Controller in fulfilling its obligations under the GDPR, in particular with regard to the data subjects' rights;
- at the end of the processing, the Processor must delete or return all personal data, at the Controller's choice, unless applicable law requires it to be retained;
- the Controller has the right to audit the data processing, and the Processor must make available all information necessary to demonstrate compliance.
One important thing to note is that data protection must not only happen on paper but in practice. It is therefore important not just to sign a DPA but to execute it like any other important business agreement: check that the agreed TOMs are actually in place, keep track of which sub-processors have been authorized, and make use of the audit right rather than letting it sit unused in the contract.