
What a controller or a processor needs to know…in a nutshell

Data processing agreements (DPAs) are a common feature of contracts for the supply of services, for example often featuring as self-contained schedules to master services agreements (MSAs).

Why are they there?

If the services include, even incidentally, the processing of personal data – and processing covers a multitude of operations such as collection, recording, organisation, structuring, storage, alteration, retrieval, erasure or destruction, and even transfer to third parties – then the controller (the customer, being the person who determines the purposes and means of the processing) is legally required to have a DPA in place with the processor (the service-provider).

What does the law require?

The UK GDPR (which is the UK version of the EU General Data Protection Regulation) requires processors’ activities to be governed by a contract (ie a DPA) and sets out (in Article 28) very specific obligations for processors, including:

  • to process personal data only on documented instructions from the controller, subject to certain very limited exceptions;
  • to impose confidentiality obligations on all processor personnel involved in processing;
  • to abide by the rules regarding appointment of sub-processors;
  • to implement measures to assist the controller in complying with data subjects’ rights;
  • to assist the controller in ensuring compliance with the data security requirements of the UK GDPR (Article 28 requires processors to take all measures required to comply with Article 32 of the UK GDPR which imposes specific data security requirements on controllers and processors – these may include pseudonymisation and encryption of personal data. DPAs will often have an annex setting out security measures specifically required by the controller);
  • at the controller’s choice, to return or destroy the personal data at the end of the contract relationship; and
  • to provide the controller with all information necessary for the controller to demonstrate compliance with the UK GDPR’s obligations relating to engaging processors.

Article 28 also provides that the DPA has to set out certain information, including the subject-matter, duration, nature and purpose of the processing, and the types of personal data processed and categories of data subjects. This information is often set out in an Annex to the DPA and, in the case of many services agreements, may well not change from the start of the contract.

Jon Chapman

Senior Consultant


So if it is a largely standard document, do I need to spend any time reviewing it?

The answer is a very firm yes. Notwithstanding the fact that the DPA must contain prescribed clauses, factors such as the nature and sensitivity of the personal data involved and the nature of the services to be carried out by the service-provider mean that each DPA should be reviewed carefully and tailored as necessary to the particular circumstances of the contractual relationship which it underpins.

From a controller's point of view, given the above factors, it may be necessary to strengthen and add to the requirements set out in Article 28 – for example, by including additional requirements for processor personnel, data security measures and audit rights.

For a processor, unless there is good reason otherwise, the processor obligations in the DPA should be aligned as closely as possible to those set out in Article 28 and should not go materially beyond them.

One issue which often arises is limitation of liability for breach of a DPA (there is often indemnification of the controller by the processor for breach). Typically, the services agreement (eg MSA) in which the DPA is contained will have limitations on the liability of the service-provider in relation to breach. The financial consequences of breach of a DPA by a processor are potentially very significant for a controller – eg the cost of restoring lost data and large fines – so there will often be discussion in negotiations about a “super-limit” for DPA breaches. Whilst the customer will base their approach on the size of potential fines, the processor will be putting forward a risk-based argument based on the nature of the services and of the personal data involved to reduce that “super-limit” to something commercially realistic given the value of the contract (and the possibility of insuring all or part of the risk).

And what if there isn’t an adequate DPA in place?

Without a fit-for-purpose DPA in place, under which each party is fully aware of and compliant with its obligations, there is a material risk of enforcement action by the UK Information Commissioner’s Office and potential criminal liability for either or both of the controller and processor. So it’s definitely worth spending some time and effort on getting it right.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
