Key Message. A Data Processing Agreement (DPA) is a legal agreement for companies that have personal data processed by or for third parties. Concluding a DPA is one of the requirements under data protection law. With a structured approach and the use of a suitable template, the obligation can be fulfilled with a reasonable amount of effort.
In detail
What is a DPA?
An Data Processing Agreement, DPA for short, is a legally binding contractual agreement between a data controller and a data processor. The contract regulates the conditions under which personal data is transferred from a company (the client) to a service provider (the contractor) for processing and how the personal data is processed by the contractor.
According to the Swiss Data Protection Act (DPA) and the European General Data Protection Regulation (GDPR), this contract must contain certain elements, whereby the requirements of the GDPR are much more detailed than those in the DPA.
Who needs it?
Every company that has personal data processed by third parties requires a DPA. This applies, for example, to every company that uses external cloud storage space or SaaS solutions from third parties or outsources personnel administration and other processes in which personal data is processed. Nowadays, (almost) every company is obliged to conclude DPAs for certain areas.
Contractors who process data for their customers are also obliged under the GDPR to conclude the DPA. Under Swiss law, this obligation only applies to the data controller (i.e. the customer of a cloud solution, for example). In practice, however, providers are forced to conclude a DPA because their customers require it.
Most important use cases
Cloud storage space: Companies that use cloud services to store or process personal data must ensure that their cloud providers comply with data protection requirements. To this end, a DPA must be concluded between the customer and the cloud provider. Many cloud providers already offer the DPA in accordance with their standard customer contracts.
SaaS solutions: Providers of Software-as-a-Service (SaaS) solutions must also conclude a DPA if they process data on behalf of their customers.
External trustees: External trustees also process personal data and a DPA between the customer and the trustee is required.
What is the quickest way to create the contract?
A DPA can be created quickly and efficiently if the following steps are followed:
A. As a provider, i.e. data processor:
- Data Map: Create an overview of how data is processed for customers. Especially the following points are essential: Location of data storage, involvement of third-party providers in data processing.
- Use templates: Start with a template that already meets the legal requirements and is provider-friendly. The design can vary greatly depending on whether your company is a data controller or processor.
- Customization to specific needs: Customize the template to the specific circumstances of the company.
- Communication with customers: Experience shows that customers are usually happy when processors offer a fair contract.
B. As a customer, i.e. as a data controller:
- Data Map: Create an overview of which third-party providers process which personal data for your company.
- Communication with the providers: Contact the providers with your request to conclude a DPA. Some will have their own template (some can even be concluded directly online), others will not want to know anything about the topic. Explain that you want to comply with the legal obligations and therefore want to address the issue.
- Use templates: If a provider does not have its own template, start with a template that already meets the legal requirements and is customer-friendly. The design can vary greatly depending on whether your company is a data controller or processor.
- Customization to specific needs: Adapt the template and in particular the provider's template (if possible) to the specific circumstances of your company and in particular the type of data, purpose of processing, etc. Pay particular attention to the topics of storage location and use of subcontractors.
Addition for software companies: Benefits as an element of trust
By implementing a well-structured, legally correct and fair DPA, your software company can not only fulfill the legal requirements, but also strengthen the trust of customers and partners. It shows that the company takes data protection seriously and is willing to invest in the necessary legal and organizational measures to ensure the integrity and security of personal data.
If you would like Lex Futura to assist you with the above steps, you can find our fixed-price product here .