9 January 2023

Data Processing Agreements, when are they necessary?

Data Protection Laws such as the Protection of Personal Information Act (“POPI”) in South Africa or the European Union’s General Data Protection Regulation (“GDPR”) prescribe certain duties that parties who process data must fulfil to ensure their data processing is lawful. However, responsible parties or data controllers may have further requirements that they would like to impose on parties who process data on their behalf (“processors” or “operators”).

Data Processing Agreements (“DPA”) are therefore used to further regulate the relationship between two or more parties in respect of the personal data that they process in addition to an underlying agreement between them.

Who Are the Parties Involved?

A DPA is typically between two or more parties: a responsible party or data controller and a processor or operator. A DPA may also include a sub-processor, depending on the nature of the relationship or the type of processing that the operator will be doing.

When is a DPA Necessary?

A DPA is normally only necessary when a data controller has specific processing requirements over and above those of POPI and/or the GDPR. Data controllers who process large volumes of personal information or very sensitive information may impose extra security and technical requirements on processors or outline the manner of processing in more detail.

A DPA may also be necessary where the contract that forms the basis of the relationship between a controller and processor, for example a service level agreement, does not have any data processing clauses contained within it. The DPA then ensures that all data processing is done lawfully and there are appropriate warranties between the parties to protect them.

Reasons That a DPA Is Important

DPAs regulate the relationship between a controller and a processor. As mentioned above, a DPA contains data processing clauses beyond those that may be contained in the founding contract, or it may itself form the basis of the processing relationship.

DPAs offer controllers the opportunity to outline and prescribe the way a processor must process information for the controller. The controller has the opportunity to list the exact technical and organisational measures which the processor must have in place. A controller may include the right to conduct data audits of the processor’s systems to ensure the required technical and organisational measures are implemented. Unless unlawful, there is no limit to the structure and length of a DPA. Controllers and processors are thus free to outline as many aspects of their processing relationship as they feel necessary.

DPAs offer warranties. Warranties are very important contractual clauses; they are legally binding commitments or statements of fact. Where a warranty is found to be untrue or violated, the other party is afforded the opportunity to claim damages. DPAs contain warranties from both controllers and processors. For controllers, it is very important to have warranties from a processor on many aspects, including:

  • that their processing will be done in accordance with data protection laws and the DPA to ensure that liability for a data breach of the processor’s systems is mitigated as far as possible;
  • that they have the appropriate technical and organisational measures in place; and/or
  • that they will not misuse the personal data shared with them and that all data will be erased once the agreement is terminated.

For processors, a warranty from the controller is important to ensure that the data they are being provided with to process has been provided lawfully and with the consent of the data subject.

DPAs may therefore not always be necessary to lawfully regulate the relationship between a controller and a processor. Parties should consider whether the processing relationship will be more complex or require additional regulation before deciding to jump into a DPA.

– Lauren van der Byl