DPA or no DPA? 5 cases that DO NOT require a data processing agreement
2019-02-12 - Handling sensitive personal data can be a delicate matter. The GDPR defines the areas of responsibility for technical and organizational questions more or less clearly, and it contains several provisions on data processing agreements (DPAs). Those provisions, however, are framed in abstract terms, and applying them in practice can leave certain aspects unclear. Have you ever asked yourself whether your use case requires a DPA or not?
We present five cases that do not require a DPA, even though it may seem so at first glance.
What does a DPA cover?
It is imperative that the contract is concluded before the processing starts. The following fields of work generally do require a DPA:
- Technical data processing services for payroll accounting or financial accounting
Case example: Your company outsources (part of) its financial accounting. The service provider gains access to your customers' personal data.
- Advertising directory processing
Case example: A service provider handles an advertising campaign for you. In the course of the project, they get access to some of your customers' personal data, e.g. postal addresses or e-mail addresses.
- Outsourcing of e-mail management
Case example: Your company opts for external management of its e-mail. This includes responsibility for user requests or contact forms. Personal data is transmitted via e-mail, making it accessible to the service provider.
- Data collection, microfilming or data conversion
Case example: Your company digitizes its archives. For lack of internal capacity, you commission an external service provider. Even though the data handled might not be up to date, a DPA is essential to protect you from legal issues.
- Backup storage
Case example: To avoid loss of data, you commission a service provider to store backups of your data. Since the service provider has access to the stored data, a DPA must be signed. Of course, this also applies to cloud-based backup storage.
- Data carrier disposal
Case example: You want to dispose of old hardware. As the disposal company can in principle access the data saved on the components, a DPA is crucial for compliance with the data protection regulation.
Generally, you need a DPA whenever you rely on the qualifications and resources of third-party expertise to carry out your data processing.
For comprehensive protection, the GDPR (Article 28(3)) clearly defines the mandatory content of any DPA. Numerous aspects have to be covered: the type, duration and purposes of the processing, the scope of the instructions the processor is bound to, and the control rights and obligations of the controller.
Data processing, or no data processing – that is the question
There is a basic distinction between commissioned data processing (processing on behalf of a controller, which requires a DPA) and the use of a third-party professional service. The latter makes a DPA unnecessary, because the service provider decides on the purposes and means of the processing itself and is therefore subject to other rules. The following five cases do not require a DPA, as data protection compliance is ensured even without an additional agreement.
1. Professional groups bound by confidentiality do not need to sign a DPA
Cooperation with professional groups that are bound by professional secrecy does not require a DPA. Even though the service provider may have access to personal data, the confidentiality obligations already in place make a DPA redundant.
Such professions include tax consultants, lawyers and auditors, who handle personal data in the course of their independent professional work. The same applies to external company doctors: their services are third-party professional services that do not call for a DPA, because they are carried out under the doctor's own professional responsibility.
2. Debt collection agencies that take assignments of debt are not affected by the DPA rules
When a debt collection agency takes over a claim by assignment in order to collect an outstanding debt, processing personal data is inevitable: the debtor's data and the amount owed are transmitted to the agency. The agency, however, does not collect the debt on behalf of the original creditor but, as the new creditor, in its own interest. As a result, signing a DPA is not necessary.
3. Providers of matching services do not need a DPA
Operators of portals that bring supply and demand together do not need a DPA. Even though personal data is exchanged, no DPA has to be drawn up in this case, since the portal users themselves commission the portal operator and its professional service; the operator therefore processes the data under its own responsibility, and no additional agreement is required. The same holds true for recruiters who forward candidates' personal data to the respective companies.
4. Clinical studies do not require a DPA
Another scenario that is exempt from data processing agreements is a large-scale clinical drug study organized and conducted by several contributors. In this case, various actors have access to the collected data, which may be used for several different purposes: sponsors, study centers and doctors, for instance, each decide on the processing of the collected data in their respective subfield, so none of them processes it merely on the instructions of another.
5. No DPAs within large groups of companies
In large groups of companies, master data or certain data categories are often managed jointly; this covers operationally relevant objects such as products, suppliers, customers and staff. When multiple companies of a group use this data in parallel for their own business purposes, a DPA is not mandatory. Note, however, that the GDPR grants no general group privilege: if one group company processes data solely on behalf of another and on its instructions, that relationship still requires a DPA.
DPA management with the IITR Compliance Kit
Managing data processing agreements is a complex task that can easily become confusing when approached manually. The IITR Compliance Kit helps you counter this problem: the tool provides you with legally sound contract templates.
In addition, you can store the DPAs you conclude with your various service providers centrally. This helps you keep an overview and ensures that you are well prepared should the supervisory authority audit you.