We all heard several times about GDPR and its implications on our daily business. Sometimes this abbreviation drives us crazy because it brings us more issues than solutions. But it is not always so bad…
Among other things, GDPR brought to our attention so called data processing agreements, or, as they are known in our organization, commissioned data processing agreements (abbreviation “CDPA”). CDPA is here with us for quite a long time, but only after GDPR many people start to focus more on it. CDPA is an agreement between two parties – controller and processor – in which they agree on the details about processing of personal data by processor for controller.
Usually, the controller orders from the processor some business-related services and these require processing of personal data. You can find this set-up when supplier ensures for you IT maintenance services, provides you with HR attendance system, or supports you with CCTV/GPS monitoring. In all these situations, the supplier will have access to and will further process personal data of certain individuals (employees, customers), which are known in our terminology as data subjects. To allow the supplier - processor to process such data, the CDPA is needed. In fact, CDPA is a contract containing information about data processing for concrete purpose, which relates to the service provided by processor.
So far, it sounds easy and everything is clear. Then, where is the problem? Well, where to start… Life is usually not so straight forward as described here. There are many variations in our relations with suppliers, which affect whether CDPA is needed or not. Sometimes we and our suppliers can be two independent controllers using personal data for their own business purposes (applies e.g. for tax or legal services). In other case, we may establish joint controllership with the supplier (applies for services from recruitment agencies, etc.). To make it even more complicated, there is a possibility that for some part of service and of data processing our supplier is the processor and we are the controller, while for the other part our positions are changed and the supplier will be the independent controller. And such situation relates to the same service ordered from one supplier! You want to see such an example? Take Slack…
And there are even more options to explore. Each of them triggers detailed assessment resulting (or not) into conclusion of CDPA. Then, what is the factor determining whether we need CDPA or not? Answer is simple. It is controller-processor relationship. If it is in place, then the parties must conclude CDPA. How can you actually distinguish if someone is controller or processor? It all derives from the magical word “purpose”, under which two questions are hidden. What is the purpose of data processing (why data needs to be processed) and who is defining this purpose (who is saying, why data should be processed)? Purpose definition is an exclusive competence of the controller. Only controller can say, why processor can process certain personal data. If you can dictate the other party why it should process the data, then you are a controller (you bear all liability for data processing) and the other party is processor.
Obviously, there are other aspects of data processing that should be taken into account. For example, scope of data and affected data subjects, method of processing and processing operations, applicable security measures… But these circumstances are less relevant, when it comes to defining role of controller and processor. Anyway, they are important to the CDPA itself. These details should be included in the CDPA, to reflect how personal data is going to be processed.
As you can see, it may be very challenging to understand who is doing what and how, when it comes to data processing. Sometimes even privacy team gets confused. Thus, it is important for us to find out all relevant information about cooperation and data processing activities at the earliest possible stage. The first step will always be to correctly determine the position of the parties. If they are in controller-processor relationship, then the CDPA is needed. In fact, it is MUST CONDITION before any processing activity starts. When preparing CDPA itself, other aspects of data processing should be known. Preparation of CDPA is not always easy and may be time-consuming, yet, it depends only on the knowledge and understanding of data processing activities performed by concrete supplier.