Data Processing Agreement (Drafting)

The GDPR (General Data Protection Regulation) requires data controllers to take measures to ensure the protection of the personal data they handle. If data controllers decide to outsource certain data processing activities, they must be able to demonstrate that their suppliers or other processors also provide sufficient guarantees to protect the data. They too have to be GDPR compliant. One important element of the legislation is the requirement for data controllers to enter into a data processing agreement (DPA) with data processors.

A data processing agreement (DPA) is a legally binding document to be entered into between the controller and the processor in writing or in electronic form. It regulates the particularities of data processing, such as its scope and purpose, as well as the relationship between the controller and the processor. If you are a controller and, as a result of outsourcing, you wish to transfer your data to a third party, for example a cloud provider, you need to sign a DPA with that third party. The GDPR regulates data processing in a broad manner. It says that any operation performed on personal data amounts to processing. For example, the acts of collecting, storing, disclosing or erasing personal data are all considered processing and fall under the GDPR.

 

Features of Data Processing Agreement:

1. Processing only on the documented instructions of the controller.

2. Duty of confidence.

3. Appropriate security measures.

4. Using sub-processors.

5. Data subjects’ rights.

6. Assisting the controller.

7. End-of-contract provisions.

8. Audits and inspections.

Article 28(3) states that the contract (or other legal act) must include the following details about the processing:

1. the subject matter and duration of the processing;

2. the nature and purpose of the processing;

3. the type of personal data and categories of data subject; and

4. the controller’s obligations and rights.

The controller therefore needs to be very clear from the outset about the extent of the processing it is contracting out.

Documents


Passport Photo

Passport photo of all parties.


PAN Card

PAN card of all parties.


Aadhar Card

Aadhar card of all parties.


Utility Bill

Utility bill of Electricity or Telephone.


Address Proof

Valid Address Proof of all the parties.


Licence

Valid Driving Licence of all the parties.


Terms and Conditions

Terms and Conditions between the parties.


Other Documents

Other documents will be intimated through e-mail.

FAQ

A data processing agreement (DPA) is a legally binding document to be entered into between the controller and the processor in writing or in electronic form. It regulates the particularities of data processing, such as its scope and purpose, as well as the relationship between the controller and the processor.

The subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the controller's obligations and rights.

If your organization is subject to the GDPR, you must have a written data processing agreement in place with all your data processors. Yes, a data processing agreement is more annoying paperwork. But it's also one of the most basic steps of GDPR compliance and necessary to avoid GDPR fines.

Data Processing Agreements (DPAs) establish roles and responsibilities for controllers, processors, and sub-processors, and create liability limitations. Essentially, a DPA is a form of assurance that the processor or sub-processor performs their due diligence to ensure the privacy of personal data.

This Data Processing Policy sets out the basis on which any data we collect from or on behalf of you, or that you provide to us, will be processed by us.

A data-sharing agreement is a formal contract that clearly documents what data are being shared and how the data can be used. It also prevents miscommunication on the part of the provider of the data and the agency receiving the data by making certain that any questions about data use are discussed.

The processor, or data processor, is a person or organization that deals with personal data as instructed by a controller, for specific purposes and services offered to the controller that involve personal data processing (remembering that processing can be really many things under the GDPR).