The EU’s General Data Protection Regulation (GDPR), which went into effect last week, drew a lot of attention. Practically any firm that processes the personal data of people in the EU is affected and must make significant organizational and technical efforts to comply. One important part of the regulation is the requirement that data controllers enter into a data processing agreement (DPA) with their data processors.
Last Wednesday, we held a webinar on what a data processing agreement contains and how to sign one with Ordema, to help you prepare for the GDPR. In this blog post we summarize the most significant points of that webinar so that you get a complete picture of what you need to know about a DPA.
What exactly is a DPA?
A data processing agreement (DPA) is a legally binding contract between a controller and a processor, concluded in writing or electronically. It sets out the specifics of the processing, such as its subject matter, scope, purpose and duration, as well as the obligations that govern the controller-processor relationship.
What is the significance of a DPA?
The GDPR requires data controllers to take steps to protect the personal data they handle. If a controller outsources some of its processing, it must be able to show that its processors and their sub-processors are also capable of protecting that data and of acting in a GDPR-compliant manner. The DPA is the document that records those commitments.
When is it necessary to sign a DPA?
If you are a controller and, as part of outsourcing, want to transfer personal data to a third party such as a cloud provider, you must sign a DPA with that third party before the transfer takes place.
Is it necessary for processors to sign a DPA with their sub-processors?
Yes. Even if you are a processor rather than a controller, if you outsource any of your processing you must sign a DPA with each sub-processor and ensure that every sub-processor further down the chain also meets the GDPR’s requirements.
What is the definition of data processing?
The GDPR defines processing of personal data very broadly: any operation performed on personal data counts as processing. Collecting, storing, disclosing and erasing personal data, for example, are all processing operations and fall under the GDPR.
What is the role of a data controller?
The data controller is the person or organization that determines the purposes and means of processing personal data.
What exactly is a data processor?
The data processor is the person or organization that processes personal data on behalf of a controller and only according to the controller’s instructions.
When it comes to signing a DPA, there are a few things to keep in mind.
One of the most crucial aspects of a DPA is whether your processors provide adequate guarantees for the security of the data they receive. Under the GDPR, you remain responsible as the controller even if a data breach occurs on the processor’s side. It is therefore critical to select processors that take adequate technical and organizational measures to reduce the risk of a breach. Processors must also take reasonable steps to mitigate the impact of a breach and notify you of it without undue delay, so that you can meet your own notification deadlines.
Processors may not use your data for anything other than the purposes stated in the DPA and the underlying outsourcing contract. You should therefore check how the processor will use the data you provide: whether it stays within the terms of your contract, or whether the processor intends to use it for its own objectives. Make sure the scope of processing permitted by the DPA does not extend beyond the legal basis on which you originally collected the personal data.
What types of personal data does Ordema handle for you?
Because of our client-side encryption, we cannot access the content our users store with us, and we cannot use the encrypted data to identify anyone. From our standpoint, that content therefore does not qualify as personal data under the GDPR; since only you hold the keys, it remains under your control as the controller. However, to deliver our services we do process some unencrypted data, such as the account details of the users that our business customers manage. For that limited data we act as a data processor. Our DPA therefore covers only this limited personal data we hold about our customers’ users; the content of their files is not covered by it.
With Ordema, who should execute a DPA?
If you have a business subscription with us and the GDPR applies to you, you must execute our DPA. Whether the GDPR applies to you must be answered on a case-by-case basis, with the help of legal advice. As a rule of thumb, if you use Ordema for business purposes and your company, your partners or your staff are based in the EU, you are almost certainly subject to the GDPR.
How do you carry out a DPA with Ordema?
To view billing details and start the DPA signing process, you must be a Subscription Owner. The guide below takes you through each step of the procedure.