As tech evolves, companies are getting better at mining and refining data. As they churn the cream out of heaps of data, that data gets shared across the board: within the company, with third-party companies, and with government bodies or financial institutions. This needs attention as soon as possible when the sharing is not done under the cover of a DPA (Data Processing Agreement).
Countries that are part of the European Union are legally bound to have a DPA, to put security checks in place at multiple levels. So, let’s start unraveling the DPA and the hoopla behind it.
What is a Data Processing Agreement (DPA)?
A DPA is an agreement between parties sharing data among themselves. These parties include different kinds of data controllers, data processors, and data providers.
A Data Processing Agreement covers the complete cycle from data mining to data processing. It also defines how the data is to be processed and who will process it, where the data will be stored, who will be in charge of the data in the various phases of processing, who will be in charge of deleting the stored data, and who is going to receive the processed data.
Article 28 of the EU makes a DPA mandatory for companies that store the personal data of citizens of EU countries.
Essential clauses in a Data Processing Agreement (DPA)
A. Definitions
This is an essential clause of the agreement, as many terms may not be known to the parties. Define every word that you think will need defining under this agreement. Do it alphabetically.
B. Data Subject
When there’s a piece of information that can identify a person, that information is called a data subject. A data subject can be a location number, online sign-in ID, email address, image, interests, and many other directly attached and detached identifying elements.
C. Data Breach
Unauthorized access to data is covered in this clause. It prohibits all signatories from accessing or using the data in any manner not allowed in this agreement or other agreements, from selling the data to any third party, and from altering the data in any manner.
D. Applicability
Parties must pick one rule to process the data and follow that governing instrument from the commencement to the termination of the DPA.
E. Effective Date and termination date
The date from which the DPA comes into force must be mentioned for the sake of clarity.
The date of termination, as per the data processing cycle, also needs to be mentioned, as it ends the right of many parties to access the data and to use it in any manner.
F. Roles and responsibilities of a controller
The party to the DPA that gets access to the data, defines the legal terms for storing the data, and obtains the consent of the data subject to alter/refine/store/evaluate/market/sell it is the Data Controller.
The Data Controller has access to the data at all times. It also oversees the process used to process the data. The Data Controller has a duty to keep the data safe.
G. Roles and responsibilities of a processor
The entity that processes the data as per the terms and regulations selected by the Data Controller is called the Data Processor.
Processors have access to the data, so they are made to sign a Non-Disclosure Agreement. Apart from that, they have to process the data under the MSA regulations to keep the data processing process intact. In case a breach happens, the processor is required to inform the controller within 48 hrs. This addendum is written in GDPR (Art 32).
H. Subprocessing
After receiving a green signal from the Data Controller, the Data Processor can hire Sub Processors. Sub processors can only be hired by a processor based on the notification and approval given by the Controller. The list of sub processors, if any, is required to be provided in the DPA. In case of any objection, the controller has to object within the agreed timelines.
I. Data transfers
When and how data is transferred is required to be mentioned in this clause. This clause makes the path of data processing clear for each entity involved.
J. Deletion and return of data
As per the guidelines laid down under the Master Services Agreement dated January 25, 2022, the Data Controller is mandated to delete and return the data as asked by the data subject.
K. Audits
This clause is included in DPA to put a cross check on the data protection in terms of financial
Parting Words:
Data comes with sanctity, as people share their data with companies with trust that it will not be collected for social engineering, but for the betterment of products and services.
A DPA takes care of the trust that users have bestowed on companies. It makes sure that no party cheats the sanctity of the data.
Data subjects are also given rights to alter the data, to choose whether they want their data to be saved or not, and to get a copy of their data saved with the company. Judicial remedies are also allowed for material as well as non-material damages.
Download the DPA from here: https://legal.hubspot.com/dpa