Do you remember Room 101? It was a BBC television show that ran from 1994 to 2018 in which celebrities nominated three of their pet hates to be consigned to Room 101 (i.e., the torture room in Nineteen Eighty-Four), hosted by a series of increasingly insufferable 'comedians': Nick Hancock, Paul Merton and Frank Skinner.
I don’t recall any in-house lawyers taking part – but I’d bet that a common gripe would be the negotiation of the data processing agreements that regularly cross their desks. DPAs serve an important purpose. They set out the obligations and rights of the parties that process personal data, and help to focus their minds on the expectations for the future relationship. A little bit like a pre-nup: the final hurdle before a long and happy life together (that’s how it was sold to me, at least).
What can make DPA negotiations painful – although, for data protection tragics, also interesting – is that whilst Article 28 of the GDPR sets out the basic requirements to be included in the contract, that’s only the baseline. Much of the work involves negotiating within those requirements, as well as the commercials on which Article 28 is silent. Needless to say, no two companies take the same approach to these negotiations – making life time-consuming, and often frustrating, for in-house lawyers when getting DPAs over the line.
The EDPB’s recently released guidance on controllers and processors is useful reading for counsel at both types of organisation. The guidance also covers the allocation of those roles (still an often misunderstood aspect of GDPR compliance), but this post focuses on the EDPB’s insights into the Article 28 contracting process. I found the following nuggets helpful – and hopefully you might too:
- The guarantees by the processor to implement appropriate technical and organisational measures are only those that it can demonstrate to the satisfaction of the controller. The EDPB refers to the provision of documentation including records of processing activities and reports of external data protection audits. Controllers: do you request this information from each processor? All the time? Sometimes? Never?
- The controller and processor are both responsible for ensuring that a DPA is in place. Processors (particularly those based outside Europe): have you been keeping schtum if your EU or UK controller clients don’t raise the issue?
- The relationship between controllers and processors leaves room for negotiation. Where one party is in a weaker commercial position, the EDPB suggests that the EU Commission’s new SCCs containing Article 28 terms may be used to rebalance the negotiating position.
- The DPA should not simply restate the provisions of the GDPR, but must include specific information about how the processing will be conducted. We’ve all seen DPAs that are entirely disproportionate to the risks of processing – and the EDPB warns against boiling the ocean for low-risk processing activities. If anything, that’s only going to increase the likelihood of protracted negotiations, which isn’t in anyone’s interest.
- It may be appropriate for the parties to specify the timeframe in which the processor must notify the controller of personal data breaches. Disagreements over the timing of notifications are commonplace, so there’s something to be said for setting this out upfront. Controllers will no doubt welcome this recommendation; processors perhaps less so.
- Notably, the EDPB discusses costs – again, a common point of negotiation – only in relation to audits, cautioning against imposing disproportionate or excessive costs that have a dissuasive effect on the parties. Whilst guidance on the wider issue of costs would have been helpful, this is always likely to remain an issue for the parties.
There’s lots more in the guidance besides, so it’s well worth digging into the document if you have a spare moment (what’s a spare moment, you say?). Or maybe you send the guidance, and all past, future and current DPAs, directly to Room 101. I’m not going to do that, as I need room for personalised licence plates, slow walkers and Frank Skinner.
From the guidance itself: “The GDPR lists the elements that have to be set out in the processing agreement. The processing agreement should not, however, merely restate the provisions of the GDPR; rather, it should include more specific, concrete information as to how the requirements will be met and which level of security is required for the personal data processing that is the object of the processing agreement.”