The presence of a Data Processing Agreement (DPA) is currently a mandatory requirement under European law, as well as the laws of Brazil and the United Kingdom. Experts from the law firm REVERA, Julia Burmistrova and Ekaterina Yakoltsevich, explained what it is and what aspects should be considered within it.

Julia Burmistrova and Ekaterina Yakoltsevich

The most common instances where gaming companies need to enter into a DPA are when they outsource processes involving personal data processing. For example, when they:

  • engage external developers who have access to users' personal data;
  • employ advertising companies to display ads within an app;
  • hire companies to send marketing emails to users (such as updates on new content or company news);
  • entrust the processing of personal data to a third-party company on their behalf.

Based on the above, it is easy to conclude that almost every company (hereafter referred to as the "controller") engages third parties (hereafter referred to as "processors") in some capacity to conduct business and optimize specific processes, which involves the processing of personal data on behalf of, and according to the instructions of, the controller.

Despite how common this practice is, when drafting the text of a DPA companies often face questions about which terms sufficiently meet GDPR requirements, what form the agreement should take, and other related issues.

Below is guidance that may simplify the work of drafting a DPA.

Why Enter into a DPA?

In addition to a DPA being a direct legal requirement in several jurisdictions, there are other reasons for its necessity.

The controller defines the parameters of the personal data processing, meaning the controller is responsible for how that processing is carried out, for its confidentiality, and for any incidents involving data breaches.

This is precisely why, when involving processors in personal data processing, the controller must ensure that they provide adequate guarantees that appropriate technical and organizational measures will be implemented.

Thus, it is in the controller's best interest to enter into a DPA that regulates the types of processing, what the processor may do, what data the processor receives, and what mandatory data protection measures it must take. By doing so, the controller primarily protects itself: if the processor violates personal data processing requirements and this results in a breach of the data subjects' personal data, the controller will also be liable to those data subjects.

What Are the Consequences of Not Having or Incorrectly Drafting a DPA?

The absence of a DPA is a violation of GDPR requirements. Once such a violation is identified, supervisory authorities may apply various corrective measures.

The full list of corrective measures is set out in Article 58 of the GDPR. Among them are issuing warnings for violations, requiring processing operations to be brought into conformity with personal data protection standards, and imposing administrative fines, which can be substantial for companies.

According to the GDPR, for the absence of a DPA, a company could face an administrative fine of up to 10 million euros or up to 2% of the total worldwide annual turnover of the preceding fiscal year (whichever is higher).

Here are several cases and figures:

  • Lazio Region engaged contractors for call center operations without a DPA. The Italian supervisory authority fined Lazio Region 75,000 euros for this violation.
  • Dedalus Biologie SAS, a software provider for medical analysis labs, was fined 1.5 million euros for various infringements, including (1) acting beyond the controller's instructions (collecting excessive personal data), (2) lacking all necessary technical and organizational protection measures (such as data encryption), and (3) contractual documentation with clients that lacked the mandatory clauses.
  • Isweb S.p.A., an IT company and provider of whistleblowing management systems, was fined 40,000 euros for not regulating its relationship with a hosting provider tasked with data processing.

In What Form Should a DPA Be Concluded?

Depending on how the relationship between the controller and processor is structured, and whether the parameters (purpose, terms, data list, and other obligations) of personal data processing differ, the form of the DPA can vary. Two main forms for the conclusion of a DPA are commonly used:

  • (1) Written – used when the processor's data processing has any specific features.

For instance, a company developing and publishing mobile apps engages one contractor for customer support and another for targeted advertising. Data processing arrangements differ for each contractor, as fundamental data processing criteria will vary based on the services provided. In this case, it makes sense to conclude a DPA in written form with each specific processor.

  • (2) Public Offer – used when personal data processing parameters are identical.

This option is practical when a company provides the same services to all counterparties. The data processing arrangement does not change when a new contract is signed, so signing a separate DPA with each counterparty is impractical. Instead, a company can develop a general DPA template and post it on its website, where it will apply to all counterparties using its services.

Minimum Conditions That Must Be Included in a DPA

The legislation does not provide a comprehensive list of conditions to be included in a DPA. Therefore, the parties have a degree of flexibility when deciding on the terms. However, the GDPR does set out a minimum list of conditions and responsibilities that must be included in a DPA (Article 28 GDPR).

Below is a checklist of basic conditions to include in a DPA.

1. The DPA must include a description of the following processing details:

  • the subject and duration of the processing;
  • the nature and purpose of the processing;
  • type of personal data;
  • categories of data subjects;
  • rights and obligations of the controller.

2. The DPA must specify the processor's obligations:

  • Process personal data only based on the controller’s written instructions;

The controller's instructions can be formalized through various means: email, CRM systems, or within the DPA text. The DPA must make it clear that it is the controller, not the processor, that dictates how personal data is processed.

If the processor exceeds those instructions, it will be considered a controller with respect to that processing and will be liable to the subject as a controller.

One common example of a processor exceeding the controller's instructions is continuing to process personal data after the deadline set by the controller has expired. Once that deadline has passed, the processor would itself have to determine the legality of any further processing, set the processing parameters, justify the legal basis, and so on, all of which are controller functions.

  • Ensure persons authorized to process personal data are bound by confidentiality obligations;

This obligation must extend to the processor’s employees and other persons who have access to the controller's personal data.

The confidentiality obligation may stem from contractual obligations with employees or contractors, or from legal requirements.

  • Provide adequate information security, technical, and organizational measures to protect personal data;

Such measures include encryption and pseudonymization, the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, and others. A complete list is outlined in Article 32 of the GDPR.

  • Comply with the conditions for engaging sub-processors;

The GDPR allows processors to engage other entities ("sub-processors") for personal data processing tasks. For example, to promote an application (ad campaigns and marketing emails to users), a company (the controller) enlists an advertising firm and transfers user data to it (the processor); this advertising firm may in turn involve another company to send the marketing emails, and that company then acts as a sub-processor under the GDPR definition.

For engaging sub-processors, the following conditions must be included and observed in the DPA:

    • Engagement of the sub-processor only with the controller’s consent or notification;
    • If the sub-processor is engaged based on notification, the controller must have legal mechanisms to object to engaging any particular sub-processor;
    • A DPA must be concluded between the processor and the sub-processor, imposing similar data protection obligations on the sub-processor as those on the processor;
    • The processor is responsible to the controller for the sub-processor’s compliance with data protection obligations.

  • Assist the controller in fulfilling data subject rights;

The DPA should set out the procedure for interaction between the controller and the processor when handling data subjects' requests to exercise their rights under the GDPR. For example, the DPA might state that the processor cannot respond to data subject requests on its own, and may oblige the processor to implement technical and organizational measures that help the controller respond to such requests.

  • Assist the controller in fulfilling obligations specified in Articles 32-36 of the GDPR;

The GDPR imposes several obligations on the controller regarding personal data protection (e.g., notifying data subjects and regulatory authorities of data breaches, conducting Data Protection Impact Assessments (DPIA), etc.). The DPA must clearly state how the processor should assist the controller in fulfilling these obligations.

  • Cease processing personal data upon completion of processing;

The DPA must include a condition that requires the processor to delete or return all personal data to the controller after the processing term concludes and to delete existing copies.

  • Provide the controller the opportunity to audit compliance with GDPR and DPA conditions.

A DPA must contain the following processor obligations:

    • The obligation to provide the controller with all necessary information to demonstrate compliance with the obligations outlined in Article 28 of the GDPR;
    • The obligation to allow and facilitate audits and inspections conducted by the controller or by an auditor appointed by the controller.

***

The DPA is a crucial document for establishing the framework of relationships between controllers and processors. Therefore, due attention should be given to drafting it.
