Characteristics of Data Processing Agreements
Unlike General Data Protection Regulation (EU) 2016/679 (“GDPR”), Turkish Personal Data Protection Law no. 6698 (“KVKK”) does not stipulate DPAs. Nevertheless, KVKK does not require execution of DPAs, provided that GDPR has extraterritorial jurisdiction and Turkish Data Protection Authority has been adapting its own rules and procedures in parallel with GDPR, we examined DPAs under the light of the opinion published by European Data Protection Board (“EDPB”) to address key points both for Turkish and foreign companies which may need to comply with GDPR’s DPA requirements.
Recently, the Danish Data Protection Agency (“Datatilsynet”) submitted its standard contractual clause (“Draft DPA”) to the EDPB requesting an opinion to ensure its compliance with GDPR’s relevant provisions. Upon the request, the EDPB released the opinion numbered 14/2019 regarding its guidelines and comments on the Draft DPA on July 9, 2019. We summarized GDPR’s mandatory provisions regarding DPAs and the EDPB’s comments on the Draft DPA below.
DPA Provisions under GDPR
In the context of the relationship between a data controller and a data processor for the processing of personal data, GDPR provides, in its Article 28, a set of provisions with respect to DPAs between the parties involved and mandatory terms or clauses that should be incorporated therein.
Pursuant to Article 28(3) of GDPR the purpose, nature of processing activities carried on behalf of the data controller, as well as the type of data processed, categories of the data subjects and the duration of the processing must be described in detail in DPAs. Additionally, such DPAs must include some specific requirements and obligations for data processors regarding authorized persons, audits, cooperation with the data controller pursuant to Article 28(3).
GDPR Compliant Terminology
The EDPB highlights many times in its opinion on the Draft DPA that, the same wording as in GDPR should be used in DPAs and same terminology should be used consistently in the full text to avoid any kind of confusion. The EDPB also recommends in its opinion that, references should be made to the relevant parts of GDPR but especially to Article 28(3) to constitute the clarity.
Role of the Data Processor Regarding Data Subject’s Requests
Furthermore, EDPB states that certain steps for the data processor to follow where a data subject’s request is received must be pointed in DPAs. These steps may change due to the nature of data processing or intentions of the parties. While in some cases only technical support of the data processor is enough to fulfill requests of data subjects, in other cases data controllers may prefer data processors to directly respond to these requests based on data controllers’ instructions. Regardless of which type of support is required, the role of the data processor regarding data subject’s requests has to be precisely stated by providing specific time period to inform the data controller or directly respond to such requests in DPAs.
Unlawful Instructions of the Data Controller
In the Draft DPA it is stipulated that data processor must inform data controller in case of any unlawful instruction. However, as per the recommendation of the EDPB, informing obligation and consequences of unlawful instructions and possible solutions of such consequences should be stipulated in DPAs. The EDPB also highlights that even though additional instructions can be made throughout the duration of contractual relationship, such instructions shall always be documented.
The Authorized Persons
To ensure personal data is shared with relevant parties on “need-to-know” basis, only specifically designated persons should be authorized to process personal data. Therefore, the EDPB also underlines the necessity to keep the status of authorized persons under review and also the need of clarification on the matter that who is giving the authorization to such persons. Furthermore, these authorized persons do not have to be employed directly by the data processor during all data processing process. Therefore, the EDPB underlines that under the terms of DPAs the data processor must grant access to persons for the purpose processing the personal data under its authority on behalf of the data controller only on a need to know basis.
The Data Controller Proved Sub-processing
Sub-processors are one of the essential elements of data processing patterns and DPAs. According to Article 28(2) of GDPR, a data processor shall not engage another processor without prior specific or general written authorization of the data controller. In the case of general written authorization of the data controller, the data processor shall inform the data controller of any intended changes concerning the addition or replacement of other processors, thereby giving the data controller the opportunity to object to such changes. Pursuant to GDPR, the EDPB underlines the importance of such provisions regarding sub-processing and recommends that DPAs should include a period of objection for the data controller which commences on the date of the written regarding such intended changes.
Moreover, the EDPB indicates that even it is not required under GDPR, it can be stipulated in DPAs that data controller’s right as a third party beneficiary shall be stipulated under the contract between the data processor and the sub-processor to make sure that the data controller is entitled to request the return or erasure of the personal data from sub-processor. Such provisions will amplify the control of data controller over the personal data.
Even though the Draft DPA has not been finalized, it is a great source and guide on how to draft a DPA which includes various aspects regarding personal data processing. It foresees different provisions for different scenarios and gives examples about how to ensure the compliance of the documents concerning personal data processing with the opinions of the EDPB and GDPR.
Author: Aslı Naz Ünlü