Ping Identity Corporation
University of Nice-Sophia Antipolis
Putting in place a data processing agreement between a data controller and a data processor (or a data processor and a data sub-processor) is a requirement for data processed within the scope of GDPR. This document, which is a proper contract between the two parties, aims to ensure that everyone involved is handling personal data in accordance with GDPR's stipulations and in line with the rules pre-established by the parties. Most importantly, it lays down requirements for data processors to meet before they are trusted with the data provided by the data controller. The data controller and the data processor are, however, often driven by divergent interests when establishing such a document. The main challenges relate to: responsibility for determining the scope and types of data processed; obligations to assist and cooperate; liability for implementation of adequate security measures and for security incidents; exercising data subjects' rights; questions relating to data residency and international data transfers; use of sub-processors; timeframe for notification obligations, etc.
The article offers a practical perspective on how these different issues are addressed by the business and what arguments can be raised by each party when discussing various aspects of the data processing.