A Data Protection Agreement is necessary when an organisation allows any third party to access or process personal data. This includes storage of files in the cloud, the use of work management systems, marketing or bulk-email software, as well as any situation where you allow access to an individual’s personal data by anyone outside of your organisation. If you are sharing personal data, it is your obligation to ensure that there is a DPA in place.
At its simplest, the DPA must contain the following elements:
- The third party agrees to process personal data only on your written instructions.
- The third party agrees that every individual with access to the data will treat it confidentially.
- All appropriate technical and organisational measures will be used to protect the security of the data.
- The third party will not subcontract to another processor unless instructed to do so in writing by you (in which case another DPA will need to be signed).
- The third party will help you uphold your obligations under data protection law.
- The third party will help you maintain GDPR compliance with regard to security of processing and consulting with the data protection commissioner as appropriate.
- The third party will allow you to conduct an audit and will provide whatever information is necessary to prove compliance with data protection law.
- The third party agrees to erase all personal data upon the termination of the agreement or to return the data to you.
The DPA is an important document to consider prior to availing of any third party services. Failure to have a DPA in place is a breach of GDPR and can lead to fines by the DPC and liability for damages.
This article is for information purposes only, and is not intended to be relied upon as legal advice. Fitzsimons Redmond will be happy to tailor advice and draft DPAs to suit the needs of your organisation. You can contact us on 01 6763257.
By Lisa Quinn O’Flaherty
Solicitor at Fitzsimons Redmond