Data Processing Agreement

As per Article 28 (3) of the GDPR processing shall be governed by a contract or any other legal act that is binding on the processor with regard to the controller. The said contract can be drafted by including the provisions of the GDPR under the various clauses discussed hereunder:

(a) Introductory clause

This clause shall specify the controller(s) and the processor(s) who are executing the contract and it shall further specify that the contract is binding on the processor with regard to the controller and the processing shall be done in accordance with terms of the contract.

(b) Subject matter, duration, purpose of the processing

This clause shall specify the type of personal data (e.g. personal data of a consumer who is buying air tickets from a website) and the category of data subject (e.g. a customer in this case). The purpose of the processing (e.g. processing data for the purpose of offering the best price on air tickets) and the duration of such processing shall also be specified.

(c) Obligations of the processor

(i) Obligation of processor w.r.t. processing of personal data and transfer of data to a third country: The processor shall process the personal data and transfer the personal data to a third country only on written instructions from the controller. In case the processor is obliged by Union or Member State law to process data or transfer the same to a third country, then the controller shall be informed of such obligation unless prohibited by such law.

(ii) Obligation of processor w.r.t. implementing technical and organizational measures: The processor shall implement technical and organizational measures to ensure a level of security appropriate to the risk, including measures like pseudonymization, encryption of personal data, and confidentiality, integrity, availability and resilience of processing systems and services. The processor shall have the appropriate measures for accessibility and availability of personal data in case of any breach or incident. (Compliance with this clause may be shown by adhering to an approved code of conduct or an approved certification mechanism.) If the processor is showing compliance through an approved code of conduct or an approved certification mechanism, then it will be the liability of the processor to show adherence with the same.

(iii) Obligation of processor w.r.t. appointing a sub-processor: This clause shall specify the written authorization as to the manner in which the processor may engage a sub-processor. The processor is also obliged to inform the controller of the proposed change, and the processor will be liable to ensure that the sub-processor adheres to the terms of the data processing agreement executed between the controller and the processor.

(iv) Obligation of processor w.r.t. the personnel authorized to process the personal data: The processor must ensure that the authorized personnel have committed themselves to confidentiality (this can be ensured by execution of non-disclosure agreements between the processor and the authorized personnel). The processor shall also inform the authorized personnel of the sensitive nature of the personal data and the security procedures applicable to processing of such data.

(v) Obligation of processor w.r.t. assisting the controller to show compliance with this regulation: The processor shall assist the controller in fulfillment of the controller's obligations mentioned in Chapter 3 of the GDPR. This clause may prescribe the timeline and the manner in which the processor will assist the controller during the fulfillment of various duties. This clause shall also specify the processor's liability to assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36, taking into account the nature of processing and the information available to the processor.

(vi) Obligation of processor w.r.t. furnishing information to the controller: The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

(vii) Obligation of processor w.r.t. cooperation with the supervisory authority: The processor and, where applicable, its representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.

(viii) Obligation of processor to keep a record of processing activity: The processor shall keep a record of all the processing activity carried out by it. Such record shall contain details of the controller, the categories of processing carried out on behalf of each controller, details of transfers of personal data to a third country or an international organization, and a general description of the technical and organisational security measures adopted by it.

(ix) Obligation of the processor to delete or return data: The processor shall, at the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data.

(d) Obligations of the Controller

(i) Obligation of controller to keep a record of processing activity: The controller shall keep a record of all the processing activity carried out by the processor on its behalf. Such record shall contain details of the Data Protection Officer, the purpose of processing, a description of the categories of data subjects and of the categories of personal data, the categories of recipients to whom the personal data have been or will be disclosed, and details of transfers of personal data to a third country or an international organization.

(ii) Obligation of controller w.r.t. cooperation with the supervisory authority: The controller and, where applicable, its representative, shall cooperate, on request, with the supervisory authority in the performance of its tasks.

(iii) Notification of data breach: The controller shall notify the data breach to the supervisory authority and data subjects in terms of Article 33 and Article 34 of the GDPR.

More articles by Satyaarth Balajee Sinha
