Jusletter IT

Do You Need a Data Protection Agreement?

  • Author: Daniel Ronzani
  • Category of articles: TechLawNews by Ronzani Schlauri Attorneys
  • Region: Switzerland
  • Field of law: Data Protection
  • Citation: Daniel Ronzani, Do You Need a Data Protection Agreement?, in: Jusletter IT 5 December 2019
[1]

Whenever personal data is handed over to another party that then processes it, you need to determine whether a data protection agreement (DPA) pursuant to art. 28 GDPR¹ is required or not.

[2]

GDPR distinguishes between data controllers and data processors. A data controller is a party that, alone or jointly with others, determines the purposes and means of the processing of personal data (art. 4 (7) GDPR). The controller remains responsible towards the data subject for the processing. By contrast, a data processor is a party that processes personal data on behalf of the controller (art. 4 (8) GDPR).

[3]

The processing relationship between controller and processor must be governed by a contract (the DPA) in writing, including in electronic form (art. 28 (3) and (9) GDPR). Among other things, the DPA must bind the processor to process the personal data only on the controller's documented instructions and to implement appropriate technical and organisational measures to secure the processing.

[4]

The Bavarian State Office for Data Protection Supervision (LDA)² issued a leaflet³ with examples to help determine whether a DPA is needed or not. The leaflet distinguishes three categories of data processing. Unfortunately, the examples are partly confusing.

1) Data processing by a processor. This category falls within art. 28 GDPR and requires a DPA. The processor acts on behalf of the providing party (the controller). Selected examples are:⁴

  • Outsourcing of payroll accounting;
  • Cloud computing without content access. This example is not quite clear: if the provider has no access to the content, why is it data processing (compare the last bullet of this category)?
  • Call center services without significant decision making. The call center only executes instructions;
  • Data entry or document scanning;
  • Backup storage and other archiving;
  • (Remote) maintenance services of data processing systems (with access to data).

2) No data processing (by a processor) because the commission focuses on external professional services. This category requires no DPA because the receiving party qualifies as an independent controller (not a joint controller). The receiving party may use the personal data as it sees fit to perform the service. Selected examples are:⁵

  • Professionals bound by professional secrecy (e.g. attorneys, doctors);
  • Banking and postal services;
  • Flower shops and wine dealers who receive a list of addresses for the delivery of goods. In this example it seems unclear why the dealer should qualify as controller: the dealer is not permitted to use the list for subsequent deliveries unless instructed to do so. This example should probably fall under category 1, above;
  • Employment agency;
  • Provider of online broker services;
  • Medical labs or manufacturers of medical products. In this example, too, it seems unclear why the medical lab, which receives blood samples from the referring doctor, should qualify as controller. This example should probably fall under category 1, above.

3) No data processing (by a processor) because the commission focuses mainly on activities other than data processing (scope of mandate). This category actually appears to qualify as data processing requiring a DPA. However, the LDA suggests not qualifying it as processing under art. 28 GDPR.⁶ Selected examples are:

  • Craftsmen who receive the necessary tenant information to execute a repair;
  • Passenger transport, ambulance services;
  • Cleaning services or cleaning of work clothes with name tags;
  • Printing of brochures and catalogues;
  • Courier/dispatch services or newspaper delivery;
  • Text translations.

[5]

On occasion it might be better to be safe than sorry. However, it is not advisable to sign a DPA merely because personal data is transferred to a receiving party. The relationship must be evaluated by the scope and means of the processing, not by the label the parties attach to it.

Daniel Ronzani

  1. Regulation (EU) 2016/679, tinyurl.com/yxp53ynx.
  2. tinyurl.com/rpdk3m8.
  3. Bayerisches Landesamt für Datenschutzaufsicht, FAQ zur DS-GVO, Abgrenzung Auftragsverarbeitung (Auslegungshilfe) [FAQ on the GDPR, Delimitation of Processing on Behalf of a Controller (Interpretation Aid)], 15.5.2019, page 1, tinyurl.com/yyyllkt8.
  4. Ibid., page 1.
  5. Ibid., page 2.
  6. Ibid., page 3.