A DPA serves as a legal contract between Roseman Labs and our customers, ensuring that data processing activities adhere to applicable data protection laws and regulations.
In this article, we will explore the importance of establishing a robust Data Processing Agreement (DPA) when using Roseman Labs for data processing.
What is a DPA?
A Data Processing Agreement (DPA) is a legally binding contract or agreement between a data controller and a data processor. It defines the terms and conditions under which the data processor processes personal data on behalf of the data controller.
The objective of a DPA is to outline the roles, responsibilities, and obligations of both parties to ensure compliance with applicable data protection laws and regulations.
What are the primary roles that should be outlined in a Data Processing Agreement (DPA)?
The data controller and data processor are key roles defined under the General Data Protection Regulation (GDPR). Here are their definitions:
1. Data Controller: A data controller is an entity or individual that determines the purposes and means of processing personal data. They have the ultimate decision-making authority over how and why personal data is processed. The data controller is responsible for ensuring compliance with applicable data protection laws, safeguarding data subjects' rights, and implementing appropriate security measures.
2. Data Processor: A data processor is an entity or individual that processes personal data on behalf of the data controller. They act under the authority and instructions of the data controller and do not make independent decisions regarding the data processing. Data processors must adhere to the contractual obligations and instructions provided by the data controller. They are responsible for implementing appropriate security measures and ensuring the confidentiality and integrity of the data they process.
What is a Joint Controllership Agreement?
A Joint Controllership Agreement (JCA) is an agreement between parties participating in a collaborative partnership, in which the parties act as joint controllers within the meaning of the GDPR.
Article 26 of the GDPR states: “Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations […]”
Among other things, a JCA defines the joint responsibilities related to:
- Protection of the rights of data subjects
- Interacting with regulatory bodies
- Reporting incidents and data breaches
- Confidentiality
- Information security
What are important things to keep in mind when conducting a compliance review of an MPC solution?
We are currently in the process of developing a short training video that will offer tips to enhance your compliance journey.
Stay tuned for updates!
Where can I find templates for a DPA or JCA?
A DPA template from GDPR.eu is available here: https://gdpr.eu/wp-content/uploads/2019/01/Data-Processing-Agreement-Template.pdf
A Dutch Joint Controllership Agreement template from SURF.nl is available here: https://www.surf.nl/files/2019-11/model-joint-controllership-agreement.pdf
Templates that we use to support our clients are available upon request.