Data Processing Agreements
A Data Processing Agreement (DPA) is a legally binding contract required under the General Data Protection Regulation (GDPR), specifically outlined in Article 28, that governs the relationship between a data controller and a data processor. When a controller engages a processor to handle personal data on its behalf, a DPA must be established to ensure adequate protection of the data and compliance with GDPR principles.

The DPA must include several key provisions. First, it must specify the subject matter, duration, nature, and purpose of the processing, as well as the types of personal data involved and the categories of data subjects. The processor must only act on documented instructions from the controller and cannot process data beyond what is agreed upon.

Critical elements of a DPA include: obligations for the processor to ensure confidentiality by requiring personnel to commit to confidentiality agreements; implementation of appropriate technical and organizational security measures; restrictions on engaging sub-processors without the controller's prior written authorization; assistance to the controller in responding to data subject rights requests; and support in meeting obligations related to data breach notification, data protection impact assessments, and prior consultations with supervisory authorities. Additionally, upon termination of the processing relationship, the processor must either delete or return all personal data to the controller, depending on the controller's preference. The processor must also make available all information necessary to demonstrate compliance and allow for audits conducted by the controller or an appointed auditor.
DPAs are essential accountability tools under the GDPR framework. They create a clear chain of responsibility and ensure that when personal data leaves the direct control of the controller, it continues to receive the same level of protection. Failure to establish proper DPAs can result in significant administrative fines and regulatory action. Organizations must regularly review and update their DPAs to reflect changes in processing activities and evolving regulatory expectations.
Data Processing Agreements (DPAs): A Comprehensive Guide for CIPP/E Exam Preparation
Introduction to Data Processing Agreements
Data Processing Agreements (DPAs) are one of the most critical legal instruments under the General Data Protection Regulation (GDPR). They form the contractual backbone of the relationship between data controllers and data processors, ensuring that personal data is handled lawfully, securely, and in accordance with the controller's instructions. For anyone preparing for the CIPP/E exam, a thorough understanding of DPAs is essential, as they appear frequently in exam questions and intersect with numerous other GDPR concepts.
Why Are Data Processing Agreements Important?
Data Processing Agreements are important for several key reasons:
1. Legal Obligation Under the GDPR: Article 28 of the GDPR mandates that processing by a processor shall be governed by a contract or other legal act. This is not optional — it is a binding legal requirement. Failure to have a DPA in place can result in administrative fines and regulatory action against both the controller and the processor.
2. Accountability and Compliance: DPAs are a cornerstone of the accountability principle under Article 5(2) of the GDPR. They demonstrate that a controller has taken concrete steps to ensure that any third party processing personal data on its behalf does so in compliance with the GDPR. Without a DPA, a controller cannot demonstrate that it has adequately governed its processing relationships.
3. Protection of Data Subjects: DPAs serve to protect the rights and freedoms of data subjects by ensuring that processors are contractually bound to maintain the same level of data protection that the controller is required to uphold. This includes obligations around security, confidentiality, data breach notification, and assisting the controller in fulfilling data subject rights requests.
4. Risk Allocation: DPAs allocate responsibilities and liabilities between controllers and processors. They clarify who is responsible for what, reducing ambiguity and helping both parties understand their obligations in the event of a data breach or regulatory investigation.
5. Chain of Processing: In modern data ecosystems, processors frequently engage sub-processors. DPAs create a chain of contractual obligations that flow down to sub-processors, ensuring that data protection standards are maintained throughout the entire processing chain.
What Is a Data Processing Agreement?
A Data Processing Agreement is a legally binding contract between a data controller (the entity that determines the purposes and means of processing personal data) and a data processor (the entity that processes personal data on behalf of the controller). The DPA sets out the subject matter, duration, nature, and purpose of the processing, the type of personal data involved, the categories of data subjects, and the obligations and rights of the controller.
Legal Basis: Article 28(3) GDPR
Article 28(3) specifies that the contract or legal act between the controller and the processor must stipulate, in particular, the following:
• The processor shall process personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or Member State law.
• The processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• The processor shall take all measures required pursuant to Article 32 (security of processing).
• The processor shall respect the conditions for engaging sub-processors (Article 28(2) and 28(4)).
• The processor shall assist the controller in ensuring compliance with data subject rights (Articles 15–22), taking into account the nature of the processing.
• The processor shall assist the controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments (DPIAs), and prior consultation (Articles 32–36).
• The processor shall, at the choice of the controller, delete or return all personal data to the controller after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage.
• The processor shall make available to the controller all information necessary to demonstrate compliance with Article 28 obligations and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
How Do Data Processing Agreements Work?
1. Selecting a Processor
Before entering into a DPA, the controller has an obligation under Article 28(1) to use only processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of data subjects. This due diligence step is crucial and often tested in exams.
2. General vs. Specific Authorisation for Sub-Processors
Under Article 28(2), the processor must not engage another processor (a sub-processor) without either:
• Prior specific written authorisation of the controller, or
• Prior general written authorisation of the controller.
In the case of general written authorisation, the processor must inform the controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the controller the opportunity to object to such changes.
3. Flow-Down Obligations to Sub-Processors
Article 28(4) requires that where a processor engages a sub-processor, the same data protection obligations as set out in the DPA between the controller and the processor shall be imposed on the sub-processor by way of a contract. If the sub-processor fails to fulfil its obligations, the initial processor remains fully liable to the controller for the performance of the sub-processor's obligations.
4. Standard Contractual Clauses for DPAs
The European Commission has the power under Article 28(7) to lay down standard contractual clauses (SCCs) for agreements between controllers and processors. In June 2021, the European Commission adopted new SCCs that include modules for controller-to-processor relationships. Supervisory authorities may also adopt SCCs under Article 28(8). Using approved SCCs can simplify compliance but does not remove the need for due diligence.
5. Practical Implementation
In practice, DPAs typically include the following structure:
• Main body: General terms covering the relationship, liability, indemnification, and governing law.
• Annex I: Description of the processing (subject matter, duration, nature, purpose, types of personal data, categories of data subjects).
• Annex II: Technical and organisational measures implemented by the processor.
• Annex III: List of authorised sub-processors (if applicable).
Key Concepts to Understand for the Exam
Controller vs. Processor Distinction: A fundamental concept. The controller determines the purposes and means of processing. The processor acts on behalf of and under the instructions of the controller. If a processor begins determining the purposes and means of processing on its own, it may be deemed a controller under Article 28(10), with all attendant obligations and liabilities.
Joint Controllers (Article 26): Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers. They must enter into an arrangement (not a DPA) that determines their respective responsibilities. This is distinct from a DPA and is a common exam trap.
Processor Becoming a Controller: Under Article 28(10), if a processor infringes the GDPR by determining the purposes and means of processing, it shall be considered a controller with respect to that processing. This is an important liability trigger.
Liability Under Article 82: Both controllers and processors can be liable for damages caused by processing that infringes the GDPR. A processor is liable only where it has not complied with obligations specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
Relationship Between DPAs and International Transfers: DPAs often intersect with Chapter V of the GDPR (international transfers). If a processor is located outside the EEA, the controller must ensure that an adequate transfer mechanism is in place (such as SCCs for international transfers, adequacy decisions, or binding corporate rules) in addition to the DPA.
Common Exam Scenarios
• A company outsources payroll processing to a third-party provider — this is a classic controller-processor relationship requiring a DPA.
• A cloud service provider stores personal data for a client — the cloud provider is typically the processor, and a DPA is required.
• A processor engages a sub-processor without informing the controller — this is a breach of Article 28(2).
• A processor uses personal data for its own marketing purposes — the processor has stepped outside its instructions and may be deemed a controller under Article 28(10).
• Two companies jointly decide how and why to process personal data — this is a joint controller arrangement under Article 26, not a DPA situation.
Exam Tips: Answering Questions on Data Processing Agreements
1. Know Article 28 Inside and Out: Article 28 is the single most important provision for DPA questions. Be able to list the mandatory elements of a DPA from Article 28(3). Many multiple-choice questions will test whether you can identify which element is or is not required.
2. Distinguish DPAs from Joint Controller Arrangements: A very common exam question involves determining whether a scenario describes a controller-processor relationship (requiring a DPA under Article 28) or a joint controller relationship (requiring an arrangement under Article 26). Focus on who determines the purposes and means of processing. If both parties determine purposes and means, it is a joint controller situation.
3. Remember the Sub-Processor Rules: Questions often test whether you know the difference between general and specific written authorisation for sub-processors. Remember that with general authorisation, the processor must inform the controller of changes and give the controller the opportunity to object.
4. Focus on Processor Obligations: Be clear on what a processor must do under a DPA: act only on documented instructions, ensure confidentiality, implement security measures, assist with data subject rights, assist with breach notification and DPIAs, delete or return data at the end of the relationship, and allow audits.
5. Understand the Liability Framework: Know that under Article 82, processors can be directly liable for damages. Under Article 28(10), a processor that determines purposes and means becomes a controller. These are important liability concepts that frequently appear in exam questions.
6. Watch for the "Sufficient Guarantees" Requirement: Article 28(1) requires controllers to use only processors providing sufficient guarantees. Exam questions may ask what a controller must do before engaging a processor — the answer relates to this due diligence obligation.
7. Link DPAs to the Accountability Principle: If a question asks about demonstrating compliance or accountability, remember that DPAs are a key mechanism for controllers to demonstrate they have governed their processing relationships appropriately.
8. Don't Confuse Transfer SCCs with DPA SCCs: The European Commission has issued SCCs for both international data transfers (Article 46(2)(c)) and for controller-processor agreements (Article 28(7)). These serve different purposes. Transfer SCCs address adequacy of protection for cross-border transfers; DPA SCCs address the contractual relationship between controllers and processors.
9. Read the Question Carefully: Many DPA questions hinge on subtle distinctions. Pay close attention to whether the question is asking about a controller's obligation, a processor's obligation, or a mutual obligation. Also look for keywords like "on behalf of," "determines the purposes," and "documented instructions."
10. Practice with Scenario-Based Questions: The CIPP/E exam frequently uses scenarios. Practice identifying the roles of each party (controller, processor, sub-processor, joint controller) before answering. The correct role determination will almost always lead you to the correct answer about what type of agreement or obligation applies.
Summary
Data Processing Agreements are a fundamental compliance mechanism under the GDPR, rooted in Article 28. They establish the contractual framework governing how processors handle personal data on behalf of controllers. For the CIPP/E exam, mastering DPAs requires understanding their mandatory elements, the distinction between controller-processor and joint controller relationships, sub-processor rules, liability implications, and the connection to broader GDPR principles like accountability and international data transfers. By focusing on Article 28, practicing scenario-based analysis, and being precise about role classifications, you will be well-prepared to tackle any DPA-related question on the exam.