Do Third Parties Process Your Data? Why You Need a DPA & SCC
If a third party processes data on your behalf, you’ll need a Data Processing Agreement in place to protect your customers and your business – and you could be fined if you don’t get one. Our GDPR Local Experts can explain why.
You run an organisation that wields a lot of data. Sometimes you need that data to be transferred to and processed by companies outside your own. Perhaps it’s for marketing, analysis or payroll purposes. You bundle the data up and send it to your contracted third parties. You’ve established non-disclosure and service level agreements with all of them, so you’re confident that you’ve protected yourself against risk, and that you’ve complied with data protection laws.
Except you haven’t.
What is a Data Protection Agreement?
If you operate a business that works with personal data in the EU and/or UK, you need to comply with certain data protection regulations (the EU GDPR if you’re operating in the EU; the UK GDPR if you’re operating in the UK – we’ll just refer to them both as ‘GDPR’ for the rest of this article).
The GDPR imposes rules on how you transfer data to third parties for processing. Whenever you use a third party data processor, you’ll need a contract in place. That contract is a DPA – a Data Processing Agreement.
What does a DPA do?
A DPA is a mandatory document that supplements any service agreement already in place. It sets out the details of the relationship including, for example, the nature and duration of the processing and the types of data involved.
Crucially, it also describes each party’s responsibilities in respect of the data being processed. Among other things, a DPA will include clauses regarding the data importer’s duty of confidence, security measures, data subjects’ rights and the requirement for any sub-processing by other third parties contracted by the importer to be authorised by the data controller (in this case, you).
In the UK, the Information Commissioner’s Office publishes an at-a-glance guide to the requirements of a DPA.
What is the benefit of a DPA?
The right DPA ensures you comply with GDPR regulations. In the event of a data privacy breach, and assuming your agreement has been correctly drafted, the third-party processor would be liable. Without an appropriate DPA, you may both be – and you’ll face a fine for failing to meet data protection laws.
In 2022, the Austrian Data Protection Authority found Google Analytics to be in violation of the GDPR for transferring data to third countries without adequate safeguards. In the UK, the ICO fined Yahoo! UK £250,000 for a similar transgression, when data shared with the company’s US counterpart was subject to a hack that compromised customers’ personal data.
Yet a DPA is more than a ‘get out of jail free’ card to protect you in the event of an issue with third party processors. It’s effectively a guide that helps you meet your obligations, stay compliant and ensure that everyone understands their responsibilities.
What is an SCC?
Like Batman and Robin, DPAs and SCCs (Standard Contractual Clauses) are often inseparable. As the name suggests, SCCs are standard provisions that ensure additional safeguards are put in place to protect personal data that is leaving the EEA to be processed in countries that do not have an adequacy arrangement, and which may not afford the same level of data protection security. The SCC ensures data is protected to the level required by the GDPR.
You can find more about SCCs for data that is shared between the EU and non-EEA territories on the European Commission website.
The UK has its own position for international transfers through two documents issued by the ICO:
- An international data transfer agreement (IDTA) is the equivalent of the new EU SCC for international data transfers from the UK to countries without equivalent privacy laws.
- An international data transfer addendum (the ‘UK Addendum’) amends the new EU SCCs so they work for international data transfers from the UK to countries without equivalent privacy laws.
What’s new about a ‘new SCC’?
The new SCC (and by extension the UK IDTA and Addendum, which effectively replicate it for the UK) is onerous – certainly more so than the ‘old’ pre-27 September 2021 version. Through its 25+ pages, data exporters and importers are required to carry out transfer impact assessments. There are new obligations on the data importer to notify the exporter regarding access requests. There are new transparency obligations and a reinforcement of data subjects’ ability to enforce their rights.
There’s also a more modular approach to the relationships catered for by the new SCC, with clauses for relationships between:
- Controller and a controller
- Controller and a processor
- Processor and a controller
- Processor and a processor
DPAs and SCCs: what should you do next?
If any third party processes personal data on your behalf, you’ll need a DPA to comply with data protection laws. If that data processor operates from a country outside the EEA or UK and does not have a data adequacy arrangement, the DPA will need to be supplemented by an SCC (in the EU) or a UK IDTA and Addendum (in the UK).
It almost goes without saying that the arrangements are often confusing and time-consuming for companies, yet it’s important to ensure compliance if you’re to avoid a fine, a breach or both.
So for help in ensuring your data transfer arrangements are compliant, and for broader GDPR advice and support to bring all your GDPR policies in line, talk to our GDPR experts.
Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.