The battle of the data processing agreement

By 
Gry Josefine Løvgren
June 27, 2024

Effective vendor management and thought through data processing agreements (DPA) are crucial for safeguarding data. Early involvement of compliance officers, thorough negotiation of key terms, and the use of standardised templates can enhance vendor collaborations and protect against cyber threats.

Odense University Hospital in Denmark has faced significant operational challenges due to a cyber attack on one of their key vendors in June. The incident disrupted patient care and administrative processes, emphasising the critical nature of vendor collaborations in cybersecurity. 

- It is thought-provoking that there has not been better vendor management than for this to happen, tech correspondent from the Danish Broadcasting Corporation states in an article about the topic. 

Vendor collaboration is key in data compliance.

So how do you manage your vendors? How do you ensure a strong collaboration? The answer is data processing agreements (DPA).

Too late to the party

Vendor collaboration starts with your organisation (someone in IT for instance) deciding to outsource some work or buy a new system, where handling of personal data is involved: A new vendor is acquired. Once the vendor is chosen you negotiate a main contract and a data processing agreement (DPA). 

A DPA is a legal document that outlines the terms for how data should be processed by a data processor on behalf of a data controller. GDPR article 28, section 3 and 4 states that a DPA must be made, but it doesn't say exactly what it should contain. That leaves room for getting your own demands in. And the same goes for the vendor. So it is a document that is not always initially agreed upon. It can become a negotiation. 

The compliance officer is most likely involved in drafting and negotiating the DPA. 

She is responsible for later auditing the vendor and for generally making sure personal data is safe. She therefore knows a lot about what a sensible contract should look like and will be able to negotiate the relevant details such as deadlines, costs and responsibilities in case of a data breach.

However.

In our experience, the main contract is often signed without the compliance officer being involved and then the vendor is no longer open to negotiating terms in the DPA – because the deal is already sealed. 

“The DPA sets the foundation for future audits and responsibilities. But if your conditions aren't included in the DPA, it limits what can be requested later. That is why it is so important for future collaboration to get it in place from the very beginning, before the main contract is signed. You need to make sure that the compliance officer is part of the whole process to ensure this,” explains Helle Dollerup Mortensen, GDPR and Compliance Specialist in Wired Relations.

Who is responsible? The negotiations

There are many things - many important things - that can be the object for negotiations.

One is the method for auditing – should it be a physical meeting, a survey or an independent auditor report? 

When should a data breach be reported to the data controller? And who is responsible in case of a data breach? It is possible to outsource the responsibility and make the vendor responsible in case of any loss, financial or reputational, due to a data breach. 

When should the vendor inform of the use of a new sub-processor and how long does the data controller have to make objections to a potential new sub-processor? 

Seemingly small details can have a significant impact on a company. Therefore, it's crucial to create a culture where the compliance officer is involved from the outset. This practice not only safeguards the data subjects' interests but also strengthens the company's financial stability and overall organisational health.

Templates as a guide

In Denmark, the Danish Data Protection Agency has provided a template for the DPA. Using a recognised template can simplify the negotiations by offering a common starting point.

Cross-border vendor collaborations can be more complex due to differing legal frameworks. Here it can be an advantage to use the standard contractual clause from the EU Commission. 

Likewise the extent of the negotiations may depend on the size of the company you are negotiating with. Large companies often have a standard DPA that they use, where there will be little to no room for negotiations. Here it will be a matter of deciding how important that specific vendor is for your business. 

The crucial point to remember is that the DPA establishes the foundation for potentially long-term vendor collaboration critical to your organisation. So buckle up and get in there. 

You've got this. 

3 valuable tips for negotiating a data processing agreement 

  • Use standardised templates as a starting point (either national or European) then the most important points are already covered. 
  • Be as specific as possible in your descriptions, so that the transfer of data takes place in a reassuring manner.
  • Don't make more demands than necessary.


See how Wired Relations can help manage your vendors –
Book a demo

Great vendor management depends on governance: In this webinar, we talk to TDC NET about how good governance can build a great privacy culture. You'll get great inspiration on how to set-up a governance structure for handling new vendors.