What Is a Data Processing Agreement (DPA)?

Introduction

Expanding companies can take advantage of foreign markets by tapping into new customer bases to increase sales. They can also tap into a large worldwide talent pool to fill international remote roles.

Hiring international workers has benefits for both the company and the employees. The increasing popularity of remote work means that workers and contractors all over the world can join the workforce of an internationally expanding company whose headquarters could be halfway around the world. Employers are now open to more than their local talent pool, which may need more supply, and can find qualified and motivated individuals from all over the globe.

Some laws dictate how employers treat employees and spell out workers' rights. Another requirement for companies with employees and customers in the European Union is GDPR compliance.

What Is GDPR?

GDPR is an acronym for Global Data Protection Regulation. It is a set of regulations enacted by the EU governments to protect the privacy and security of citizens living in the 27 member states of the EU and their overseas territories. Any organization, company, or entity that collects personal data from an EU citizen must comply with the GDPR.

Personal data is data collected from an identifiable person, such as a name, location, ID number, or online identifier, or pertaining to one or more factors specific to the physical, mental, genetic, physiological, social, cultural, or economic identity of that person.

Some of the GDPR rules for data controllers, such as owners of sites and apps, specify that:

• The collection of data must be transparent and lawful.
• Data must be protected and websites and other ways of collecting data must be secure.
• Someone must be designated as accountable for GDPR compliance.
• Customers and users must be able to access the information collected about them easily.
• Data controllers and data processors must have a data processing agreement or DPA.

What Is a Data Processing Agreement Under the GDPR?

A data processing agreement is a contract between a data controller, any entity that collects and holds data, such as a company, and a data processor, such as a service provider. Almost every business that operates in any capacity online relies on third parties to collect and store data. To comply with GDPR rules, companies must have a DPA agreement with each third party about data processing.

An example of data processing would be a website collecting data concerning the users of the website. The site could collect data about the following:

• How many visitors the site gets
• Which elements the users interact with
• Which pages the users' view
• How long the users stay on each page

Different sites and apps may have various reasons for collecting data and what they intend to do with it. The similarity between these sites and apps is that if they collect data from EU citizens, they are bound to comply with GDPR rules, including having a DPA.

When Is a Data Processing Agreement Required?

The rules of the GDPR require that any company using a third party to process, store, or analyze data must have a signed DPA with the processor. This DPA is a legally binding contract spelling out the obligations and rights of each party regarding the protection of personal data.

The DPA is required whenever data is processed. Processing includes collecting, storing, communicating, translating, or encrypting data.

When Is a DPA Not Required?

Companies do not need a DPA when using and collecting data on non-EU citizens.

Who Is the Data Controller?

A data controller is any entity that collects data from users. An example of a data controller is a website or an app that collects data via a data processor, like a company’s website or app.

What Does a DPA Document Include?

A DPA, like any legally binding contract, should include the general information of the parties involved, the rights and obligations of each party, definitions, a termination clause, and the duration of the contract.

In addition to general information, there are items a DPA must include dictated by the GDPR, which can be found in the GDPR rules, Article 28, Section 3. A DPA document must consist of that:

• The processor agrees to process personal data on the written instructions of the data controller.
• Anyone who comes into contact with the data has sworn confidentiality.
• Measures have been taken to protect data security.
• The processor will not subcontract unless instructed to do so. If processing is subcontracted, there must be a DPA with the subcontractor.
• The processor will help the controller uphold Article 32 of GDPR compliance.
• The processor will delete all personal data upon returning the data to the controller or cessation of services.
• The processor agrees to any audit a controller may conduct and will prove compliance by offering any information necessary.

What Happens After a Data Breach Under a DPA?

After a data breach, the controller must notify the appropriate digital protection authority within 72 hours. All data processors must notify data controllers of every breach. If the breach imposes a high risk to the individuals involved, those individuals must be notified unless organizational or technical measures have been taken to mitigate that risk.

What Are the Penalties for Non-compliance With the GDPR?

If a company is found non-compliant, the company may face a reprimand, temporary or permanent ban on processing data, or a fine of 4% of annual revenue or 20 million euros.

Fines imposed by the Digital Protection Agency are intended to be proportionate, dissuasive, and effective. The authority may consider several factors when deciding the penalty’s size, such as the extent and duration of the infringement, whether or not the violation was accidental or intentional, whether or not an effort had been made to mitigate the damage, and whether or not the offending organization is cooperating with authorities.

Conclusion

GDPR protects the privacy of EU citizens by requiring any entity that collects data from EU citizens to follow the rules about the use of data. Also,  the scope of data collection, the notifications of the use of data and gathering of consent, the appointment of unique roles for handling data, such as a Data Protection Officer, and attempting to minimize data breaches with technical implementations and organizational measures such as training and informed policy-making.

What Is DPA Non-compliance?

DPA is an agreement between data controllers and parties that may process and store data. This agreement is legally binding and spells out the rights and responsibilities of all parties. Failure to comply with DPA and GDPR rules can result in costly consequences. The financial penalty for non-compliance could be 20 million euros or 4% annual revenue.

Complying with GDPR rules is just one facet of compliance with the many laws and regulations companies must comply with. Hiring internationally can have risks, including non-compliance with regulations such as GDPR, misclassification, visa requirements, and local employment laws such as minimum wage requirements and leave entitlements. Noncompliance with these laws can result in fines and other expensive penalties.

Avoid Non-compliance by Partnering With an Employer of Record Like Skuad

To avoid the costs and other consequences of noncompliance, global companies can work with an international partner such as an employer of record (EOR) like Skuad. Employers of record can be the legal employer of a foreign company’s employees, allowing foreign companies to tap into local employment markets without establishing a local legal entity. Setting up subsidiaries in every country where you may be hiring can be expensive and lengthy. Avoiding the establishment of entities can save companies a lot of time, money, and effort.

The employer of record can easily hire and onboard employees and independent contractors for the client company and make sure all employment contracts are compliant and that they follow local employment laws. Once onboarded, your workers will have their hours tracked accurately and payroll processed on time. Payroll taxes are paid correctly and on time, including any withholding of employees’ income taxes. Benefits are also managed, including paid time off and health insurance.

To see how Skuad can help your company hire and pay remote international contractors and employees and to see how we can make sure you are in compliance with all the relevant laws and regulations to which you may be subject, contact us to book a demo today.