What is a Data Processing Agreement (DPA)?
A data processing agreement, or DPA, is an agreement between a data controller (the organization hosting the event) and a data processor (a third-party service provider such as the virtual event platform provider). A DPA regulates any processing of attendee data (e.g., name and email address) conducted for business purposes. A DPA outlines who owns the data and what the virtual event provider (data processor) can do with the data.
Why are DPAs Critical to Have?
Whenever a data processor carries out any processing on your behalf, you need to have a written contract in place. The contract is important so that both parties understand their role in handling users’ personal data and their obligations arising from it. It ensures that the chain of responsibility is clear to each participant in the process.
A data processing agreement lays out technical requirements for the controller and processor to follow when processing data. This includes setting terms for how data is stored, protected, processed, accessed, and used.
In addition, a data processing agreement defines clear roles and obligations for controllers and processors. It is a useful contract for any arrangement between two parties working with customer or user data. It regulates the particularities of data processing, such as:
- The scope and purpose of the processing
- The relationship between these organizations
- The obligations of each party under the regulation
Recently, two virtual event platforms were caught using attendee data from their client events to either market their own services to the attendees or market other client events (competing events) to the attendees. This is a major breach of data use.
Accountability for establishing a lawful data process and observing data subjects’ rights falls to the controller (your company). For example, if the virtual event provider that you contract with breaches data security regulations, YOUR ORGANIZATION will be liable and accountable. This is why you need a DPA.
Remember that you (the controller) will be held responsible for a data breach even if caused by a processor (virtual event provider). Make sure that the processor has necessary data protection in place and that it will not use your attendee data in an unauthorized manner.
How Do I Know if I am Collecting Personal Information?
Personal information or data includes something as simple as the attendee’s name and email address. It does not have to be highly sensitive information such as an SSN, card information, home address, medical information, etc. Further, most virtual event platforms enable attendees to upload a picture. Photographic images with distinguishing features, such as a face, are considered personal information. This must be protected and not used for anything the attendee did not agree to.
What is GDPR?
GDPR stands for the General Data Protection Regulation. It’s an EU law that went into effect in May 2018. It governs privacy, data collection, and data protection within the European Union and the European Economic Area (EEA).
The primary purpose of the GDPR is to protect private information and standardize data protection laws across the EU. But more than that, it’s to protect the individual’s fundamental rights and freedom.
In other words, if your organization does business in the EU and EEA, you must follow the GDPR regulations. Failure to do so comes with stiff fines and penalties.
The GDPR focuses mainly on personal data and data processing, and on data subjects, controllers, and processors. It mandates signing a DPA with third-party data processors. If your organization uses data about EU residents, you must be GDPR compliant and use DPAs. Failing to do so could result in hefty fines and penalties.
What Should Be Included in a DPA?
Generally speaking, a DPA should include the scope and purpose of data processing, what data will be processed, how it will be protected, and the controller (you) and processor (virtual event platform) relationship.
Data processing agreements must be very detailed. They should include:
- General information: This includes the activities involved in data processing, the ways personal data is used, the party responsible for ensuring data meets GDPR compliance, and the duration for which processing will occur. It also covers definitions of data subjects (attendees or users), the types of data to be processed, how and where data is stored, and the terms of contract termination.
- Responsibilities of the controller (you): When it comes to GDPR compliance, establishing a lawful data process and observing data subjects’ rights falls to the controller. The controller is also responsible for issuing processing instructions and dictating how the processor handles data. In other words, if the virtual event provider that you contract with breaches data security regulations, YOUR ORGANIZATION will be liable and accountable.
- Responsibilities of the processor: Under GDPR, processors have a long list of responsibilities. These include maintaining information security, cooperating with authorities in the event of an inquiry, reporting data breaches, providing opportunities for audits, record keeping, deletion or return of data at the end of the contract, and more. Articles 28-36 of GDPR set out responsibilities for data processors. Among other things, they:
- Must provide adequate information security
- Shouldn’t engage sub-processors without your prior consent
- Must cooperate with the authorities in the event of an inquiry
- Must report data breaches to you as soon as they become aware of them
- May need to appoint a data protection officer
- Must comply with EU transborder data transfer rules
- Must help you comply with data subjects’ rights, including the processing of data subject requests
- Must assist you in managing the consequences of data breaches
- Must delete or return all personal data at the end of the contract, if requested
- Must inform you if your processing instructions infringe GDPR
If the virtual event platform (data processor) plans to utilize sub-processors, a section outlining sub-contractual relationships is also necessary. The processor needs written consent from you (the controller) to use sub-processors, which must ensure data protection and pass compliance verification regularly.
- Technical and organizational requirements: How will data be encrypted, accessed, and tested? Can both parties ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services? GDPR demands that controllers and processors consider how state-of-the-art technology, the costs of implementation, and variances in personal freedoms affect their ability to ensure ongoing data security.
Data processing agreement (DPA) under GDPR: A Summary
We hope that this gives you an idea of what a data processing agreement is, why it is necessary, and what it should include.