Alongside maintaining internal records [Records of Processing Activities or “ROPAs”], organisations must secure their external data supply chains. While internal records and mapping documents trace the data journey within the boundaries of an organisation, a Data Processing Agreement [“DPA”] serves as the external legal shield that protects that data the moment it leaves your direct control.
A DPA is the legally binding contract executed between an organisation that determines the purpose and means of data processing [“Data Fiduciary”] and the third-party entity that processes data on its behalf [“Data Processor”].
WHY MUST A DPA BE MAINTAINED?
A DPA gives auditors and regulators a document to review, so the organisation can promptly demonstrate that its third-party data practices align with its internal policies and legal obligations.
It is essential for accountability and compliance: it provides documented evidence that Personal Data is handled carefully and lawfully even when the actual processing is outsourced to a completely different corporate entity. It also facilitates compliance with the DPDP Act and the Rules thereunder:
- Sub-section [2] of Section 8 [General obligations of Data Fiduciary] of the DPDPA specifies that: “A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract.”
- Its importance is further highlighted in Rule 6 [Reasonable Security Safeguards] of the DPDP Rules, which lists among the safeguards a Data Fiduciary must take: “[f] appropriate provision in the contract entered into between such Data Fiduciary and such a Data Processor, wherever applicable, for taking reasonable security safeguards;”
WHAT MUST A DPA CONTAIN?
- The name and particulars of the Data Fiduciary and the Data Processor,
- The subject matter and duration of the Personal Data processing,
- The nature and specific purposes of the processing activities,
- The categories of Data Principals and the types of Personal Data being shared,
- The duties, responsibilities and rights of the Data Fiduciary,
- The duties, responsibilities and rights of the Data Processor[s],
- The transfers of Personal Data abroad [cross-border data transfers],
- The technical and organisational security measures undertaken by the Data Processor for Personal Data protection [including for cross-border data transfers],
- The strict timelines and procedures for reporting personal data breaches, and
- The retention period/ timeline for erasure of the different categories of Personal Data.
HOW TO DRAFT AN EFFECTIVE DPA?
The following steps should be followed to draft and maintain an effective DPA:
I. Describe the Parties, Scope and Purpose
- Firstly, clear terminology must be established. The DPA should explicitly define terms such as "Personal Data", "Processing" and "Sub-Processor" as they are interpreted under the DPDP Act. This sets a strict foundation and removes any ambiguity regarding what is being protected.
- Further, the Parties: Data Fiduciaries [including any Joint-Fiduciaries] and Processor[s] [including any Joint/Sub Processors] must be introduced and described.
- The scope and purpose of the agreement should then be specified clearly. This clause must outline the subject matter and duration of the Personal Data processing, and explain exactly why the data is being shared.
- This should be followed by a brief “Description” of the processing activity: the explicit “Purpose[s]” of processing, the specific “Categories of Personal Data” involved [such as names or contact information] and the precise categories of Data Principals [such as customers or employees] to whom such data relates.
- Note that the parties' own personnel may be Data Principals under the agreement, for example the Data Fiduciary's employees whose data the Data Processor handles, or the Data Processor's employees where the Data Fiduciary processes their data [each party then acting in the relevant capacity for that data], and these categories should be listed as well.
II. Duties, Obligations and Rights of Processors and Fiduciaries
- Further, the “Data Processor Duties, Obligations and Rights” should be specified.
- This is arguably the most critical section. It dictates that the Data Processor must process Personal Data solely in accordance with the Data Fiduciary's documented instructions and the DPDP Act.
- Accordingly, it must mandate strict confidentiality for all authorised personnel handling the data.
- Related duties, such as assisting the Data Fiduciary in responding to Data Principal and Law Enforcement requests, should also be set out.
- At the same time, the Rights available to the Data Processor should be specified [such as the right to clear instructions and the right to refuse unlawful processing].
- Following this, the “Data Fiduciary Duties, Obligations and Rights” should also be specified.
- It is pertinent to reiterate here that it is the Data Fiduciary who bears principal responsibility and liability under the DPDPA.
- This clause must ensure that the Data Fiduciary provides specific, clear and lawful processing instructions and maintains a valid legal basis for processing the shared data.
- It should also provide for related rights of the Data Fiduciary, such as the right to audit the Data Processor's compliance measures [including the security measures taken] at any time.
- A clear clause on engaging “Sub-Processors” should also be added. If sub-processing is permitted, the clause must require the Data Fiduciary's prior authorisation and guarantee that these subordinate entities are bound by the same stringent obligations, so that the chain of liability remains intact.
III. Cross-Border Data Transfers
- With global supply chains, data often leaves the country. For this, it is essential to specify the conditions for “Data Transfers Outside India”. This clause must dictate that the Data Fiduciary's prior written authorisation is required for any transfer outside India, and that transfers must comply with the DPDP framework [including any restriction on transfers to specified countries or territories notified by the Central Government under Section 16 of the DPDPA] and with the data protection regulations of the relevant jurisdictions regarding international data flows.
- Similarly, the “Processor Location” [the countries in which the Data Processor and its Sub-Processors will process the data] must be specified for transfers outside India.
- Additionally, the “Third Country Transfer Legal Basis” must be specified, such as Standard Contractual Clauses where the laws of the relevant jurisdiction require them. Which party bears the onus of preparing and maintaining that documentation should also be specified.
IV. Technical and Organisational Measures: Security and Risk
- The DPA must specify the “Security Measures” required, including encryption, pseudonymisation, technical safeguards and regular security audits.
- At the same time, it must include a strict timeframe [such as within 24 hours of becoming aware] for “Data Breach Notifications”, mandating the Data Processor to notify the Data Fiduciary of any personal data breach. Section 8[6] of the DPDPA requires the Data Fiduciary to intimate the Data Protection Board and each affected Data Principal of a breach, so the Processor's notification window must be short enough for the Data Fiduciary to meet its own regulatory reporting deadlines.
V. Personal Data Retention and Erasure
- The “Term” for retaining the Personal Data for the purpose for which it was collected and processed must be clearly stated. Crucially, it must dictate that upon termination of the services, the Data Processor is legally bound to either securely delete or return all Personal Data, based solely on the Data Fiduciary's instructions.
- Further, any “Retention Period” for Personal Data beyond the “Term” must be clearly stated, per category of data.
- This should be followed by the “Retention Justification” for each such period. For example, Personal Data may be retained to comply with a legal requirement.