DPA

⚡TL;DR

  • A DPA governs the relationship between the controller and the processor.
  • Under the GDPR, a DPA is required with each processor. Under the FADP, a contractual clause is sufficient.
  • Generate a free DPA on our website.
  • Book a free call with us.

A Data Processing Agreement (DPA) is an agreement between the controller and the processor regarding the data processing that is delegated by the controller to the processor.

It includes the purposes of the data processing, the duration of the processing, the categories of personal data processed, the categories of data subjects, and whether or not sub-processing is authorized.

In a DPA, the processor also agrees to process data only on written instructions from the controller, to implement appropriate technical and organizational measures, and to notify the controller within a given deadline (usually 24 hours) in the event of a data breach.

The DPA might refer to an underlying contractual relationship (e.g., the agreement between the company and the hosting provider, who is a processor).

Under the GDPR, data controllers must sign a DPA with every third party that acts as a processor on their behalf. Failing to do so can lead to GDPR fines.

When you are the processor under a DPA, make sure to review the technical and organizational measures (TOMs) and ensure that they are in line with your actual practices as a processor.

Under the FADP, a formal separate DPA is not required. However, the controller must still have a sufficient contractual clause related to the data processed by the processor. This could be part of the underlying agreement between the companies.

Best practices

GDPR third-party processing: If third parties process personal data on behalf of the company and GDPR applies, a DPA is concluded with each third party. A standard DPA can be generated here.

FADP third-party processing: If third parties process personal data on behalf of the company and the FADP applies, the standard FADP clause below is implemented in all contracts:

ABC (Processor) processes personal data of XYZ (Controller) exclusively in accordance with the instructions of the Controller and insofar as this is necessary for the fulfillment of its contractual obligations. The Processor shall implement appropriate technical and organizational measures to ensure the security of the personal data. The Processor shall not subcontract any of its processing activities carried out on behalf of the Controller under this Agreement to a sub-processor without prior consent. Breaches of the security of personal data shall be reported by the Processor to the Controller as soon as possible, and within 24 hours at the latest.

If one of the parties is located in a third country (i.e., outside the EU, the EEA, and Switzerland), you must comply with the requirements for third-country transfers.

If the country is recognized as adequate by the EU Commission or the Federal Council, no additional measures need to be taken.

If additional measures are needed, the most common way to comply is to include the EU Commission's standard contractual clauses (SCCs) as an annex to your agreement.

Best practices

It is clear where personal data is actually processed and, if this is outside the EU/CH, adequate measures are taken.

If you're processing personal data as a joint controller under the GDPR, all joint controllers must define their respective responsibilities, in particular which controller is responsible for handling data subjects' rights, and determine which TOMs must be implemented by all joint controllers.

This can be done in a separate contract or in an existing one.

  • Check out our free DPA generator here.
  • Book a free call here if you have any questions.