In today’s digital age, companies that collect personal data from users have an obligation to be transparent about how they handle that data. Two common ways companies disclose their data practices are through privacy policies and data processing agreements (DPAs). But what exactly is the difference between these two important documents?
What is a Privacy Policy?
A privacy policy is a legal document that discloses how a company collects, uses, shares, and stores users’ personal data. It provides information about:
- What types of data are collected
- How the data is collected
- Why the data is collected
- How the data is used
- Who the data is shared with
- How users can access, edit, delete, or object to the use of their data
Privacy policies aim to provide transparency to users about a company’s data practices. They are often posted publicly on company websites. Under many laws and regulations like the GDPR, companies are required to provide privacy policies to users.
Key Sections of a Privacy Policy
Though privacy policy formats can vary, they often contain sections like:
- Data Collected: Lists the types of user and device data collected, like name, email, location, IP address, browsing history, etc.
- Use of Data: Explains how the company uses collected data, such as for providing services, personalization, analytics, marketing, etc.
- Sharing of Data: States who data may be shared with, like service providers, affiliates, partners, advertisers, etc.
- Legal Basis for Data Processing: Specifies the legal reasons why the company processes personal data, like user consent, contractual necessity, legal compliance, legitimate interests, etc.
- Data Retention: States how long data is kept before being deleted or anonymized.
- User Rights: Outlines choices users have to access, edit, delete, or object to the use of their personal data.
- Data Security: Provides information about security practices like encryption to protect collected data.
- International Data Transfers: Specifies if/how data is transferred outside of the country of origin.
- Changes to the Privacy Policy: States process for notifying users about changes to the privacy policy.
- Contact Information: Provides contact details for the privacy team or data protection officer.
What is a Data Processing Agreement (DPA)?
A data processing agreement (DPA) is a legally binding contract between an organization that determines the purposes and means of processing personal data (the data controller) and an organization that processes that data on its behalf (the data processor). Under GDPR Article 28(3) this contract must be in writing (electronic form is fine) and must contain a defined set of terms. DPAs establish security and confidentiality obligations to protect user data.
DPAs specifically outline:
- The types of personal data being processed
- The processing activities performed
- The purposes and legal basis for processing
- The data controller’s instructions for handling the data
- Security measures implemented by the data processor
- Requirements for data retention and deletion
- Processes for audits, monitoring, and breach notification
- Processor’s GDPR compliance responsibilities
- Processor’s subcontracting and international transfer conditions
- Liability and indemnification terms
DPAs provide legally enforceable data protection responsibilities for vendors, service providers and other third parties that handle personal data on behalf of a controller.
When is a DPA Required?
DPAs are required in certain situations under privacy laws like the GDPR (Article 28) and, under a different name, the CCPA/CPRA, which requires a written contract with any "service provider" or "contractor" that receives personal information. Specifically, a DPA is required:
- Whenever a data controller uses a third-party data processor to handle personal data on its behalf
- Whenever that processor in turn engages a sub-processor, since the same data protection obligations must flow down by contract
- Whenever a processor outside the EU/EEA (or another jurisdiction with data transfer restrictions) receives personal data; here the DPA is paired with a transfer mechanism such as Standard Contractual Clauses
Sharing personal data between two independent controllers is not processing "on behalf of" anyone, so it calls for a data sharing or joint-controller agreement rather than a DPA.
Common examples where DPAs are required include companies using:
- Cloud service providers (like AWS, Azure, etc.) to host customer data
- Payment processors to handle transactions
- Email service providers to distribute emails
- Data analytics services to analyze user data
- Customer support services with access to user data
- Affiliates or group companies that process data on the controller's behalf (an intra-group DPA); affiliates that independently decide how to use shared customer data are controllers in their own right and need a data sharing agreement instead
Key Differences Between Privacy Policies and DPAs
Though privacy policies and DPAs both relate to data protection, there are some important differences:
Privacy Policy | Data Processing Agreement |
---|---|
Informs users about a company’s overall data practices | Outlines data handling requirements for specific service providers |
Written from the perspective of a data controller | Written between a controller and processor |
Public-facing document posted on company website | Private legal contract |
Broadly describes types of data use | Details specific processing activities |
Unilateral policies and procedures | Binding agreement imposing two-way obligations |
Provides transparency for users | Provides accountability between businesses |
To summarize:
- Privacy policies inform users about overall data practices
- DPAs legally bind vendors/partners to detailed data handling requirements
Privacy policies focus on user transparency while DPAs focus on business accountability. Businesses may need both to fully comply with data protection laws.
Key Elements of a DPA
Let’s explore the typical contents of a DPA in more detail:
Parties to the Agreement
Clearly identifies both the data controller and the data processor. Provides details for each party like official legal name, address, jurisdiction, and the person authorized to sign.
Description of Data Processing
Details the specific scope of processing activities performed by the processor on behalf of the controller. Specifies:
- The types of personal data processed
- Categories of data subjects
- Processing operations performed on the data
- Purposes for data processing
Processor’s Compliance Responsibilities
Sets expectations for the processor to only process data per the controller's documented instructions, and to tell the controller promptly if it believes an instruction would break the law (GDPR Art. 28(3)(h)). Requires compliance with GDPR principles like data minimization. Prohibits unauthorized uses like selling data or using it for the processor's own purposes.
Technical and Organizational Safeguards
Defines security measures like encryption, access controls, logging, etc. implemented by processor to protect data. May require specific technologies or standards like ISO 27001 certification.
Audit Rights
Allows controller to audit processor’s data security controls, like through questionnaires, reports, site visits, or independent audits. Enables controller to verify GDPR compliance first-hand.
Data Subject Rights
Obligates processor to assist controller in responding to individuals exercising their GDPR rights like access, rectification, deletion, or transferring their personal data.
Sub-Processing
Sets conditions around appointing sub-processors, like requiring controller approval. Imposes same obligations on sub-processors as the primary processor.
International Data Transfers
Defines mechanisms used to lawfully transfer data from the EU/EEA to other countries like the US. These include the European Commission's Standard Contractual Clauses (the 2021 set has a dedicated controller-to-processor module), Binding Corporate Rules for intra-group transfers, and adequacy decisions such as the EU-US Data Privacy Framework. Privacy Shield, which older DPAs still reference, was invalidated by the CJEU in the 2020 Schrems II judgment and can no longer be relied on; a DPA that cites it needs to be updated.
Security Breach Notification
Requires the processor to notify the controller without undue delay after becoming aware of a personal data breach (GDPR Art. 33(2)). Because the controller itself has 72 hours from awareness to notify the supervisory authority (Art. 33(1)), DPAs commonly set a processor deadline of 24 to 48 hours. Defines the notification channel, contact points, and the information the processor must supply: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.
Return/Deletion of Data
Obligates the processor, at the controller's choice, to return or securely destroy personal data once processing services conclude, and to delete any remaining copies unless a law requires the processor to retain them (GDPR Art. 28(3)(g)). Ensures no unauthorized data retention.
Liability
Establishes responsibilities and penalties if either party violates DPA terms and causes compliance failures. Often includes indemnification clauses.
DPAs provide detailed security and privacy protections enforced contractually between businesses and their service providers handling personal data.
Benefits of DPAs
Proper DPAs offer companies advantages like:
- Compliance: DPAs help satisfy data protection requirements under privacy laws like GDPR, CCPA, etc.
- Risk Management: Allocates responsibility between the parties and lets the controller recover losses caused by a vendor's breach or non-compliance. It does not shift regulatory accountability: under the GDPR the controller remains answerable to supervisory authorities and data subjects for processing done on its behalf.
- Security: Contractually obligates service providers to implement and maintain defined safeguards, which the controller can verify under its audit rights.
- Accountability: Creates auditing and monitoring mechanisms to verify vendor practices.
- Control: Contractually limits how providers can process personal data on your behalf.
- Trust: Reassures customers you take data protection seriously with partners.
DPA vs Privacy Policy: Which Comes First?
When initially implementing data protection measures, a sensible order is to finalize your privacy policy first, then draft DPAs.
This is because DPAs should accurately reflect the data handling practices outlined in your privacy policy. DPAs essentially provide the legal “teeth” to enforce privacy policy commitments with vendors.
The DPA negotiation process may even identify ways to strengthen your privacy policy to close any gaps between stated practices vs vendor limitations.
So beginning with a privacy policy helps align DPAs to existing public data commitments. DPAs can then provide the contractual oversight to validate vendors adhere to those privacy promises.
Do I Need Both a Privacy Policy and DPAs?
For many businesses, having both strong privacy policies and DPAs is necessary for robust data protection. The privacy policy is owed to the people whose data you collect; the DPA is owed to (and by) each processor you use, and one cannot substitute for the other. Exact requirements depend on your organization's specific data activities and locations.
For example:
- Companies that process personal data entirely in-house, with no third-party processors, may only need a privacy policy.
- Very early-stage startups without vendors may not need DPAs initially, but as soon as customer data is hosted with a cloud provider or run through a third-party analytics or email service, a DPA with that provider is required.
- Small businesses still need a separate DPA with each processor; a clause in a public privacy policy is not a contract with the processor and does not satisfy GDPR Article 28.
- Some non-EU businesses may focus mainly on privacy policies, but the GDPR applies to any organization that offers goods or services to, or monitors, people in the EU, and the CCPA/CPRA has its own service provider contract requirement.
Conduct an assessment of your data flows to determine if DPAs are warranted for your highest risk vendors. Utilize risk-based analysis to focus first on DPAs for providers handling sensitive data, like financial information or children’s data.
Key Steps for Drafting DPAs
Follow these best practices when creating DPAs:
- Document your data flows. Map how data is collected, processed, and transferred to external parties. Identify cases where DPAs may be warranted.
- Assess provider risks. Evaluate which providers handle sensitive data, pose compliance risks, lack security controls, etc. to prioritize DPA efforts.
- Develop template DPAs. Create standard DPA templates you can provide to vendors to accelerate the process.
- Customize as needed. Adapt terms to address unique risks and requirements for each provider’s services.
- Negotiate responsibilities. Consult legal counsel to allocate liabilities appropriately between the parties.
- Implement with highest risks first. Onboard vendors handling sensitive data early to quickly reduce risk exposure.
- Monitor compliance. Put processes in place to ensure providers follow DPA obligations long-term.
Properly drafted and enforced DPAs provide significant data protection benefits. But they require investing sufficient time and resources to complete due diligence on service providers.
Maintaining Privacy Policies and DPAs
Both privacy policies and DPAs require ongoing maintenance to remain current. It’s important to:
- Update privacy policies to reflect new data practices, technologies, acquisitions, etc.
- Notify users of updated privacy policies per notification commitments.
- Review and renegotiate DPAs at contract renewal, and amend them when the scope of processing, the list of sub-processors, or the international transfer mechanism changes.
- Draft new DPAs when changing service providers.
- Periodically audit providers to validate DPA compliance.
Staying on top of these documents ensures you continuously align your actual data handling with stated practices. Failing to maintain policies and agreements exposes the business to substantial risk.
Conclusion
Privacy policies and data processing agreements are complementary data protection tools that serve different purposes:
- Privacy policies provide public transparency into data practices.
- DPAs create private contractual safeguards with vendors.
Businesses collecting and handling significant personal data will likely benefit from implementing both robust privacy policies for users and targeted DPAs with key service providers. Drafting strong versions of these documents provides proof to customers and regulators that you take data privacy seriously at all levels of the organization.