The preparation and integration of the DPA into the main agreement has a significant impact on the future collaboration of the contracting parties. It is also one of the main documents through which both parties demonstrate GDPR accountability. The selection of a suitable data processor and the tailoring of the agreement to the specific situation should be part of the negotiation process.
A data processor must be well qualified to provide the data processing services. This means not only providing feature-rich services, but also having the technical and organizational measures (TOMs) needed to guarantee the required level of data protection and security. Because only the data controller can know the associated risks, and because the controller carries the accountability, the required level of TOMs should be negotiated mutually before entering into an agreement. If during the negotiations the data controller cannot gain certainty that the data processor can meet the needed assurances, these concerns should either be addressed in the DPA or a different data processor should be chosen.
Evaluation of the data processor should include a wider investigation into the capabilities of the organization. Does it have enough resources to handle extraordinary events, such as incidents? Is it reliable, and what is its overall reputation? If it has had previous incidents, what did it do to prevent recurrences? Such information is usually collected through questionnaires.
Depending on the structure of the agreement, clauses related to data sharing can be integrated into the main text or placed in a data processing addendum. In general, for the sake of readability, a separate addendum is usually preferred. The main requirements for the provisions are prescribed by the applicable data protection law, but the agreement should not merely repeat the relevant clauses. The DPA should include a meaningful determination of the responsibilities around the complete data processing, including all rights, accountabilities, and duties. An easy-to-understand description of the complete data processing flow is strongly advised to avoid any misunderstanding. Similarly, the individual data subject rights and requests, and the exact processes to be followed to fulfil them, should be included.
The clarification of the duties associated with the personal data in case of termination of the agreement is particularly significant. Data protection law prescribes the general duties for such scenarios, but the specific data formats and the burden of organizing eventual data transfers are not prescribed. These should be defined technically, as precisely as possible, in the agreement text, taking into account the complete data flow in which the data processor is integrated.
The final text should be the product of collaboration between multiple disciplines, including legal, business, and IT. This way the agreement will not just be boilerplate but an actual reference to return to in case of doubt. Through the process, the data controller also has a chance to grow and improve.