惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The GitHub Blog
The GitHub Blog
云风的 BLOG
云风的 BLOG
T
Threatpost
WordPress大学
WordPress大学
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
PCI Perspectives
PCI Perspectives
T
The Exploit Database - CXSecurity.com
Y
Y Combinator Blog
雷峰网
雷峰网
爱范儿
爱范儿
The Hacker News
The Hacker News
Last Week in AI
Last Week in AI
Simon Willison's Weblog
Simon Willison's Weblog
T
Tor Project blog
S
Securelist
宝玉的分享
宝玉的分享
L
LangChain Blog
O
OpenAI News
AI
AI
P
Privacy International News Feed
L
LINUX DO - 最新话题
D
DataBreaches.Net
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Attack and Defense Labs
Attack and Defense Labs
罗磊的独立博客
M
MIT News - Artificial intelligence
Security Archives - TechRepublic
Security Archives - TechRepublic
月光博客
月光博客
博客园 - 【当耐特】
T
Tailwind CSS Blog
C
Cybersecurity and Infrastructure Security Agency CISA
H
Help Net Security
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园_首页
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Hacker News - Newest:
Hacker News - Newest: "LLM"
腾讯CDC
Jina AI
Jina AI
The Last Watchdog
The Last Watchdog
K
Kaspersky official blog
Webroot Blog
Webroot Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Blog — PlanetScale
Blog — PlanetScale
MyScale Blog
MyScale Blog
MongoDB | Blog
MongoDB | Blog
P
Proofpoint News Feed
Recorded Future
Recorded Future
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
博客园 - 三生石上(FineUI控件)
The Cloudflare Blog

Blog of Simple Analytics

The EU wants to kill cookie banners Google is tracking you (even when you use DuckDuckGo) German court rules Meta’s tracking tech violates GDPR Closing the data gap - Simple Analytics x Usercentrics The EU-US data deal may be dead in the water You are missing 20% of your website data with GA4 How a reverse trial will push Simple Analytics to the next level Google will start tracking all your devices (WTF?) Big Tech Fails EU’s Digital Services Act: Only Wikipedia Passes the Test Meta fined $102 million by the Irish Data Protection Commission Europeans spend 575 Million hours per year clicking cookie banners The most interesting GDPR fines GDPR and fines: all there is to know Google loses key antitrust case Web Analytics for Crypto Companies Web analytics for publishers Google pulls Uno Reverse card: Rolls back decision to kill third-party cookies Privacy Monthly July 2024 Privacy Perspectives June 2024 Privacy Monthly June APRA fumbles targeted advertising Privacy Monthly May Meta loses key privacy battle Google delays cookie phase-out once again Privacy Monthly April 2024 Web Analytics and Consent Cookies 101 Privacy Monthly March 2024 German authority cracks down on cookie banners Google Tag Manager vs Google Analytics Google search alternative Data retention in Google Analytics Guide to Google Analytics and Cookie consent What are Google Analytics' identifiers? How to export data from Google Analytics Privacy Monthly February 2024 The Criteo case: a big deal for Big Tech Privacy Monthy January 2024 What the Digital Markets Act means for privacy Google Settles in $5B Incognito Mode Lawsuit Legal troubles for Adobe Analytics Web analytics for nonprofits HIPAA and mental health Why Meta subscriptions are under attack, and why it matters for privacy Privacy Monthly: December Simple Analytics AI Host analytics on Cloudflare Zaraz Add Google Analytics to Convertkit Google Analytics Pricing - Paid vs Free Road to 1 Million ARR - October update CCPA and Data Protection: all there is to know Analytics without a cookie banner Enterprise Analytics Privacy Monthly: November 2023 Delete Act: all you need to know Mobile App Tracking Under Fire The road to 1 Million ARR - September Update Privacy Monthly: October 2023 HIPAA violations First challenge to the EU-US data transfer framework Direct Marketing under GDPR Road to 1 million ARR - August Update CCPA vs CPRA: what is new? Privacy Monthly: September 2023 A/B Testing with Simple Analytics Dobbs v. Jackson ruling is a privacy mess Privacy Monthly: August 2023 What are your rights under the CCPA? When does the CCPA apply? How does the HIPAA compare to the CCPA and GDPR? Why Meta is in a world of trouble CJEU: cookie-based analytics collects sensitive data Road to 1 million ARR - July update All about the new Data Transfer Framework Road to 1 Million ARR - June update What is PHI under HIPAA? Sweden declares Google Analytics illegal Searching for GA4 Alternatives? Top 10 Reliable Options for Google Analyticss Ultimate HIPAA Compliance Checklist: Essential Steps for Healthcare Providers Privacy Monthly: June 2023 More troubles for Google Analytics The path to 1M ARR - May Update Minimal Product Analytics Facebook data transfers declared illegal Is Google Analytics CCPA-compliant? Help us with your input Cookie banners: How to stay GDPR compliant? GDPR Compliance Checklist Privacy Monthly: May 2023 Simple Analytics: Privacy-first website analytics Improve your e-commerce performance with analytics European Facebook blackout is closer than we think Know your website’s Carbon Emissions - and how to reduce it The path to 1M ARR - April 2023 How to add video tracking using Google Tag Manager? How to track form submissions using Google Tag Manager? Why is my Simple Analytics data different from Google Analytics? Debug Simple Analytics script How to Import Google Analytics Data to Simple Analytics
Data Processing Agreements
Iron Brands · 2023-06-01 · via Blog of Simple Analytics

Data processors play a vital role in the digital economy. All organizations rely on data processors in one way or another: emails, cloud services, and electronic payments would be entirely impossible without them.

In this article, we will explain exactly what a data processor and a data processing agreement are and what a data processing agreement needs to cover.

  1. What are controllers and processors?
  2. What is a data processing agreement?
  3. Why do you need a data processing agreement?
  4. Once I sign a DPA, can I disclose the data?
  5. Is my data disclosure GDPR compliant?
  6. Am I exempt from liability after signing a DPA?
  7. Conclusions

The UK Government chose Simple AnalyticsJoin them

Let’s dive in!

What are controllers and processors?

“Data controller” and “data processor” are very important notions in the GDPR and privacy law. In fact, somewhat similar notions exist in many privacy laws other than the GDPR, such as The California Online Privacy Protection Act of 2003 (CalOPPA) and similar agreements

Under the GDPR, a controller decides what personal data are processed, how they are processed, and for what purpose. In other words, it calls the shots. On the other hand, a processor handles the data on behalf of the controller and under its instructions. It is also possible for a processor to process data on behalf of another processor, which is called a sub-processor.

For instance, most web analytics services only use visitor data to give their customers insights. In such a scenario, the customer is a controller because they decide which data to collect and analyze and for what purpose. On the other hand, the analytics provider is a processor. The analytics provider often relies on sub-processors for data storage, content delivery, and such.

This sounds simple enough, but it really isn’t. There is a fair bit of a gray area between controllership and processorship, which makes some scenarios tricky to classify.

To make things more complicated, joint controllership is also possible under the GDPR. Joint controllership occurs when two or more controllers process the same data while pursuing their own goals. Joint controllers agree on how some responsibilities will be shared but do not take instructions from one another.

Here’s an example. Say a corporation decides to rely on the services of an AI firm to help with market research based on personal data from customers. The AI firm uses the data for two distinct purposes: market research and training its AI model to further improve its performance. In this case, the two businesses are joint controllers, as they both play a role in the processing while pursuing their own goals.

Google Analytics is another example. Google’s role in providing the service depends on the settings chosen by the customer (that is, the owner of the website that uses Google Analytics). If the data sharing setting is disabled, Google acts as a data processor and only uses the data collected by Google Analytics to provide the customer with analytics.

On the other hand, if data sharing is enabled by the customer, Google also uses the data to improve other services in the Google ecosystem. In that case, Google decides what to do with the data and is a joint controller along with the customer.

Two more things need to be noted. First, the notions of controller and processor only make sense when referring to personal data. You cannot be a controller or processor of non-personal data because the GDPR does not apply to such data.

Second, controller and processor are substantive notions. In other words, they entirely depend on what you do with the data instead of what you call yourself in your DPA, terms of service, and such. If you act like a controller, courts will treat you like a controller regardless of what your legal paperwork says.

What is a data processing agreement?

The GDPR only allows reliance on a processor when a contract regulates certain aspects of data processing. This contract is called a data processing agreement or DPA (not to be confused with data protection authorities, which are also shortened to DPAs).

A valid DPA needs to include certain stipulations. The processor:

  • must follow the controller’s instructions and may not process data for its own purposes
  • must process the data in a secure way
  • needs to ensure that all the staff involved in the processing are under an obligation of confidentiality
  • when possible, must assist the controller in responding to requests under the GDPR (such as access or erasure requests)
  • must erase or return personal data as soon as the service ends
  • must help the controller with certain obligations under the GDPR, including notifying data breaches and carrying out data processing impact assessments (DPIAs)
  • must be available for auditing from the controller.

A DPA is also needed when a processor engages a sub-processor. In this case, the processor needs written authorization from the controller, and the DPA with the sub-processor must preserve all the data protection obligations included in the original DPA with the controller. In other words, privacy protections cannot be diluted down the line.

That’s a lot to remember, but don’t worry: you probably won’t need to write any of this yourself. Companies acting as processors as a core part of their business typically have standard customer DPAs.

That being said, if you have a general idea of what should be in a DPA, you can skim through one and ensure everything is in place (and, of course, you can always check Article 28(3) GDPR to refresh your memory).

Why do you need a data processing agreement?

That’s all well and good, but why does the GDPR require a DPA?

Well, controllers have obligations under the GDPR. They must process data lawfully, fairly, and transparently, ensure security, respond to access requests, notify data breaches, and so on. All of these duties aim to ensure certain standards for data protection.

DPAs protect these standards when a data processor or sub-processor gets involved. They play an important role in privacy because the value chains of data processing can be quite long and complex.

In a nutshell, DPAs are not just annoying legal paperwork: they protect your data.

Additionally, a well-written DPA is helpful to the parties themselves because they can refer to it to know exactly how the data processing responsibilities are shared between them.

Once I sign a DPA, can I disclose the data?

Under the GDPR, all processing of personal data needs to respect certain rules. This also goes for disclosing personal data to a processor. So signing a DPA does not guarantee you can legally disclose the data.

For instance, you must have a legal basis for processing the data (we discussed the topic here), provide transparent information, ensure that you are relying on the right safeguards for any data transfers outside the EU, and respect the principle of data minimization (that is, only take the data you really need and handle it in the least invasive way possible).

These are only some of the criteria which, together, determine whether a disclosure of personal data is allowed under the GDPR. If you are the data controller, ensuring compliance is your responsibility. Signing a DPIA does not automatically mean that your disclosure of personal data checks all the boxes- you need to look at things from a broader perspective.

As we said, a valid DPIA is only one of many checkboxes. So what are the others?

A checklist would be of little use here. Most rules that apply to data disclosures are general rules that apply to any processing of personal data- whether that means collecting, storing, or even erasing them. That makes for a really long list because it’s nearly the entire GDPR we are talking about,

If you want to ensure the data disclosures to your processor is GDPR compliant, it is better to start from the basics instead. [Article 5 GDPR](https://gdprhub.eu/Article_5_GDPR#:~:text=Article%205(1)(d,have%20major%20effects%20on%20them.) lists all the core principles of the GDPR. The article is far more valuable than any compliance checklist we could develop because it offers a glimpse into the meaning of the GDPR.

With some understanding of the general principles, you can look at your data disclosure and start asking yourself the right questions. For instance:

  • Do I really need to disclose the data to a processor?
  • Am I only disclosing the data my processor really needs to do its job?
  • Will my processor erase the data after a reasonable time?
  • Do I know what makes the disclosure lawful? If someone asked me, would I be able to explain?

Don’t forget to also look at the disclosure from the perspective of the data subjects- that is, the people the data refer to. Your data subjects could be your customers, website visitors, or someone else who has no relationship with you at all-, for instance, the people whose personal data you are using to train an AI model.

(By the way, AIs raise very serious privacy issues. If you are training an AI model on personal data, please get privacy professionals involved from the design stage!)

Data subjects have a right to information. Did you take steps to inform the data subjects that your processor is involved? Did you provide this information in a clear and accessible way?

Data subjects can also exercise specific rights under the GDPR. For instance, they can require the controller to correct or erase their personal data or provide them access to it.

What happens if a data subject exercises one of these rights? Can you comply with the request independently, or does your processor need to get involved? Is your processor really able and willing to help you out with such requests, regardless of what your DPA says?

These are some of the questions you should ask yourself when you look at the issue from the data subject’s perspective. It is easy to focus on your organization's position and lose sight of the whole picture. But there are people behind the data, and you must put yourself in their shoes to comply with privacy law.

Am I exempt from liability after signing a DPA?

No. Signing a DPA does not make you exempt from liability. This is why relying on trusted and GDPR-compliant processors is crucial.

This does not mean that you will necessarily be held liable if something goes wrong. But under the GDPR, there is a sort of presumption that if something goes wrong privacy-wise, the controller is at fault. You can avoid liability by proving that you are not responsible for the incident, but the burden of proof is entirely on you, which is risky.

This is why large organizations thoroughly assess the compliance of their processors and document the assessment. This documented assessment is called a vendor risk assessment and serves two purposes. First, it allows the controller to ensure that the processor is reliable. Second, if something goes wrong, a well-written vendor risk assessment can help the controller prove that it did its compliance homework.

Most small businesses lack the resources and expertise to conduct vendor risk assessments. However, they can still benefit from researching their processors and ensuring they have a good reputation for compliance.

Conclusions

Privacy is not about ticking boxes off a compliance checklist. It’s about understanding the reasons behind the rules and caring about the people behind the data.

At Simple Analytics care about privacy. And unlike other companies, we really mean it. Privacy is the cornerstone of Simple Analytics rather than mere coat paint. We built our software to provide organizations with all the insights they need to optimize their websites and campaigns without using visitors' personal data. If this sounds good to you, feel free to give us a try!