India has become a significant hub for SaaS and cloud services, fostering a dynamic ecosystem of startups that offer specialized cloud solutions across diverse industry segments. When engaging with clients within the European Union jurisdiction (“EU”), it is essential for these companies to fully understand the General Data Protection Regulation framework (“GDPR”), its implications, and the responsibilities that arise when an Indian entity functions as a data processor.
Where an EU-based information technology company outsources data processing to an Indian service provider, the parties will ordinarily execute a Master Service Agreement for the commercial terms; in addition, Article 28(3) of the GDPR requires that the processing be governed by a binding contract, which in practice takes the form of a Data Processing Agreement (“DPA”).
This article highlights key provisions within the DPA to mitigate potential risks and address challenges specific to service providers operating out of India, ensuring compliance and reducing exposure to unforeseen liabilities.
GDPR Framework and the Necessity of a Data Processing Agreement (DPA)
Article 35 of the GDPR obliges the Data Controller (the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data, as defined in Article 4(7)) to carry out a Data Protection Impact Assessment (“DPIA”) where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. The assessment must be carried out before the processing begins and must take into account the nature, scope, context and purposes of the processing.
The Data Controller bears the responsibility to implement essential precautionary measures and steps to ensure strict adherence to the GDPR and the robust protection of processed personal data. Key considerations include:
(i) Due Diligence: Conduct comprehensive due diligence to evaluate the data processor's capacity to meet GDPR framework standards, including their technical and organizational data protection measures.
(ii) Data Processing Agreement: Establish a legally binding DPA as mandated by Article 28 of the GDPR. This agreement should clearly outline the nature, scope, purpose, duration, and rights and obligations of both parties involved in the processing activities.
(iii) Adequate Safeguards: Ensure that appropriate safeguards under Chapter V of the GDPR are in place for the transfer of personal data from the EU to India, which is a third country without an adequacy decision from the European Commission. The usual mechanisms are Standard Contractual Clauses (SCCs) or, for transfers within a multinational group, Binding Corporate Rules (BCRs), which allow entities of the same corporate group located in third countries to receive personal data.
(iv) Sub-processor Assessment: Verify if the Indian data processor intends to engage sub-processors and ensure that similar contractual safeguards are extended to them. The Data Controller should retain the right to approve or reject any proposed sub-processors.
(v) Compliance Monitoring: Implement a robust system of ongoing monitoring and regular audits to verify the data processor's continued compliance with GDPR requirements throughout the entire engagement.
(vi) Risk Assessment: Conduct a thorough risk assessment of the processing activities and mitigate the risks identified; where the processing meets the Article 35 threshold, this takes the form of the DPIA described above.
As per GDPR Article 28(3), a legally binding contract must be in place between the data controller and the data processor. The agreement must set out the following elements:
(i) Subject Matter and Duration of Processing: Specifies what the processing entails and how long it will last.
(ii) Nature and Purpose of Processing: Clarifies the type of data processing activities and their intended purpose.
(iii) Types of Personal Data and Categories of Data Subjects: Identifies the categories of personal data to be processed and the individuals to whom they relate.
(iv) Obligations and Rights of the Controller: Defines the responsibilities and entitlements of the data controller in relation to the processing activities.
Article 28(3) further requires the contract to impose specific obligations on the processor, including processing only on the controller's documented instructions, ensuring the confidentiality of authorized personnel, implementing the security measures required by Article 32, engaging sub-processors only with the controller's authorization, assisting the controller with data subject requests and with its own compliance obligations, deleting or returning the personal data at the end of the engagement, and making available the information needed to demonstrate compliance and to permit audits. The Processor and the Controller are therefore obliged to enter into a DPA. This requirement also ensures, under Article 28(1), that the Data Controller appoints only those data processors that provide sufficient guarantees to implement appropriate technical and organizational measures in compliance with the GDPR.
It is important to note that, where the processing meets the Article 35 threshold, the DPIA is a precursor to the DPA and is an obligation of the Data Controller.
Furthermore, if personal data of data subjects in the EU is to be processed outside the European Economic Area (EEA), the Data Controller is obligated to first conduct a Transfer Impact Assessment (TIA) and ensure that the transfer meets the conditions imposed by Chapter V of the GDPR. Note that the GDPR protects data subjects located in the EU regardless of their citizenship.
A TIA is required when personal data is transferred from the EEA to a third country that does not benefit from an adequacy decision by the European Commission and the transfer relies on Article 46 safeguards such as SCCs. The requirement follows from the CJEU's Schrems II judgment (C-311/18) and the EDPB's Recommendations 01/2020: the exporter must verify that the law and practice of the destination country do not undermine the safeguards relied upon, and adopt supplementary measures where they do. The TIA is part of ensuring that appropriate safeguards protect the data during international transfers, as required by Articles 44 to 49 of the GDPR.
Key Scenarios Requiring a TIA:
a) Use of Non-EEA Service Providers: When engaging data processors or service providers located outside the EEA.
b) Data Transfers for Business Operations: When transferring personal data to a parent company, subsidiary, or partner located in a third country without an adequacy decision.
c) Cloud Services and Hosting: Using cloud or data hosting services based in jurisdictions outside the EEA.
Key Obligations of the Data Controller as per the GDPR to be captured in the DPA
Given the obligations imposed on the Data Controller, it is essential for the Indian service provider to negotiate key terms with the Data Controller, including the following:
1. Representations and Warranties: It is crucial for the Data Controller to provide appropriate representations and warranties confirming that it has the authority to outsource the processing of personal data and has conducted, or will conduct, a suitable Data Protection Impact Assessment. The Data Controller should make the following representations and warranties:
Authority and Compliance: The Data Controller should represent and warrant that applicable EU laws do not prohibit, prevent or restrict it from outsourcing the processing of personal data, issuing instructions to the Data Processor, or fulfilling its obligations under the Data Processing Agreement.
Lawful Basis and Consents: The Data Controller should additionally represent and warrant that it will remain compliant with relevant EU laws, secure any necessary consents or provide required notices—particularly for special categories of personal data—and establish a lawful basis for disclosing personal data to the Data Processor for the intended processing.
Security Measures: It is the responsibility of the Data Controller to evaluate the requirements under applicable EU laws and determine the security measures to be implemented by the processor. Accordingly, the Data Controller must specify any required security measures to the processor. In this context, the Data Controller should provide an appropriate representation and warranty affirming that it has completed its assessment of the security measures and that the standards it has suggested or provided are comprehensive. Additionally, it is the Data Controller's duty to inform the Data Processor in advance of any changes required by law. Note that Article 32 imposes a security obligation directly on the processor as well, so the processor's own baseline technical and organizational measures should be documented in the DPA (typically as an annex) alongside any controller-specified requirements.
Transfer Impact Assessment: The Data Controller should also provide representations and warranties regarding the TIA, stating that: (i) there is a lawful basis for transferring personal data outside the EEA; (ii) a comprehensive Transfer Impact Assessment has been conducted to identify and evaluate the risks of transferring personal data to a third country, and those risks have been managed or mitigated; (iii) appropriate safeguards, such as Standard Contractual Clauses or Binding Corporate Rules, have been implemented to protect the transferred data; (iv) it has assessed the legal environment of the recipient country and confirmed that local laws do not compromise the safeguards established for data protection; (v) it will continuously monitor the legal and regulatory framework in the recipient country and promptly notify the Data Processor of any development that could affect data protection; (vi) it will inform the Data Processor of any change to the risk assessment or any newly identified risk that may affect the processing activities; (vii) only the minimum personal data necessary for the processing will be transferred, in line with the GDPR principle of data minimization; and (viii) the Transfer Impact Assessment will be reviewed and updated periodically or whenever significant changes occur in the processing activities or in the legal landscape of the third country. Note that under Clause 14 of the 2021 EU SCCs (Commission Implementing Decision (EU) 2021/914) both the data exporter and the data importer warrant that they have no reason to believe that the laws and practices of the destination country prevent the importer from fulfilling its obligations, so the Indian processor will typically be asked to contribute information on Indian law and government access requests to the controller's TIA.
A well-defined and robust framework of standard operating procedures within the DPA is essential for mitigating the risk of non-compliance by the Data Processor. This framework ensures that the Data Processor is fully aware of the compliance requirements and clearly outlines the operational coordination points, including scenarios where the burden of responsibility may appropriately shift to the Data Controller.
Conclusion
Negotiating a robust DPA is crucial for cloud service providers operating in India, especially when dealing with personal data under the stringent requirements of the GDPR. As the GDPR framework imposes significant responsibilities on both the data controller and data processor, a well-drafted DPA can serve as a critical tool in ensuring compliance, mitigating risks, and protecting data subjects' rights. It is essential for Indian service providers to be aware of their obligations, conduct due diligence, and establish clear terms that address data protection, security measures, and lawful data transfers. Furthermore, conducting assessments such as the DPIA and TIA remains pivotal for the data controller to secure the legitimacy of data processing and transfers. By proactively understanding and incorporating these obligations into agreements, Indian service providers can strengthen their GDPR compliance posture and foster trustworthy partnerships with EU-based clients, navigating the complexities of international data privacy with greater assurance.