Data Processing Agreements

Article 28 of the GDPR requires that when a controller uses a processor, a contract (a Data Processing Agreement, or DPA) must be in place that sets out the terms listed in Article 28(3). This applies to any service that processes personal data on your behalf, including Emily Helps.

Data Controller

Definition: The entity that determines the purposes and means of processing personal data.

Role: Makes decisions about:

  • What data to collect
  • Why to collect it
  • How to use it
  • Who to share it with
  • How long to keep it

Your Role: When using Emily Helps, your parish or diocese is typically the data controller.

Responsibilities:

  • Determine legal basis for processing
  • Provide privacy notices
  • Respond to data subject requests
  • Ensure processors comply with GDPR
  • Conduct DPIAs when required
  • Report breaches to supervisory authority

Data Processor

Definition: The entity that processes personal data on behalf of the controller.

Role: Processes data according to the controller’s documented instructions.

Emily Helps Role: Emily Helps acts as a data processor, processing your parish data according to your instructions.

Responsibilities:

  • Process only on documented instructions
  • Ensure staff confidentiality
  • Implement appropriate security measures
  • Engage sub-processors only with approval
  • Assist with data subject rights
  • Assist with security and breach obligations
  • Delete or return data at end of contract
  • Maintain records of processing
  • Cooperate with supervisory authorities

Sub-Processor

Definition: A processor engaged by another processor to carry out specific processing activities.

Example: Emily Helps uses hosting providers (like Hetzner) as sub-processors.

Requirements:

  • Must have controller’s authorization
  • Subject to same obligations as main processor
  • Main processor remains liable to controller

A compliant DPA must include the following terms (Article 28(3)):

Processing details:

  • Subject matter and duration of the processing (the contract term)
  • Nature and purpose of the processing
  • Types of personal data involved
  • Categories of data subjects
  • Context of the processing

Documented instructions:

  • Processor acts only on the controller’s documented instructions
  • Process for giving instructions
  • What the processor must do if an instruction appears unlawful (inform the controller)
  • Controller’s right to request additional information

Confidentiality:

  • Processor ensures staff are bound by confidentiality
  • Staff training on data protection
  • Confidentiality obligations survive contract termination

Security measures:

  • Technical and organizational security measures
  • Appropriate to the risk
  • Regularly reviewed and updated
  • Aligned with Article 32 requirements

See: Data Security Measures

Sub-processors:

  • Controller’s authorization for sub-processors (specific or general)
  • Notification requirements for new sub-processors
  • Opportunity for the controller to object
  • Processor remains liable for its sub-processors
  • Same data protection obligations flow down in writing

Data subject rights:

  • Processor assists the controller in responding to:
    • Subject access requests
    • Rectification requests
    • Erasure requests
    • Restriction requests
    • Data portability requests
    • Objections to processing

See: Data Subject Rights

Assistance to the controller:

  • Assist with security obligations (Article 32)
  • Assist with breach notification
  • Assist with DPIAs
  • Assist with prior consultations with the supervisory authority

Deletion or return of data:

  • At end of contract, delete or return all personal data, at the controller’s choice
  • Including existing copies
  • Unless EU or member state law requires retention
  • Provide certification of deletion

Audit and compliance:

  • Make available all information needed to demonstrate compliance
  • Allow and contribute to audits and inspections
  • Conducted by the controller or an auditor mandated by the controller

International transfers:

  • If data is transferred to third countries, specify the safeguards
  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions
  • Other approved mechanisms

Emily Helps provides a DPA covering all terms required by Article 28(3). It is:

  • Incorporated into the terms of service
  • Accepted at account setup
  • Available in your account dashboard
  • Updated periodically (with notification)

Key terms of the Emily Helps DPA:

Subject Matter:

  • Parish management system
  • Sacramental record keeping
  • Event and volunteer management
  • Communications management
  • Financial record keeping

Duration:

  • Duration of service agreement
  • Plus data retention period specified

Controller Instructions:

  • Your use of the system constitutes instructions
  • System configuration determines processing
  • Support requests may include specific instructions
  • Procedure for flagging instructions that appear unlawful

Security:

  • See detailed security measures in Data Security
  • ISO/IEC 27001 aligned
  • Regular security assessments
  • Continuous monitoring

Sub-Processors:

  • List of current sub-processors available
  • 30-day notice of new sub-processors
  • Right to object to new sub-processors
  • Alternative solutions if objection raised

Current Sub-Processors:

  • Hetzner (Germany) - Infrastructure hosting
  • [Other sub-processors listed in service agreement]

Breach Notification:

  • Notification without undue delay
  • All information required to assess and respond
  • Assistance with investigation and remediation

Data Subject Rights:

  • Self-service tools for data access and export
  • Deletion workflows
  • Rectification capabilities
  • Support team assistance available

Data Return/Deletion:

  • 30-day data retention after termination
  • Export tools available during notice period
  • Certified deletion after retention period
  • Exception for legal retention requirements

Audit Rights:

  • Annual compliance reports provided
  • Third-party audit summaries available
  • On-site audits (with reasonable notice and conditions)
  • Remote audits via documentation review

The DPA is incorporated into your service agreement:

  1. Review DPA during account setup
  2. Accept terms electronically
  3. Copy provided in account dashboard
  4. Updated version notification via email

When you share personal data with another organization that determines its own purposes for processing, that organization is also a controller (controller-to-controller sharing).

Not a DPA: A DPA is not required for controller-to-controller sharing.

What You Need instead:

  • Legal basis for the disclosure
  • Privacy notice mentioning the sharing
  • Possibly consent from individuals
  • Agreement on respective responsibilities
  • Understanding of their processing purposes

Examples:

  • Sharing data with diocese for canonical purposes
  • Reporting safeguarding concerns to authorities
  • Sharing with other parishes for inter-parish activities
  • Tax authorities for gift aid purposes

If two organizations jointly determine the purposes and means of processing, they are joint controllers (Article 26):

Requirements:

  • Joint controller agreement
  • Transparent allocation of responsibilities
  • Respect for data subject rights
  • Independent liability under GDPR

Example: Two parishes organizing joint programs

Your Responsibilities as Controller:

  1. Determine Lawful Basis

    • Identify legal basis for each processing activity
    • Document your legal basis decisions
    • Communicate legal basis in privacy notices
  2. Provide Privacy Information

    • Create and maintain privacy policy
    • Provide privacy notices at data collection
    • Include required information about Emily Helps as processor
  3. Configure System Appropriately

    • Set appropriate retention periods
    • Configure security settings
    • Enable necessary features only
    • Manage user access properly
  4. Manage User Access

    • Grant appropriate permissions
    • Regular access reviews
    • Disable accounts when no longer needed
    • Monitor for unauthorized access
  5. Respond to Data Subject Requests

    • Use Emily Helps tools to facilitate requests
    • Verify identity of requestors
    • Meet response deadlines (one month, extendable by two further months for complex requests)
    • Document request handling
  6. Report Breaches

    • Investigate suspected breaches
    • Report qualifying breaches to supervisory authority
    • Notify affected individuals when required
    • Notify Emily Helps of any breaches
  7. Review Sub-Processors

    • Review Emily Helps sub-processor list
    • Exercise objection right if concerned
    • Document approval decisions
  8. Maintain Records

    • Records of processing activities
    • DPIAs for high-risk processing
    • Compliance documentation
    • Training records

If you use other processors (not through Emily Helps):

  1. Assess the Processor

    • Evaluate their security measures
    • Check compliance credentials
    • Review their DPA
    • Assess reputation and reliability
  2. Negotiate DPA

    • Ensure all Article 28(3) terms included
    • Clarify scope and limitations
    • Define security requirements
    • Establish breach notification procedures
    • Include audit rights
  3. Document Authorization

    • Record decision to use processor
    • Document why processor was chosen
    • Keep signed DPA on file
    • Maintain list of all processors
  4. Monitor Compliance

    • Regular reviews
    • Request compliance reports
    • Exercise audit rights
    • Monitor for security incidents
    • Review sub-processor changes
  5. Manage Changes

    • Approve new sub-processors
    • Review contract updates
    • Assess impact of changes
    • Update your records

Issue: Liability Limitations

Problem: Some processors try to exclude or limit their liability

GDPR Position: Processors have direct obligations and direct liability under GDPR (Articles 82 and 83)

Solution:

  • Insist on appropriate liability terms
  • Check processor has adequate insurance
  • Consider this in risk assessment
  • May need indemnity provisions

Issue: Standard Terms Don’t Include GDPR Requirements

Problem: Existing contracts pre-date GDPR or are not GDPR-compliant

Solution:

  • Request GDPR-compliant DPA addendum
  • Don’t rely on inadequate terms
  • Review and update before renewal
  • May need to switch processors if they won’t comply

Issue: Controller or Processor?

Problem: Confusion about who is the controller and who is the processor

Solution:

  • Analyze who determines purposes and means
  • Document the relationship clearly
  • If both are controllers: joint controller agreement
  • If doubt: seek legal advice

Issue: Undisclosed Sub-Processors

Problem: Processor won’t disclose its sub-processors

Solution:

  • Insist on disclosure: Article 28(2) requires your prior written authorization (specific or general) and notice of any changes
  • The current list must be available to you
  • You have the right to object to new sub-processors
  • This is not negotiable under GDPR

Issue: Sub-Processors Outside the EU/EEA

Problem: Processor uses sub-processors outside the EU/EEA

Solution:

  • Ensure appropriate safeguards in place
  • Standard Contractual Clauses (SCCs)
  • Check for adequacy decisions
  • Additional measures may be needed
  • Document transfer mechanisms

Transfers outside the EU/EEA require one of the following mechanisms (Chapter V):

Option 1: Adequacy Decision

The EU Commission has determined that the third country ensures an adequate level of protection.

Examples: UK (post-Brexit), Switzerland, Japan, etc.

Option 2: Standard Contractual Clauses (SCCs)

Use contract clauses approved by the EU Commission

Current Version: SCCs adopted June 2021

Requirements:

  • Implement approved SCCs
  • Conduct transfer impact assessment
  • Implement supplementary measures if needed
  • Document compliance

Option 3: Binding Corporate Rules (BCRs)

Approved internal policies for transfers within a multinational organization

Option 4: Derogations (Article 49)

Specific situations permitting a transfer (limited use):

  • Explicit consent
  • Necessary for contract performance
  • Important public interest
  • Legal claims
  • Vital interests

Emily Helps International Transfers:

Primary Processing:

  • Hosted in Germany (Hetzner, Nuremberg)
  • No transfer outside EU/EEA for primary hosting

Sub-Processors:

  • List of any sub-processors outside EU/EEA
  • Safeguards implemented (SCCs, adequacy decisions)
  • Regular review of transfer mechanisms

Support:

  • Support staff may be located outside EU/EEA
  • Limited access for support purposes only
  • Subject to strict access controls and SCCs
DPA Review Checklist:

  • All Article 28(3) terms included
  • Security measures appropriate to risk
  • Sub-processor terms adequate
  • Breach notification terms clear
  • Data return/deletion terms satisfactory
  • Audit rights included
  • Liability terms fair
  • International transfer safeguards (if applicable)
  • Signed and dated
  • Both parties have copies
  • Regular review schedule established
When to Review:

  • Before signing new processor agreements
  • Annually for existing agreements
  • When processor proposes changes
  • When your processing changes significantly
  • After security incidents
  • When GDPR guidance updates
  • Before contract renewal

Watch for:

  • Processor won’t share sub-processor list
  • No security measures specified
  • Processor claims no GDPR obligations
  • No breach notification terms
  • Can’t audit or verify compliance
  • Unclear data deletion procedures
  • Unlimited data retention
  • Inadequate transfer safeguards
Best Practices:

  1. Don’t Skip the DPA: Every processor relationship needs one
  2. Read Before Signing: Don’t just accept standard terms
  3. Maintain a Register: Track all your processor relationships
  4. Review Sub-Processors: Know who actually processes your data
  5. Test Data Return: Make sure you can actually get your data back
  6. Monitor Compliance: Don’t just sign and forget
  7. Plan for Termination: Know what happens to data at contract end
  8. Document Everything: Keep records of all processor assessments
  9. Update Regularly: Review when circumstances change
  10. Get Legal Advice: For complex or high-risk processing
Templates and Forms:

  • DPA checklist
  • Processor assessment form
  • Sub-processor approval form
  • Records of processor relationships
Emily Helps DPA:

  • Available in account dashboard
  • Terms of service section
  • Contact support for questions
  • Legal team available for clarification
External Resources:

  • ICO Guide to Contracts and Liabilities
  • EDPB Guidelines on Processors
  • Standard Contractual Clauses (2021)
  • Article 29 Working Party Opinion on Processors

Last updated: October 2025