Frequently asked questions about the data processing agreement
Why do I need a data processing agreement (DPA)?
A DPA (abbreviation for data processing agreement) is legally required by Article 28 GDPR (General Data Protection Regulation) when an organization has personal data processed “on behalf” by another organization. Processing on behalf within the meaning of the GDPR exists if one party “determines the means and purposes of the processing” and the contractor only does with the data what the client wishes.
Ultimately, this means everything that a traditional company would have done internally, but today hands over to service providers (outsourcing). In other words, services such as hosting, administration and maintenance, mail-order printing services (lettershop), accounting, and a wide range of services that are now available as software-as-a-service (SaaS) offerings.
The provision of the OpenProject Cloud services as a SaaS solution is a classic order processing. OpenProject has therefore automatically included its DPA in the contractual relationship with its customers via the general Terms of Service (there in Section C § 8), so that a DPA contract is concluded in any case and no additional steps are necessary for this.
Can the contracting parties decide whether to conclude a DPA?
No, in every constellation that is a commissioned processing within the meaning of the GDPR, therefore such a contract must be concluded pursuant to article 28 of the GDPR. This obligation applies to the client as well as to the contractor.
Typically, contractors provide a contract because they are better able to describe the subject matter of the contract and appropriately describe the data security measures. OpenProject provides its customers by default with a DPA, which automatically becomes part of the contract via section C § 8 of the Terms of Service. Thus, no further steps are required for completion.
Does a DPA have to be signed or in be paper form?
No, a DPA contract only has to be available in text form. A handwritten signature or an equivalent electronic signature in accordance with the relevant signature regulations is not required.
It is important that the text of the DPA is included in the conclusion of the contract by the parties. A DPA does not have to be a stand-alone contract between the parties; it can be integrated into the service contract between the parties via the general Terms of Service, as it is done for OpenProject.
What does a DPA have to contain?
A DPA comprises a collection of legal agreements that are largely prescribed by Article 28 of the GDPR. In order to simplify the conclusion of standard DPA, the EU Commission has provided a Standard contract. OpenProject does work with the EU standard DPA. This simplifies the review of the contract content for OpenProject customers.
These standard agreements require attachments with specific details of the contractual relationship. OpenProject states the description of the subject matter of the contract at the end of its DPA. The description includes the type of data processing, the categories of data and the categories of data subjects.
The required compilation of sub-processors is available as a stand-alone overview. The overview also states the purposes for what the sub-processors are used and whether their involvement results in a so-called third country transfer.
Another appendix describes the Technical and Organizational Data Security Measures (TOMs) that are to be agreed upon to guarantee data protection and data security.
What applies in case of a change of sub-processors?
OpenProject is generally allowed to change sub-processors according to clause 7.7 of the DPA.
If a new sub-processor is to be added or to replace a previous one, OpenProject must inform the client of this in advance. The integration of a new sub-processor is considered approved if a client does not object within two weeks after the corresponding information.
What applies when changes are made to the TOMs?
OpenProject may modify the TOMs (Technical and Organizational Data Security Measures) without consulting with the customer if the changes do not negatively affect the integrity, confidentiality and availability of the processed data.
Changes that may affect the integrity, confidentiality or availability of the personal data processed by OpenProject must be coordinated with the clients in advance. For this purpose, the reservation of Right to Make Amendments in Section A § 9 of the Terms of Service shall apply.
Do church institutions have to conclude a specific DPA?
No, church institutions can enter into standard agreements with organizations that are not as themselves subject to church data protection law, to conclude their standard DPA in accordance with the GDPR.
Organizations that are subject to the Data Protection Act of the Church of Germany (DSG-EKD), however, must require in accordance with § Section 30 (5) sentence 3 DSG-EKD a declaration from the contractors that they are subject to the data protection supervision by the church. OpenProject has included such a declaration of submission in Part C § 8 of its Terms of Service, so that Protestant institutions do not need to request an additional declaration from OpenProject. The collaboration can start immediately.
For Catholic institutions, Section 29 (9) of the Church Data Protection Act (KDG) stipulates that a DPA must be in writing, in the sense of §§ 126 ff. BGB (German Civil Code). In other words: for use by Catholic institutions, the agreement must be signed by hand or via appropriately qualified electronic signatures. Catholic institutions are asked to contact the OpenProject support for this purpose.
Do professional secrecy carriers have to conclude special DPAs?
Professional secrecy holders are persons and institutions that fall under the special confidentiality obligations pursuant to § 203 StGB (German Criminal Code). These are, for example, doctors, lawyers, tax advisors and some other professions and types of law mentioned types of counseling centers on sensitive topics such as abortion or addiction help.
Professional confidentiality officers may be liable to prosecution if they unlawfully disclose information from the lives of persons seeking help. This may include even the statement that a person has made contact with a professional secrecy holder.
Professional secrecy holders can also make use of SaaS service providers as so-called contributors. As far as this concerns data processing on behalf of a third party, a standard DPA is sufficient - if you only look at the GDPR. However, via Section 203 (4) sentence 2 of the German Criminal Code (StGB), the professional secrecy providers are obliged to explicitly oblige their contributors - i. e., also their SaaS service providers - to be punishable under Section 203 (4) sentence 1 of the German Criminal Code (StGB). If a professional secrecy provider does not oblige its service providers to comply with Section 203 of the German Criminal Code (StGB), it may be liable to prosecution for this omission alone.
OpenProject assures this for the professional secrecy holders among its customers via the Terms of Service. OpenProject has committed its employees to the liability according to § 203 StGB.
When do I not need a DPA?
As soon as the service provider or business partner has its own interests in the processing of the data, there is no data processing. Accordingly, it is not necessary to conclude a DPA in these cases.
All consulting professions have such interests of their own, as they use the data to form their own picture of the situation and make their own assessments. This applies, for example, to lawyers, tax advisors, doctors, architects, but but also management consultants, design and marketing consultants.
Another restrictive criterion for data processing is that the processing of personal data must not only be a secondary ancillary service. A typical example: cleaners who empty wastebaskets regularly process data within the meaning of the GDPR - but this is purely an ancillary service, because the cleaners should not care what is written on the papers.
Likewise, no DPA is required if the data processing falls under telecommunications law or banking law. Telephone providers and banks process personal data as a main service and, with regard to the exact contents actually also not in their own interest - but as regulated industries, they are obligated to comply with certain obligations to provide evidence that justify their own interest in data processing.
A DPA does not have to be concluded if both parties have their own interests in the processing of personal data of third parties. In such cases, however, the conclusion of an agreement on shared responsibility pursuant to Article 26 GDPR may be required.
When does the DPA end?
The DPA is a legal prerequisite for the use of SaaS services. Accordingly, the term of the DPA corresponds to the term of the service contract and is linked to its termination rights.