Data Processing Agreements under the LGPD

Data Processing Agreements (DPAs) are an important tool that help companies to regulate the processing of personal data entrusted to external entities like vendors, suppliers, business partners. They are usually signed in the context of services provided by third-parties on behalf and under the instructions of the data controller.

The Brazilian Data Protection Law (LGPD) mandates that controllers provide clear instructions to data processors with regard to the processing of personal data. Signing a DPA is the best alternative to achieve this purpose as it regulates – in a structured way, especially in case of large corporate groups – all the obligations and rights related to data protection. Moreover, this instrument also enables the controller to better protect itself in the event of a breach of contractual or legal obligations by the external provider while processing personal data on its behalf.  

The main purpose of these agreements is therefore to enable the data controller to provide the processor with the most precise instructions on the purposes and means on how the personal data should be processed.

The main points that are addressed in DPAs

• A careful description of the personal data processing activities carried out by the processor. Therefore, the following must be defined first : Description of the processing activity performed, its purpose, as well as the categories of personal data and data subjects involved. Likewise, it is essential to clearly state any transfers of personal data beyond national territories and the presence of any sub-processors involved in the processing.
   
• A precise and descriptive list of the technical and organizational security measures that the processor is obliged to ensure in order to protect the controller's personal data.
   
• It is also crucial to precisely define the obligations to which the data processor is bound. In addition to the general obligation to act in accordance with the LGPD, this also includes the confidentiality obligation towards employees, the obligation to collaborate with the controller in the event of a data breach, and the support and documentation to respond to specific requests from Data Protection Authorities or data subjects.

DPAs help companies to establish procedures ensuring the compliance with data protection laws, also in line with the accountability obligation imposed by the LGPD on controllers and processors (Both the data controller and the data processor must be able at all times to demonstrate the adoption of effective measures and compliance with data protection rules, including the effectiveness of these measures).

At FIRST PRIVACY we assist with the preparation of DPAs considering the legal requirements and the strategic needs of the business. We support your company in different stages, from the analysis of the service, to the drafting of the document and the assessment of the adequacy of the security measures guaranteed by third-parties.