In order to delegate the processing of personal data to a processor the controller has to conclude a Data Processing Agreement (DPA) with the respective processor. More and more of these DPAs can now be concluded online by simply ticking a box, no signature required.
However, such online DPAs raise a number of legal questions: Is the form required by the General Data Protection Regulation (GDPR) adhered to? Does there have to be a proactive declaration of consent by the parties? What other legal issues arise? How can Standard Contractual Clauses (SCCs) be included in these DPAs? In this article, we will provide you with answers to these questions and show you what online DPAs should look like.
Is a proactive declaration of consent required when concluding (online) DPAs?
DPAs are contracts concluded between data controllers and external service providers (data processors) that process personal data for the controller. Since DPAs are regular contracts, the requirements of (national) contract law must be complied with in order for them to be effective.
Some specifics on the content and form of DPAs can also be found in the GDPR (Art. 28). According to Article 28 (9) GDPR DPAs should be concluded, “in writing, including the electronic form”. This wording leaves some room for interpretation. The words “electronic form” do not indicate whether a proactive declaration of consent by the parties is required. As the GDPR is silent upon this point, one must examine (national) contract law for guidance. If the GDPR were to contain any deviating, and thus overriding, provisions in this respect one would not be able to fall back upon (national) contract law.
Under most (national) contract laws, the contracting parties must actively agree to a contract for it to be valid. Merely seeing or taking note of the DPA is unlikely to be sufficient to conclude it. A proactive declaration of consent is therefore likely needed for DPAs in most EU Member States.
What form is required for DPAs under the GDPR?
What remains unclear is what is actually meant by “electronic form” within the meaning of Art. 28 (9) GDPR.
As the matter is expressly governed by the GDPR the requirement that a DPA be in writing, including the electronic form, must be interpreted without recourse to national laws. This also aids in a uniform application throughout Europe.
This means it is not restricted to being an electronic contract to be signed, but may also be a webpage which provides for the simple tick of a box. Both these scenarios qualify as being electronic and written in terms of European law.
Is a signature required for DPAs, and if so, what kind?
Some argue that the electronic form referred to in Article 28 (9) GDPR must have the same evidential value as a written document that includes original, handwritten signatures. Accordingly, it is argued that even electronic DPAs must be signed, and only the use of a qualified electronic signature can fulfil this requirement for electronic DPAs. A qualified electronic signature is an advanced electronic signature as defined in European legislation (eIDAS Art. 3). It is, “created by a qualified electronic signature creation device, (…) which is based on a qualified certificate for electronic signatures” (eIDAS Art. 3(12)). It is equivalent in evidential value to a handwritten signature, but requires many hoops to be jumped through before becoming operational. A list of providers is provided by the European Commission here.
The prevailing opinion understands Art. 28 (9) GDPR to mean that DPAs can also be concluded without an electronic, qualified electronic, or handwritten signature. The main argument in favour of this view is based upon the purpose of the provision. In order to be able to take advantage of online services, and in particular cloud computing where commissioned processing is very often used, it should be possible to conclude these contracts electronically without any signatures. It is argued that there are no increased requirements for evidential purposes, so that the contract can also be concluded by e-mail, or by filling out forms and clicking on prepared declarations.
A balanced approach between both extremes suggests that the declarations of consent to a DPA have to be provided in a durable format or for download (e.g. a PDF file). The supporters of this balanced view base it upon case law, which stated that a simple e-mail or HTML page was not sufficient in connection with electronically submitted revocation notices. Instead, these had to be provided in a durable format or be made available for download.
Even though these cases are only comparable to a certain extent, it is advisable to provide the declarations of consent to the DPA in a durable format to the recipient. This increases the ability to prove that the DPA is in force and can prevent subsequent manipulation.
In order to avoid difficulties in demonstrating that the contract is in force, the European Data Protection Board (EDPB) has recommended (page 31) ensuring that the necessary signatures are included in a DPA, “in line with applicable law”. Thereby indicating that it is up to national law to determine whether a signature is necessary and, if so, what kind of signature.
A practical approach could be to provide for, at least, electronic signaturesHowever, in this context the question arises as to how provable it is that an electronic signature was actually inserted by the person who is authorised to conclude the DPA, e.g. the CEO of the company. Electronic signatures are usually scans of the original signature or signatures that are created digitally. Both can be copied easily and therefore also be used by unauthorised persons. Therefore, these digital signatures have limited evidential value in court.
Ultimately, including original or qualified electronic signatures is the most reliable way to ensure that the contract has been concluded by the authorized individuals, and to be able to prove that the DPA is in force.
If you decide to use electronic signatures or simple tick boxes to conclude a DPA, you should keep in mind that this involves a certain risk in terms of proving that the contract is in force. Contracts signed by persons unauthorized to do so are invalid.
What form is required for the DPA if Standard Contractual Clauses are used or included?
According to Art. 28 (7) GDPR the EU Commission may “lay down standard contractual clauses” for such DPAs. The EU Commission laid down such standard contractual clauses on the 4 June 2021 and termed them “Standard contractual clauses for controllers and processors in the EU/EEA”. These clauses provide a standardized template for DPAs in the EU/EEA, setting out the rights and obligations of the respective parties to DPAs and, if used correctly, are intended to ensure GDPR compliance.
The EU Commission also laid down another set of standard contractual clauses on the 4 June 2021: the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679. These SCCs may be used to facilitate third country transfers unlike the Standard contractual clauses for controllers and processors in the EU/EEA.
Confusingly enough these new SCCS for third country transfers may also either be used as a DPA (they meet all requirements stipulated in Art. 28 GDPR), or be incorporated into a DPA. When you use either of the SCCs, you enter into a regular contract, which must be concluded in accordance with (national) contract law in order to be effective. In this context, the question arises again as to the form in which either of the SCCs can be concluded and, in particular, whether a physical form and/or original signatures are required.
Relevant data protection law does not regulate the form of either of the new SCCs. However, Annex I of both of the new SCCs, in which the contracting parties should be listed, explicitly provides for a signature. Whether it is mandatory and if it has to be handwritten or electronic is unclear from the SCC’s text. In a recently published Q&A regarding the new SCCs the EU Commission has now clarified that it deems signatures necessary for the conclusion of SCCs, but that the formal requirements regarding signatures are intentionally left unresolved in the SCCs. Signatures are therefore required for both types of SCCs, regardless of whether these are to be used as a DPA or just to facilitate a data transfer. According to the Commission the formal requirements for such signatures (i.e., if these have to be handwritten or not) are governed by national contract law (Number 6 Q&A).
If including either of the new SCCs in a DPA, or using either of the new SCCs as a DPA, a practical, cautious approach is to always include original signatures or qualified electronic signatures. These would meet the requirements of most, if not all, national contract laws in the EU. This is also advisable to ensure that you are able to prove that the contract is in force.
If you want to use only electronic signatures it is essential to check whether this is permissible under the relevant national contract law. A mere tick of a box may not be sufficient in the relevant Member State.
Is it sufficient to provide a link to the SCCs to include them into a DPA?
Many companies decided to incorporate the SCCs for third country transfers by reference in their DPAs, instead of attaching the extensive text of the SCCs to the agreements. This approach has been confirmed as acceptable by the EU Commission in its Q&A (Number 8).
However, a number of clauses of the new SCCs for third country transfers require choices to be made by the parties. The contracting parties must ensure that they actually make the choices the SCCs require them to make when including the SCCs only by reference.
Furthermore, the contracting parties must ensure that the information required by the annexes to the SCCs for third country transfers is included in the respective DPA. This can, for example, be done by adding annexes to the DPA that specify the categories of personal data to be processed and transferred, processing purposes, retention periods, technical and organizational measures and so on, as required to be set out in the annexes of the SCCs for third country transfers. Moreover, the contact information of the contracting parties, including their addresses, must also be included.
Lastly, the signature requirement above must also be taken cognizance of and the guidance of the EU Commission in its Q&A regarding changes to the SCCs or contradictions to them (Number 8).
Conclusion: Online DPAs are permissible under the GDPR
Ultimately, is it permissible under the GDPR to conclude DPAs (without SCCs) online. Hereby, Art. 28 (9) GDPR does not require you to include original signatures or qualified electronic signatures. However, you should ensure that the electronic contract has at least a certain evidential value. Therefore, you should at least use a durable format (like a PDF) when concluding DPAs online, which then can be submitted or downloaded. Moreover, the controller’s address as well as the date of conclusion should be included in an online DPA.
Irrespective of the requirements of Art. 28 (9) GDPR, we would advise you to include original signatures or qualified electronic signatures when concluding DPAs. This enables you to prove that the contract has been concluded by an authorised person, and that the DPA is in force.
If either of the SCCs are used as a DPA or are included in a DPA, you must include signatures. Here, we would also advise you to use handwritten or qualified electronic signatures, as these are accepted under most, if not all, national contract laws of the EU and EEA. If you wish to use electronic signatures instead, it is important to make sure that this is permissible under the relevant national contract law.