Should a data processing agreement be entered into with an external DPO?
Due to the numerous different legal interpretations, I would like to request clarification from the Personal Data Protection Office’s website on the following issue: when entering into a contract with an external data protection officer, should the data processing agreement set forth in Article 28 of the GDPR be used?
The performance of the DPO's tasks by a person who is not a controller's employee should be on the basis of a service contract that is not a data processing agreement.
Article 37(6) of the GDPR explicitly indicates that the DPO may perform his or her tasks on the basis of a service contract, i.e. he/she does not have to be an employee of the controller. It is therefore permissible to outsource this function, with the subject of the contract with the officer not being the controller’s tasks, but the tasks indicated in Article 39(1) of the GDPR.
A service contract to perform the tasks of the DPO will not be a data processing agreement. The necessity to conclude a data processing agreement exists when the controller uses another, external entity to carry out its tasks related to data processing. In other words, the entrustment of processing should take place in cases where the controller, who is operating in a specific field, has a need to use external specialists whose services will be of an auxiliary, often technical nature, supporting the main activity of the controller. The processor is obliged to comply with the instructions provided by the controller at least with regard to the purpose of processing and the essential means of the processing. We identify the most common examples of services provided under the data processing agreement model in the Guidance and Explanation of the obligation under Article 30(1) and (2) of the GDPR as:
- storing the client's (controller’s) data, understood as making available to the ordering party a certain space in the processor's infrastructure for storing data, which the ordering party (controller) manages itself and decides what data it stores there - e.g., backing up electronic data;
- making available to the client (controller) computing power of processors, operational and storage space or other services for the installation and operation of processing services that the ordering party fully manages - providing IT infrastructure;
- providing the client (controller) with a specific software platform (e.g., a web server with appropriate software for running its own website);
- performing on the client’s (ordering party's) order specific services in the field of hardware, software configuration, including security of the servers, other computer equipment and software provided to him or her - management and maintenance services;
- performing on the client’s (ordering party's) order programming services, including software updates due to amendments of the legislation or client’s requirements - programming services, etc.
- self storage of tax, accounting, staff and medical records;
- maintenance of tax, accounting, staff records;
- archiving of electronic data;
- scanning and digitising of data;
- destruction of information media.
Other examples of cases justifying the use of the data processing agreement can be found, for example, in the answer to the question: “Can Shared Services Centres (SSCs) appoint one Data Protection Officer (DPO) for all serviced units?” Does the provision of colocation services imply the need for a data processing agreement? (the Polish DPA’s Newsletter for DPOs Issue 3 (March 2020, page 5).
On the other hand, the subject of the service contract referred to in Article 37(6) of the GDPR should be the tasks indicated in Article 39(1) of the GDPR, carried out under the conditions set forth in the provisions of that act, in a manner that guarantees the officer’s independence. Among other things, the controller and processor are required to ensure that the officer does not receive instructions regarding the performance of his or her tasks (Article 38(4) GDPR).
Access to the personal data necessary for the (external) DPO to perform his or her tasks is provided by law. Article 38(2) of the GDPR stipulates that the controller and the processor shall support the DPO in the performance of his or her tasks referred to in Article 39 by providing him or her with, among other things, access to personal data and processing operations. In the context of access to data, it should be emphasised that paragraph 5 of the aforementioned Article obliges the DPO to maintain secrecy or confidentiality as to the performance of his or her tasks - in accordance with Union or Member State law.
In the context of the issue presented, it is worth remembering that the possibility for the person with whom the service contract is concluded to perform tasks other than those specified in the GDPR is limited by the prohibition of conflict of interests in this regard (Article 38(6) of the GDPR).
It is also worth mentioning that the Article 29 Working Party in its Guidelines on Data Protection Officers (WP 243) emphasizes that when the function of the DPO is performed by a person from outside the controller's organisation - given that the DPO is in charge of a variety of tasks - the controller or the processor must ensure that a single DPO, with the help of a team if necessary, can perform these efficiently despite being designated for several public authorities and bodies (p. 10 of the Guidelines). In response to the question „Can public entities designate a single DPO outside the situation regulated by Article 37(3) of the GDPR?” we explain that the use of the solution set forth in Article 37(3) of the GDPR requires a careful analysis of whether the designated person will be able to properly fulfill all of his or her tasks in relations to each data controller. In doing so, one should be aware that many of the tasks of officers under the GDPR require an ongoing commitment to the controller who designated the officer, as well as the so-called "effective availability" of the officer to individuals within the organisation.