Hello! One of the first questions, welcome to Watercooler! And no, a data processing agreement does not need to be a standalone document, it can for example be included in a service agreement. The important thing is that the right matters are covered and agreed upon.
No, it doesn’t but it helps if it is, simply because you may have differing terms for different clients, or things may change in the DPA. The last thing you want is for a legal team to have to start red lining your MSA all over again just because of a change to the DPA.
I agree that the DPA is better as a stand-alone agreement, not least in order to ensure terms regarding issues such as termination and liability are not contradictory in different parts of overall agreement. A comprehensive DPA may also include significant amounts of detail regarding the data being processed and for what purpose and also have to append SCCs or other matters.
We tend to send both the DPA and main contract over at the same time for electronic signature.
The key to the DPA (Data Protection Addendum) is it is just that to a contract; an addendum. It enhances and adds specific in depth detail to the specific interaction with the client that it is written for, and so should be quite different to other clients DPA’s and indeed the standard terms and clauses that will form the rest of the “standard applicable to all” legal documents which are the “bones” of the contractual interaction.
Think of the DPA it as the meat on the bones with regards to the Data Protection part of the contract with the juicy bits.
Being separate allows for it to be easily reviewed at any stage of the engagement without affecting the “bones” agreements if it is required to be so.
It does not need to be a standalone document. It can be part of Main agreement, but it has to have all necessary GDPR requirements. Creating a checklist which can be used to see does that Main agreement has all requirements if template from third party is used is helpful to business, you or anyone who is reviewing that agreement.
Egil Bergenlind
Hello! One of the first questions, welcome to Watercooler! And no, a data processing agreement does not need to be a standalone document, it can for example be included in a service agreement. The important thing is that the right matters are covered and agreed upon.
Best, Egil
Tash
No, it doesn’t but it helps if it is, simply because you may have differing terms for different clients, or things may change in the DPA. The last thing you want is for a legal team to have to start red lining your MSA all over again just because of a change to the DPA.
Chris Roberts
Agreed, If you don’t have to re-engage Legal then that’s usually a very good thing.
HellenB
I agree that the DPA is better as a stand-alone agreement, not least in order to ensure terms regarding issues such as termination and liability are not contradictory in different parts of overall agreement. A comprehensive DPA may also include significant amounts of detail regarding the data being processed and for what purpose and also have to append SCCs or other matters.
We tend to send both the DPA and main contract over at the same time for electronic signature.
Dave_Wylie
As indicated by Tash, it is better it is sperate.
The key to the DPA (Data Protection Addendum) is it is just that to a contract; an addendum. It enhances and adds specific in depth detail to the specific interaction with the client that it is written for, and so should be quite different to other clients DPA’s and indeed the standard terms and clauses that will form the rest of the “standard applicable to all” legal documents which are the “bones” of the contractual interaction.
Think of the DPA it as the meat on the bones with regards to the Data Protection part of the contract with the juicy bits.
Being separate allows for it to be easily reviewed at any stage of the engagement without affecting the “bones” agreements if it is required to be so.
Serif Zjakic
It does not need to be a standalone document. It can be part of Main agreement, but it has to have all necessary GDPR requirements. Creating a checklist which can be used to see does that Main agreement has all requirements if template from third party is used is helpful to business, you or anyone who is reviewing that agreement.