If you own a business that operates in the European Union, you may have heard about the General Data Protection Regulation (GDPR), the EU’s new data protection law that took effect on May 25, 2018. The GDPR requires companies to be transparent about how they collect, process, and store personal data, and to ensure that individuals have control over their own data.
One important aspect of the GDPR is the requirement for companies to have a Data Processing Agreement (DPA) in place with any third-party service providers that process personal data on their behalf. The agreement ensures that companies are fulfilling their obligations under the GDPR, and that they have a legal framework in place that protects the personal data of individuals.
The Data Processing Agreement establishes a legal relationship between the data controller (the company that collects personal data from individuals) and the data processor (the third-party service provider that processes the data on behalf of the data controller). It outlines the responsibilities of each party, including the data processor’s obligation to comply with the GDPR’s requirements for data processing, as well as any additional security measures that may be required.
One key aspect of the Data Processing Agreement is the governing law. This refers to the laws that will apply to any disputes that arise between the data controller and the data processor with regard to the processing of personal data. The governing law is an important consideration, as it determines which legal jurisdiction will have authority over any dispute.
For companies located in the EU, it is generally recommended that the governing law be the law of the member state in which the data controller is located. This ensures that any disputes can be resolved in a local court, which can be more convenient and cost-effective for both parties.
However, for companies located outside the EU, the governing law may be more complicated. The GDPR requires that companies have an EU representative if they are processing personal data of EU residents, and this representative must be located in an EU member state. In this case, it may be necessary to choose the governing law of the member state where the representative is located.
It’s important for companies to consult with legal experts to ensure that their Data Processing Agreement is in compliance with the GDPR’s requirements, including the governing law. By doing so, companies can protect themselves from potential legal disputes, and ensure that they are fulfilling their obligations under the GDPR to protect the personal data of individuals.