Data Processing Agreements

What is a Sub-processor and why does it matter?

A Sub-processor is another company hired by your vendor (e.g., a server provider). It matters because your data ends up with them, requiring control mechanisms.

Can I forbid a vendor from hiring subcontractors?

Yes, you can stipulate in the DPA that hiring subcontractors is allowed only with your prior written consent.

Is an IT outsourcer liable for data loss?

If data is lost due to the outsourcer's fault (e.g., they failed to make backups), they are obliged to compensate damages, provided this is correctly drafted in the DPA.

Do I need a DPA with a freelancer?

Yes, if the freelancer has access to personal data (e.g., accountant, HR consultant), signing a DPA with them is mandatory.

Reading Time

3 min

Published

...

Data Processing Agreements (DPA) for Outsourcing and Sub-processing

Modern business models often rely on outsourcing—where a company (Data Controller) transfers certain functions to third parties (Data Processors). This could be a call center, IT support, cloud service, or payroll management. In this relationship, defining who is responsible for data security is critical. A Data Processing Agreement (DPA) is the tool that allocates risks and responsibilities. The situation becomes particularly complex when the provider hires other subcontractors (Sub-processors). Failure to comply with legislation in this chain means the client remains fully liable even for the subcontractor's errors.

This service focuses on drafting DPAs for specific, complex relationships. Our experts offer:

  • Outsourcing Risk Analysis: Defining data security requirements based on the specific service (e.g., Cloud Hosting).
  • Sub-processing Control: Embedding mechanisms in the contract that give the client the right to approve or reject new subcontractors.
  • Liability Limits: Drafting indemnification clauses so that in case of a data leak by the provider, the client can seek full compensation for damages.
  • Legal Reflection of Technical Specs: Mandating specific security standards (e.g., ISO 27001, Encryption) in DPA annexes.
  • International Transfer Regulation: Integrating Standard Contractual Clauses (SCC) into the DPA if the outsourcer is located abroad.

Practical example: A Georgian bank uses a marketing agency, which in turn uses a foreign email blast platform. If this chain is not regulated by a DPA, the bank is violating the law because its client data is transferred to a third party (the platform) without permission. A proper DPA obliges the marketing agency to take responsibility for the subcontractor and ensure the same level of protection. Another example is IT outsourcing, where an administrator has access to all data. The DPA must prohibit copying or using data for purposes other than testing.

The Georgian Law on Personal Data Protection establishes that the Processor is obliged to protect data security, but the Controller (client) is obliged to ensure the provider is trustworthy. The DPA is the documentary proof of this "assurance." The right to audit, which must be in the DPA, allows the client to verify the provider in reality.

Working with a lawyer involves negotiations with counterparties. Often, large tech companies (Microsoft, Google) offer standard DPAs that are hard to modify. A lawyer helps you understand what you are signing and how to manage residual risks. With smaller vendors, a lawyer will draft a strict DPA maximizing your protection.

Legal.ge is your partner in legally securing your digital supply chain. Do not rely on verbal agreements when data is involved. Sign a professional DPA with the help of our experts.

Updated: ...
