Data Processing Agreements

Is a separate DPA document mandatory?

No, DPA clauses can be part of the main contract, but they must contain all points required by law. A separate document is often more convenient.

Who is liable for data security?

The primary liability lies with the Controller, but through a DPA, liability is shared, and the Processor becomes obligated to compensate damages if they violate instructions.

Can a Processor transfer data to another company?

Only with the prior written consent of the Controller. This must be stipulated in the DPA.

What happens after the contract ends?

The Processor is obliged to return all data to the Controller or delete it, as per the agreement.

Data Processing Agreements (DPA) and Compliance

In business relationships, it is common for one company (the Client/Controller) to transfer personal data to another (the Service Provider/Processor) in order to receive specific services. Examples include a bank hiring an IT company to maintain its servers, or a marketing agency processing a client's customer database. In legal terms, this is the relationship between a "Data Controller" and a "Data Processor." Georgia's new Law on Personal Data Protection strictly requires that such relationships be governed by a written contract (DPA) meeting specific standards. The absence of a DPA, or a poorly drafted one, puts both parties at risk of significant fines.

Our Data Processing Agreement drafting service ensures that the rights and obligations of the parties are clearly defined and compliant with the law. Our specialists offer:

  • Role Identification: Clearly defining who is the Controller and who is the Processor in a specific transaction (this is not always obvious, and errors lead to incorrect liability allocation).
  • Mandatory Clauses: Including legally required points in the agreement (purpose of processing, duration, categories of data, security measures).
  • Security Guarantees: Establishing the Processor's obligation to implement specific technical and organizational measures to protect data.
  • Sub-processing Regulation: Rules on whether the Processor has the right to hire other subcontractors and under what conditions.
  • Audit Rights: Defining the Controller's right to inspect the Processor's data protection status.
  • Data Deletion/Return: Procedures for what happens to the data after the service ends.

In practice, DPAs are often overlooked, and companies limit themselves to a standard "confidentiality clause" in the main contract. This is a gross error. The new law (Article 21) explicitly lists issues that must be in the DPA. For example, if the contract does not state that the Processor must assist the Controller in reporting an incident, and a leak actually occurs at the Processor's end, the Controller will fail to meet deadlines and be fined. Similarly, if a Processor uses a cloud in a third country without the Controller's permission, this is also a violation.

Legal regulation is based on the Law on Personal Data Protection. The law establishes that the Processor acts only on the instructions of the Controller. The DPA is the instrument that puts these "instructions" into a legitimate framework. Special attention is paid to the Processor's liability: if they exceed instructions and use data for their own purposes, they automatically become a Controller and bear full liability.

Collaboration with a lawyer involves auditing your business processes (to whom you transfer data), preparing a template DPA, or reviewing existing contracts. This service is essential for IT companies, HR agencies, accounting firms, and any business engaging in outsourcing.

Legal.ge gives you access to qualified lawyers who will help you establish the correct contractual relationships. A DPA is not a mere formality; it is a guarantee that your partner's mistake won't cost you dearly. Organize your contracts today with the help of our experts.
