The WFA and the Dutch Advertisers Association (BVA) have partnered with Digital Decisions to create a Data Processing Agreement (DPA) template for advertisers, according to a press release.
The goal is to protect brands from signing DPA documents – created to comply with GDPR rules – that are one-sided and leave advertisers exposed to unfair risk. As with the Media Contract originally designed by the UK advertiser association ISBA, the idea is that a template document will be adaptable to the needs of individual brands, while also alerting them to key areas of risk.
The Data Processing Agreement (DPA) is a mandatory contract addendum to an existing service agreement between data controllers – the brand – and data processors – including media agencies, platforms and others – required by GDPR.
These agreements set out obligations for both parties, in addition to a well-defined scope of data processing activities, such as audience insertion from an advertiser DMP to an agency owned/operated DSP, or the email-based custom audience features that Facebook offers. As advertisers are responsible and liable in case of non-compliance in their role as data controller, each DPA needs to be carefully considered and adopted within the existing legal framework.
The new template has been created by the WFA, BVA and Digital Decisions, and can be used by advertisers to assess their current DPAs, or as a framework for a new agreement with data processor partners. These partners could include independent and network media agencies, direct platform partners such as Facebook and Google, but also direct technology partners such as Ad Servers, DMPs and DSPs.
The agreement is designed from a data controller perspective and is a response to advertiser concerns that some DPAs are written more from the perspective of a data processor.
The DPA template does not purport to offer legal advice, as there is no single contract that is ‘approved’ by the European Commission or Data Protection Authorities across the community.
However, advertisers can use it to better understand what they need to include in their DPAs and to more effectively assess their current agreements.
Key areas that most brands will want to address include:
- Processor obligations and process timelines, for example in case of a data breach
- The approval process for sub-processors engaged by the data processor partners
- The audit rights, and the sub-processor coverage in particular
- The liability of the data processor partners in case of non-compliance
“With advertisers increasingly entering into direct contractual relationships with more and more partners to ensure they retain control of their data and direct relationship with consumers, the role of the Data Processing Agreement will become even more critical both strategically and to ensure they do not risk the reputational damage that could occur if they fail to comply with the requirements of GDPR. This template will give brands guidance to ensure they have the right level of transparency and control in their relationship,” said Stephan Loerke, CEO of WFA.
“In the last couple of months, it became more and more clear that from an advertiser perspective, generic Data Processing Agreements don’t cover all controllers’ issues. This is why we have taken the initiative to create a specific DPA template together with Digital Decisions and the WFA. We recommend advertisers to internally check their current (and future) DPAs to this template to know what’s in their best interest to include in their DPAs,” said Frenkel Denie, Chairman, BVA.
“We have aimed for this advertiser-centric Data Processing Agreement template to be a useful and practical tool to advertisers globally. Many advertisers are feeling insecure about the right way to work towards GDPR compliance, and managing their partnerships is a key part of this. We are pleased to have worked together with two incredibly strong associations that provide valuable and actionable input to their members and the wider industry,” added Ruben Schreurs, CEO, Digital Decisions.
Moreover, a working paper on controller and processor definitions has been prepared by the members of the IAB Europe GDPR Implementation Group under the leadership of Alan Chapell, of Chapell & Associates. The purpose of this paper is to help companies in the online advertising ecosystem understand the definitions of controllers and processors under the GDPR, and to provide some criteria to help them understand what their respective role is in relation to their partners.
This is the fifth in a series of working papers published by IAB Europe’s GDPR Implementation Group. IAB Europe’s GDPR Implementation Group brings together leading experts from across the digital advertising industry to discuss the European Union’s new data protection law, share best practices, and agree on common interpretations and industry positioning on the most important issues for the digital advertising sector. The GDPR Implementation Working Group is a member-driven forum for discussion and thought leadership; its important contribution to the digital advertising industry’s GDPR compliance efforts is only possible thanks to the work and leadership of its many participating members.
The working paper can be read and downloaded from here.