The Data Processing Agreement: An Essential Resource to Implement

Background

Since September 22, 2023, businesses in Québec have been required to adhere to new regulations regarding the protection of PI, with stricter oversight applied to certain exceptions. One of these is the exception to obtaining the consent of data subjects for the disclosure of their PI if this information is required for the purposes of a mandate or the performance of a contract of enterprise of for services. It is now required that a DPA, which includes the parameters determined by law, be established. Hence, Québec legislation stipulates the various requirements that Québec DPAs must include.

In practice, a DPA may be a separate contract or an appendix to a mandate, contract of enterprise or contract for services that requires PI to be processed. This is known as a Data Processing Addendum. For instance, the separate DPA might be used when a company has previously contracted with its payroll service provider or cloud data-hosting service, and the existing service contract does not fully cover the rules that apply to the protection of PI, while, an appendix would be used when entering into a new service agreement.

Requirements in Québec

The Act respecting the Protection of Personal Information in the Private Sector (ARPPIPS) requires that the mandate, contract of enterprise or contract for services be produced in writing and that it contains at least the following provisions:

• 1. The measures that the processor must take to ensure the confidentiality and protection of PI;
• 2. The PI must only be used for the fulfilment of the mandate, contract of enterprise or contract for services and may not be retained by the processor once the contract has expired or been rescinded;
• 3. The processor must notify the person in charge of the protection of PI (PCPPI) following any breach or attempted breach of confidentiality of the PI disclosed to the processor; and
• 4. The PCPPI must be able to carry out the necessary verification on the processor to ensure that it complies with the provisions of the DPA and protects the confidentiality of the PI.

It should be noted, however, that such a DPA is not required when the agent or party performing the contract of enterprise of for services is a public body or a member of a professional order. As an example, a DPA would not be required when you disclose PI directly to your lawyer or doctor so that he or she can provide professional services. Nor would it be required when you provide the Commission d’accès à l’information, a public body, with your contact details when you wish to lodge an application for a review of a right-of-access request to your PI.

Please note that a DPA is required for transferring PI outside Québec. In fact, prior to an out-of-province transfer of PI, companies – as required by the ARPPIPS – must carry out a Privacy Impact Assessment (PIA) that takes into account the security measures that have been implemented as required by the controller under the DPA. A DPA that provides an adequate framework for the rights and obligations of the processor will favour a PIA that is favourable to an out-of-province transfer.

Best Practices

While Québec law requires only the aforementioned items, best practices, inspired by the GDPR, call for improving DPA content so as to clearly outline each party’s roles and responsibilities.

Here are other provisions you may wish to add to your DPAs:

• Compliance with the law: each party should be accountable to the other for breaches of privacy laws.
• Access to PI: the DPA may specify which persons may have access to the PI and whether they must have received training regarding the confidentiality and protection of PI.
• Sub-processors: may the processor delegate the processing of PI to sub-processors, and if so, what would be the procedure for doing it?
• Right of the persons concerned: you may include the procedure that the processor must follow when persons concerned get in touch and express their wish to exercise one of their rights, such as their right of access or rectification.
• Processing sites and transfers outside Québec: detail the procedure that applies if the processor intending to transfer PI beyond Quebec’s borders and identify where the PI will be processed.

To Conclude

It is important to remember that DPAs are required as a means of benefiting from the exception to the rule: they allow PI to be disclosed without obtaining the consent of the persons concerned and only if the PI is necessary for the performance of a mandate or contract of enterprise of for services.

In order to do so, a written DPA must be in place between the controller (the customer: the person who has control over and responsibility for the PI) and the processor (the service provider: the person who will be processing the PI) as well as between the processor and its own processors (the subprocessors). At a minimum, the DPA must contain clauses indicating:

• The measures that the processor must take to protect the confidentiality of PI;
• PI is used only to fulfil the mandate or the contract of enterprise or for services; and
• That the processor notifies the controller in the event of a confidentiality incident or attempted incident and allows the controller to carry out audits.

While only the above are required under the ARPPIPS, it should be noted that a comprehensive DPA must take into account several other aspects and is unique to each business.

If you have any questions about DPAs or the protection of privacy and personal information, please feel free to contact our Privacy and Data Protection professionals, who will be happy to advise you.