Data Processing Agreement
Australia
Canada
European union
India
Israel
Japan
Singapore
Switzerland
United Kingdom
For Customers who entered in the Data Processing Agreement on or before October 25, this version of the Data Processing Agreement applies. For other use cases, this version has been deprecated as of October 26, 2022.
Data Processing Agreements FAQs
A Data Processing Agreement (DPA) is a contract between a data controller and a data processor that governs the processing of personal information.
In the most general sense (and bearing in mind that this terminology may vary depending on the jurisdiction and subject matter involved):
- A “Controller” is an entity that determines the purpose and means of the processing of personal information.
- A “Processor” is an entity that processes personal information on behalf of a controller.
- “Processing” refers to almost anything that a processor can do with personal information.
- “Personal Information” is any information that can be linked to an identified or identifiable individual (this individual is sometimes referred to as the “Data Subject”).
It depends on the jurisdictions and types of data involved.
In many jurisdictions (e.g., the European Union under the GDPR), parties are legally required to execute a DPA--or a similar contractual arrangement-- if one party will process personal information on behalf of the other party. In the United States, whether a DPA is legally required depends on many factors (including, for instance, the sectors and states involved) and is often unclear.
It depends on where eligible employees reside.
Generally:
- If there are no eligible employees who are residents of non-U.S. jurisdictions, Carrot will not require a DPA.
- If there are eligible employees who are residents of the European Economic Area (EEA), then we will require a DPA.
We have also compiled a list of country-specific “schedules” that may be attached to the DPA, depending on which non-U.S. jurisdictions are involved. One common and well-known example involves the transfer of personal data from the European Economic Area (EEA) to the United States. To comply with the GDPR, the customer and Carrot must sign Standard Contractual Clauses (SCCs) Module 2 before such a transfer can take place.
A Sub-processor is an entity that processes personal information on behalf of a data processor. If a data processor engages a Sub-processor, it needs to have a DPA (or similar contractual mechanism) in place with that Sub-processor (e.g., a “Sub-processor Agreement”).
A current list of Carrot’s Sub-processors is available here.
DPAs between controllers and processors ensure they both understand their obligations, responsibilities, and liabilities.
DPAs also help them comply with various regulations, such as the GPDR, and help demonstrate compliance to regulators and individuals.
The answer varies depending on the jurisdiction and subject matter involved, but there are certain elements that should always be included in a DPA:
First, DPAs must define:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the types of personal information and categories of data subjects; and
- the controller’s obligations and rights.
Second, DPAs must also include specific terms or clauses regarding:
- processing only on the controller’s documented instructions;
- the duty of confidence;
- appropriate security measures;
- using sub-processors;
- data subjects’ rights;
- assisting the controller;
- end-of-contract provisions; and
- audits and inspections.
The ideas of data ownership and confidentiality are specific to Carrot’s standard contracting process, which, because of the sensitive nature of the services Carrot and our partners provide, is designed to be very pro-user. As a result, we cover a lot of ground related to data (such as restrictions on use and obligations in the event of a security incident) in the service agreements we enter into with customers.
When we have reviewed customers' DPAs, we often find that these contain provisions that overlap with what the service agreement already contains. We also find that other DPAs describe ownership in ways that conflict with how the service agreement outlines them, which makes the documents difficult to read together. Our DPA is already tailored both to the coverage of our MSA and to the specifics of data ownership, as they apply to us.
It is common for the same entity to be considered a controller in one context and a processor in another context. This is the case for Carrot.
Under the GDPR:
- A "data controller" is an entity that determines the purpose and means of the processing of personal data.
- A "data processor" is an entity that processes personal data on behalf of a data controller.
In the context of the DPA, Carrot is acting as a processor because it is processing personal data on behalf of a controller (i.e. the customer). The customer sends Carrot an Employee Eligibility File ("means") for the "purpose" of confirming which employees are eligible for the Service. Carrot then processes this data on behalf of the customer and in accordance with the customer's instructions (i.e., to confirm eligibility).
In the context of the Privacy Notice, on the other hand, Carrot acts as the controller when members (i.e, employees whose eligibility has been confirmed) sign up directly for the Service through the Platform. Here, Carrot determines the purpose (i.e, providing the Service) and the means (i.e, collecting personal data from members through the Platform) of processing personal data. The Privacy Notice governs the relationship between Carrot (the controller) and individual members (the data subjects).