
“Data Processing Agreements-Fundamental Purpose and Professional Drafting Tips”

Blog By

Ms. Damaris Wambua

Data Protection Associate

South-End Tech Limited

Date: 7th June, 2024

In today’s digital age, data has become a precious resource, much like gold was during the gold rush era. Data must therefore be safeguarded from inappropriate use of any form, including phishing, cyberattacks, or personal data being peddled by the organizations that handle it. It is paramount that the processing of personal data is done with the interests of the data subject at the heart of it.

How should individuals or institutions that handle data engage one another? It should be done by way of a written contract. The legal basis for this is contained in Section 30 and Section 42(2) of the Kenyan Data Protection Act and Article 6 of the GDPR.

A contract is an agreement between two or more people to perform a service. It outlines the rights and obligations of the parties involved. Contracts are usually legally binding documents between individuals and/or organizations, and in case of any breach, the party at fault can be taken to court to enforce the contract.

In data protection and privacy, there is a need to have data protection agreements binding the data controller and the data processor. This agreement stipulates how personal data will be collected, processed and used. These privacy agreements are required by law and are also known as data protection agreements (DPAs).

It is important to note that a Data Processing Agreement can either be a stand-alone document or, if a contract is already in place, a clause in that contract providing for how data is going to be processed during the delivery of services; alternatively, the existing contract can be amended to provide for the same.

Section 24 of the Data Protection (General) Regulations provides what the contract should contain.

Some of the things mentioned include the processing details:

  1. who the data subject is
  2. the duration of the processing
  3. the nature and purpose of the processing
  4. the type of personal data being processed
  5. the categories of data subjects
  6. the obligations and rights of the data controller.

The data controller should state the scope of work for the data processor in the agreement, and any person acting under or employed by the controller or processor shall take the relevant security measures to protect personal data.

If or when the data processor contracts a third party, the data processor is required to obtain a commitment of confidentiality from the third party who will handle any personal data. This helps to protect the information disclosed to them.

The data processor is expected to have appropriate security measures in place. The processor should use both technical and organizational safeguards to protect the information provided to them. Technical safeguards are the practical software and system measures taken, such as having firewalls in place, encryption of data, and pseudonymisation, while organizational safeguards include having policies, contracts and training in place for the staff of the organization handling the data.

Once the data processor has completed its use of the data, the data subject’s data must be permanently discarded or returned upon the lapse of the agreement, depending on the decision of the data controller. This reflects the data protection principle of storage limitation and should be complied with.

The data controller may conduct an audit or inspect the processes and measures used by the data processor. Provisions for this should be among the clauses in the data processing agreement, as they are essential.

The fundamental purposes of drafting a Data Protection Agreement are:

  1. Minimizing risks from unauthorized access
  2. Having a data protection framework and legal recourse upon breach of any kind
  3. Ensuring compliance with the data protection laws
  4. Ensuring protection of individuals’ rights
  5. Safeguarding the confidentiality of data subjects

Data processing agreements are vital for organizations handling data but are often overlooked by many institutions due to a lack of awareness, the complexity involved in drafting and negotiating the agreement, cost implications of hiring legal professionals, assumption of trust or just mere ignorance of legal requirements. The primary legal risk of not having a DPA executed is the possibility of processors and third parties misusing the data subject’s information.

When a breach is discovered, the burden usually falls upon either the data controller or the data processor, depending on who is handling the personal data. One of the best-practice compliance measures for data handlers to protect themselves and their clients is therefore to have data processing agreements in place.

In conclusion, data processing agreements, or contractual provisions for processing data, are crucial, and ignorance of that obligation on the part of individuals and institutions handling personal data is not a defence in case of any breach.

Do not hesitate to contact us on any matter touching on Data Protection and Cybersecurity using the contact details below:

Phone: +254115867309; +254721864169; +254740196519

Email: damaris.wambua@southendtech.co.ke; dataprotection@southendtech.co.ke; info@southendtech.co.ke
