Webinar Summary: Data Processing & Data Sharing Agreements

Host: Office of the Data Protection Commissioner (ODPC), Kenya
Co-organizer: Data Privacy and Governance Society of Kenya (DPGSK)
Facilitator: Mr. Mina Miano, Senior Data Protection Officer, ODPC Mombasa Regional Office
Moderator: Maria & Mugambi Laibuta (Chair, DPGSK)


1. Introduction & ODPC Mandate

  • The ODPC was established under the Data Protection Act (2019) to regulate the processing of personal data and protect the privacy of individuals.
  • Its core functions include ensuring compliance, reviewing Data Protection Impact Assessments (DPIAs), registering data controllers/processors, handling data breaches, and investigating complaints.

2. Foundational Principles

  • All processing activities, including sharing, must be grounded in the lawful bases for processing (consent, contract, legal obligation, etc.) as per the Act.
  • The principles of data protection (Section 25 of the Act) are paramount: lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity & confidentiality, and accountability.
  • Data Protection by Design and by Default (Section 41) must be integrated into all processing operations.

3. Key Definitions

  • Data Subject: A natural, living person who can be identified by the data (e.g., a customer, patient, student).
  • Data Controller: The entity that determines the “why” and “how” of processing personal data (e.g., a bank, hospital, school).
  • Data Processor: An entity that processes data on behalf of the controller (e.g., a cloud storage provider, a payroll company).

4. Data Processing Agreement (DPA)

A legally binding contract required under Regulation 24 when a controller engages a processor.

Purpose: To ensure the processor acts only on the documented instructions of the controller, maintaining security and accountability.

Key Elements Must Include:

  • Processing Details: Subject matter, duration, nature, purpose, types of data, and categories of data subjects.
  • Confidentiality: A duty of confidentiality imposed on the processor and anyone it authorizes.
  • Security Safeguards: Technical and organizational measures to ensure data security.
  • Sub-processing: Rules for engaging another processor (subcontractor) only with the controller’s prior authorization.
  • Data Subject Rights: Mechanisms to assist the controller in fulfilling data subject rights requests.
  • End-of-Contract Procedures: Clear instructions for returning or securely deleting/disposing of data after the contract ends.
  • Audit & Inspection Rights: The controller’s right to audit and inspect the processor’s compliance with the agreement.

5. Data Sharing Agreement (DSA)

A legally binding document governing the exchange of data between two or more independent parties (e.g., controller-to-controller), each with their own purpose for the data. Guided by the ODPC’s Data Sharing Code.

Purpose: To define roles, set the purpose for sharing, establish standards, and build trust by demonstrating privacy-friendly practices.

Key Elements Must Include:

  • The Parties: Clear identification of all entities involved in the sharing.
  • Purpose & Lawful Basis: The specific reason for sharing and the lawful basis justifying it.
  • Data Categories: The types of personal data being shared.
  • Data Subject Rights: How both parties will enable and respect data subject rights.
  • Processing & Security Details: How the data will be processed, transmitted, stored, and secured.
  • Retention & Deletion: How long the recipient will retain the data and procedures for secure deletion upon termination.
  • Data Stewardship: Clarification that ownership is not transferred; roles and responsibilities for data security are defined.
  • Liability & Indemnification: Clauses addressing liability for breaches arising from the sharing.

6. Key Differences Between a DPA and a DSA

| Feature | Data Processing Agreement (DPA) | Data Sharing Agreement (DSA) |
| --- | --- | --- |
| Relationship | Controller → Processor | Controller ↔ Controller (or other independent parties) |
| Purpose | Processor acts on behalf of the controller. | Each party has its own independent purpose for the data. |
| Accountability | Controller remains primarily accountable. | Both parties are independently accountable for their own processing. |
| Ownership | Controller retains ownership of the data. | Ownership is not transferred; stewardship is defined. |
| Audit Rights | Controller has the right to audit the processor. | Typically no mutual audit rights, as purposes are independent. |

7. ODPC Oversight & Enforcement

  • The ODPC has the power to audit for compliance, investigate complaints from data subjects, issue enforcement notices, and impose administrative fines for non-compliance.
  • Complaints can be lodged via the ODPC website or offices, with investigations targeted for completion within 90 days.

8. Key Practical Considerations & Q&A Highlights

  • Separate Agreements: Both DPAs and DSAs should be separate, fully-fledged documents or annexes—not just confidentiality clauses within a main commercial contract.
  • Cross-Border Transfers: Transferring data overseas (e.g., to cloud servers) must meet conditions in Section 48 (adequacy decision, appropriate safeguards, consent, necessity). The ODPC has not yet published its own approved Standard Contractual Clauses (SCCs).
  • Right to Data Portability: This right allows data subjects to request their data in a machine-readable format to transfer to another controller. It does not negate the requirement for a proper DSA when sharing between organizations.
  • Enforcement with Large Corporations: The Data Protection Act applies to all processing concerning Kenyans. Contracts should be reviewed to align with Kenyan law, and the ODPC can aid in compliance enforcement. The data localization principle also encourages local presence for international entities.
  • Sector Examples: A hospital using a cloud service for patient records needs a DPA. A hospital sharing patient data with a medical research institute for a study needs a DSA (likely based on research purposes).

9. Conclusion & Contact

  • These agreements are critical for legal compliance, managing liability, and building trust.
  • For further guidance, contact the ODPC Compliance Directorate: compliance@odpc.go.ke
