The world’s top brands are scrabbling to ensure they are not forced into sign one-sided and unfair data processing agreements with platforms such as Facebook and Google – as well as media agencies – which would put them at risk of major breaches of GDPR.
The World Federation of Advertisers (WFA) and the Dutch Advertisers Association (BVA) have partnered with Digital Decisions to create a data processing agreement (DPA) template for advertisers.
The goal is to protect brands from signing DPA documents – created to comply with GDPR rules – that are one-sided and leave advertisers exposed to unfair risk. As with the Media Contract originally designed by the UK client body ISBA, the idea is that a template document will be adaptable to the needs of individual brands, while also alerting them to key areas of risk.
The DPA is a mandatory contract addendum to an existing service agreement between brands and data processors, including agencies and publishers required by GDPR.
These agreements set out obligations from both parties, in addition to a well-defined scope of data processing activities; such as audience ingestion from an advertiser data management platform (DMP) to an agency owned/operated demand-side platform (DSP), or the email-based custom audience features that Facebook offers.
As advertisers are responsible and liable in case of non-compliance in their role as data controller, each DPA needs to be carefully considered and adopted within the existing legal framework.
The new template has been created by the WFA, BVA and Digital Decisions, and can be used by advertisers to assess their current DPAs, or as a framework for a new agreement with data processor partners.
These partners could include independent and network media agencies, direct platform partners such as Facebook and Google, but also direct technology partners such as ad servers, DMPs and DSPs.
The agreement is designed from a data controller perspective and is a response to advertiser concerns that some DPAs are written more from the perspective of a data processor.
The DPA template does not purport to offer legal advice, as there is no single contract that is ‘approved’ by the European Commission or data protection authorities across the community.
However, advertisers can use it to better understand what they need to include in their DPAs and to more effectively assess their current agreements.
Key areas that most brands will want to address include:
– Processor obligations and process timelines, for example in case of a data breach
– The approval process for sub-processors engaged by the data processor partners
– The audit rights, and the sub-processor coverage in particular
– The liability of the data processor partners in case of non-compliance
WFA chief executive Stephan Loerke said: “With advertisers increasingly entering into direct contractual relationships with more and more partners to ensure they retain control of their data and direct relationship with consumers, the role of the DPAs will become even more critical both strategically and to ensure they do not risk the reputational damage that could occur if they fail to comply with the requirements of GDPR. This template will give brands guidance to ensure they have the right level of transparency and control in their relationship.”
Top brands ‘draw line in sand’ over online ad shambles
World’s biggest tech firms accused of flouting GDPR
Google GDPR shortcomings leaving ad clients exposed
GDPR one month on: Google admits that it’s clueless
Crisis? What crisis? GDPR fuels more potent marketing
‘Firms more worried about World Cup effect than GDPR’
Let battle commence: first GDPR complaints are filed