Information in the wrong hands can cause serious damage to the community, businesses and individuals, which is why the use and management of personal data is taken very seriously by privacy laws. 

As a business, you have several legal obligations when it comes to handling people’s personal information. To mitigate these risks and remain compliant with the law, businesses commonly have certain legal documents in place which set out the process for handling data and limit their liability where possible. 

A Cross-Border Data Processing Agreement is a key legal agreement for businesses handling information  across different territories. 

Keep reading to learn more about cross-border data processing agreements. 

What Is A Data Processing Agreement? 

A Data Processing Agreement is a contract between a data controller and a data processor that details how the data is supposed to be handled. 

A data controller is the ‘owner’ of the data and usually the one that has collected it. For example, a business that possesses shipping and bank details of their customers will be the data controller. A data processor is the organisation they hire to take care of that data. 

A well-drafted Data Processing Agreement adheres to the Privacy Act 1988 and the Australian Privacy Principles. The law strictly regulates how information is exchanged and data must be handled in accordance with it. 

Getting a legal professional to draft the agreement will help you stay compliant with the relevant laws. In addition to this, the document is essential in managing any risks associated with transferring information. Having a written agreement in place can determine what party is responsible for what tasks, making it easier to assess your liability should anything go wrong. 

Chat to our Privacy Lawyers if you want to learn more about how you can protect your business. 

When Would I Need A Cross-Border Data Processing Agreement? 

If your business is going to be transferring information overseas in any way, then you should consider getting a Cross-Border Data Processing Agreement. A Cross-Border Data Processing Agreement has the same purpose as a regular data processing agreement, however, it is catered to transferring information from one country to another. 

The terms that will need to be followed  will depend on that specific country’s  internal regulations regarding international transfers of information. For example, if you’re an Australian business transferring information to another business in a different country, then you will need to check any regulations and guidelines that region may have regarding this process. 

Once you’re familiar with them, your Agreement needs to take that into consideration and adjust any processes or systems accordingly. 

Can A Cross-Border Data Processing Agreement Be Used In The EU?

Yes, a Cross-Border Data Processing Agreement can be used in the EU. The EU has its own set of regulations and guidelines when it comes to transferring data from a different country. Therefore, in order to transfer data to and from the EU, it’s important to answer a number of questions such as: 

  • Where will this data be transferred?
  • Who will it be transferred to?
  • What is the nature of the data?
  • Will it be shared with any other EU member states? 
  • How many different regions will this data be subject to?

The answers to some of these questions could impact the kind of compliance measures you will need to undertake. This can be a lot to process, so don’t hesitate to reach out to a legal professional to help you out! 

Does My Data Processing Agreement Need To Align With The GDPR? 

Yes, there is a good chance you will need to comply with the General Data Protection Regulation (GDPR) if you are going to be transferring data to any of the European Union’s nations. 

If your data is not going into the EU as an Australian business, then the GDPR is not going to impact you. 

For those businesses looking to transfer data into the EU, it’s important to understand the GDPR is a little different to  Australian privacy regulations. When it comes to matters such as storage, transparency and the handling of data, the GDPR is stricter and contains more measures. Some of the same concepts are labelled as different terms, too. Therefore, you will need to adjust data processing agreement to align with the GDPR if you intend on transferring data to the EU. 

Along with strict regulations, the EU does impose heavy penalties on businesses that do not comply with the GDPR. In fact, these penalties consist of fines that can reach €20 million or 4% of the yearly global turnover. It’s best to avoid this scenario altogether and make sure you are taking all the right legal steps!  

At Sprintlaw, our GDPR Compliance Package can provide you with detailed, professional guidance on how to best comply with the GDPR. Get in contact with our team and our legal experts would be happy to help you out.  

What Else Do I Need To Know About Data and Privacy? 

Data and privacy is a key aspect of business law that continues to grow everyday. As a result, businesses have to keep up with their legal obligations or they might end up compromising the information of individuals and jeopardising their own business. 

If you’re online and collecting the information of your clients and customers, then it’s vital to have a strong Privacy Policy in place. A privacy policy is legally required of all business that either: 

  • Have an annual turnover of more than $3 million 
  • Gather any kind of personal information (such as contact details, names, banking information, postal address) 

Even if your business earns less than the $3 million threshold, it’s highly advised that you have a Privacy Policy in place regardless. This is to protect your business in case of any data breaches and in case things start to change, or your business grows rapidly, thereby requiring additional legal protections. 

As we mentioned, data and privacy are one of the most fundamental responsibilities for any modern business. All businesses operate differently, therefore, the privacy and data requirements will also vary from business to business. 

There might even be certain duties and risks you are currently not aware of – that’s why it helps to chat with a legal expert that specialises in data and privacy for businesses. From email disclaimers to general privacy advice, we’ve got you covered. 

Key Takeaways

When hiring another party to process the data and information you’ve collected, it’s crucial to have a legal agreement in place that is compliant with the relevant laws and regulations. Even if you’re transferring information outside of Australia, it’s a good idea to have a Cross-Border Data Processing Agreement in place. To summarise what we’ve discussed: 

  • A data processing agreement is a contract between a data controller and a data processor regarding the exchange of information 
  • If you transferring information outside of Australia, it’s advisable to get a cross-border data processing agreement
  • Different countries have their own data processing requirements, it’s important to make sure your agreement is prepared with this in mind
  • If you’re transferring data into the EU, then you will need to abide by the GDPR
  • Data and privacy are important aspects of running a business, talk to a professional to ensure you’re keeping up with all your obligations! 

If you would like a consultation on cross-border data processing agreements, you can reach us at 1800 730 617 or for a free, no-obligations chat.

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're Australia's fastest growing law firm and operate entirely online.

(based on Google Reviews)
Do you need legal help?
Get in touch now!

We'll get back to you within 1 business day.

  • This field is for validation purposes and should be left unchanged.

Related Articles
What Documents Are Required For A Company?
How To Initial A Document