Real-world Use Cases Normative Requirements Repository

DPA (Data Processing Agreement)

The General Data Protection Regulation (GDPR) regulates the processing of personal data in Europe, and data processing agreements (DPAs) are one of the instruments through which that regulation is applied. The GDPR imposes obligations on organizations that collect, process, or otherwise handle the personal data of people in Europe. Organizations whose software systems process or share personal data are therefore responsible for conducting audits to ensure that their data processing satisfies GDPR obligations. To achieve software compliance, organizations must verify their software-relevant legal documents against GDPR regulations. They do this through DPAs, which regulate data processing activities according to the GDPR. DPAs are legally binding agreements; to be deemed GDPR-compliant, a DPA must cover all criteria imposed by the GDPR provisions concerning data processing.

Data processing involves an organization known as the data controller, which collects and/or further shares personal data; an additional organization known as the data processor, which processes personal data on behalf of the controller; and, of course, a data subject who shares personal data willingly. A third-party organization, called a sub-processor, may be employed by the data processor to perform some data processing services on its behalf, which involves sharing the personal data further. The controller provides data subjects with the terms on which their personal data is collected and handled. However, the further sharing of personal data with processors and sub-processors is not directly visible to data subjects. The controller and processor share responsibility for protecting personal data. Thus, a DPA listing privacy-related requirements should be established between the controller and the processor(s). A DPA sets terms for how data is used, stored, protected, and accessed, and states the rights and obligations of the controller and processor. By signing a DPA, the processor is obliged to ensure that any software system it deploys for processing personal data also complies with the GDPR.

The paper from which this case study is drawn uses the "shall" requirements that the authors extracted from the GDPR provisions relevant to DPA compliance; working from these extracted requirements removes the additional complexity and potential ambiguity of the legal texts. DPAs are an important source of requirements for software development involving the processing of personal data. SLEEC requirements allow the controller and processor to be legally compliant with the GDPR. For instance, we can specify that upon the end of the provision of services relating to processing, the processor shall return or delete all personal data, or that the DPA shall contain the duration of the processing, after which data return/removal occurs.
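The two example requirements above can be turned into checks that an auditor or the processor's own tooling can run: one static check over the DPA's terms (does it state the duration of the processing?) and one runtime check over a log of processing events (after the end of service, or after the stated duration, was every personal-data record returned or deleted within the agreed window?). The following Python is an added illustration written for this page; it is not the SLEEC notation, not code from the paper, and not from the repository. The Dpa and Event structures, the event kinds, the grace period of 30 days, and the sample event log are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Dpa:
    """Assumed, simplified model of the DPA terms relevant to the two requirements."""
    controller: str
    processor: str
    processing_duration_days: Optional[int]   # None models a DPA that omits the duration term
    return_or_delete_grace_days: int = 30     # assumed agreed window for return/deletion


@dataclass(frozen=True)
class Event:
    """One entry of an assumed processing log kept by the processor."""
    day: int          # day index, counted from the start of processing
    kind: str         # "data_received", "service_end", "data_returned", "data_deleted"
    record: str = ""  # identifier of the personal-data record concerned (empty for service_end)


def check_dpa_terms(dpa: Dpa) -> List[str]:
    """Static check: the DPA shall contain the duration of the processing."""
    findings: List[str] = []
    if dpa.processing_duration_days is None:
        findings.append("DPA does not state the duration of the processing")
    elif dpa.processing_duration_days <= 0:
        findings.append("DPA states a non-positive processing duration")
    return findings


def check_end_of_service(dpa: Dpa, events: List[Event], today: int) -> List[str]:
    """Runtime check: upon the end of the provision of services (or the end of the
    stated processing duration, whichever comes first) the processor shall return
    or delete all personal data within the agreed grace period.
    Only events dated on or before `today` are considered."""
    held: Dict[str, int] = {}      # record -> day it was received
    disposed: Dict[str, int] = {}  # record -> day it was first returned or deleted
    service_end: Optional[int] = None

    for ev in sorted((e for e in events if e.day <= today), key=lambda e: e.day):
        if ev.kind == "data_received":
            held.setdefault(ev.record, ev.day)
        elif ev.kind == "service_end":
            service_end = ev.day if service_end is None else min(service_end, ev.day)
        elif ev.kind in ("data_returned", "data_deleted"):
            disposed.setdefault(ev.record, ev.day)
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")

    # The obligation is triggered by whichever of the two comes first.
    triggers = [d for d in (service_end, dpa.processing_duration_days) if d is not None]
    if not triggers or min(triggers) > today:
        return []  # obligation not triggered yet
    deadline = min(triggers) + dpa.return_or_delete_grace_days

    findings: List[str] = []
    for record in held:
        day = disposed.get(record)
        if day is None:
            if today > deadline:
                findings.append(f"{record}: still held on day {today}, past deadline day {deadline}")
        elif day > deadline:
            findings.append(f"{record}: returned/deleted on day {day}, past deadline day {deadline}")
    return findings


# Constructed sample DPA and processing log (not real organizations or data).
SAMPLE_DPA = Dpa(controller="ExampleCo (controller)", processor="HostCo (processor)",
                 processing_duration_days=365, return_or_delete_grace_days=30)

SAMPLE_EVENTS = [
    Event(1, "data_received", "r1"),
    Event(2, "data_received", "r2"),
    Event(3, "data_received", "r3"),
    Event(100, "service_end"),          # end of the provision of services
    Event(105, "data_deleted", "r1"),   # within the 30-day window
    Event(140, "data_returned", "r2"),  # 10 days late
    # r3 is never returned or deleted
]

if __name__ == "__main__":
    for finding in check_dpa_terms(SAMPLE_DPA) + check_end_of_service(SAMPLE_DPA, SAMPLE_EVENTS, today=200):
        print(finding)
```

Run on day 200 the sample log yields two findings (r2 disposed of late, r3 still held); run on day 120 it yields none, because the deadline of day 130 has not yet passed and the late return of r2 is not yet in the log. The point of the split into a static and a runtime check is that the first requirement is a property of the document and can be verified once at signing, while the second is a property of the processor's behaviour and has to be monitored continuously.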