Why You Don’t Need a DPA When Working with a Trust Service Provider
The rise of digital transactions has highlighted the importance of trust services, especially in the context of electronic signatures. In the EU, trust services are governed by the eIDAS Regulation, which sets standards for electronic identification and trust services for electronic transactions. However, a common misconception persists among legal professionals regarding the control and processing of personal data when using these services, particularly with Qualified Trust Service Providers (TSPs) like ZealiD AB.
Misconceptions About Data Controllership
Many legal departments operate under the belief that engaging a TSP necessitates a Data Processing Agreement (DPA) to meet GDPR requirements. This misunderstanding often stems from a need for more familiarity with the foundational principles of trust services and their regulatory framework. Trust services, including e-signatures, are designed to enhance security and trust in electronic transactions without the same data processing implications as traditional data processors.
The Role of Trust Service Providers
Trust service providers like ZealiD AB offer qualified electronic signatures that are compliant with stringent EU standards. According to the eIDAS Regulation and ETSI standards (such as ETSI EN 319 401 and ETSI EN 319 411-1/2), TSPs are required to ensure that their services uphold high levels of security and reliability. Importantly, the relationship between TSPs and their clients differs from that of a traditional data controller and data processor.
When companies procure trust services, they often mistakenly assume they are delegating data controller responsibilities to the TSP, treating it as a sub-processor. This misconception fails to recognize that the legal model governing trust services operates differently.
Why a DPA is Often Unnecessary with TSPs
Hash Signing Mechanism: Most modern trust service integrations employ a hash signing technique. This means that the content of the document being signed is transformed into a hash value, and then processed by the TSP. The original document remains encrypted and is not visible to the TSP. Although, in some jurisdictions, this might still qualify as processing personal data, the idea of issuing a DPA is moot. A DPA implies that the TSP is instructed on which data to process, but since the data is encrypted and the TSP has no visibility into its content, such instructions are irrelevant. As a result, the TSP is not acting as a data processor in the traditional sense.
Direct Relationship with End Users: For qualified electronic signatures, TSPs establish a direct relationship with the end users to issue digital certificates and enable remote signing. This relationship is highly regulated and standardized, ensuring that user data is managed in compliance with relevant laws. Since the TSP directly interacts with users for certificate issuance, it is not acting merely as a processor under the GDPR; it operates within a framework that places it outside the traditional data controller-processor paradigm.
Real-World Example: ZealiD AB
ZealiD AB exemplifies a leading Swedish Qualified Trust Service Provider navigating these complexities. By offering secure and compliant electronic signatures, ZealiD provides services that empower businesses to enhance their digital transaction processes without inadvertently exposing themselves to data protection risks. Legal departments engaging ZealiD can focus on their own compliance with GDPR by ensuring that appropriate DPAs are in place with other service providers—such as e-signature platforms—where sensitive and personal data may be involved.
Conclusion
The evolving landscape of digital transactions necessitates a clear understanding of the roles and responsibilities of trust service providers. Legal professionals must recognize that engaging a TSP does not inherently require a DPA, as the nature of trust services, especially in relation to personal data, is fundamentally different from traditional data processing relationships.
By understanding the regulatory framework established by the eIDAS Regulation and ETSI standards, legal departments can make more informed decisions when integrating trust services into their operations. In the case of ZealiD AB, companies can leverage qualified trust services while ensuring compliance and security without falling prey to common misconceptions about data controllership.
Learn more
Would you like to know more about obtaining a qualified electronic signature?
ZealiD has been working with the most innovative companies to better their document signing workflows and agreement management with QES.