1. Introduction
2. Overview, including data protection program vs orchestra (DPA negotiator vs saxophonist)
3. When is a DPA required?
4. Representing the customer during a DPA negotiation (customer vs vendor)
5. What are you trying to protect? Which standard are you using?
6. What is personal data (identified vs identifiable)?
7. Identified defined
8. Identifiable defined
9. Two standards or schools of thought
10. Reasonable standard explained
11. Possible standard explained
12. Standards explained via example of storing encrypted personal data in the cloud
13. Is a DPA required if the vendor does not process personal data?
14. Is encrypted data considered to be personal data?
15. Which standard/lens are you using?
16. Which standard should you use when defining personal data in the DPA and corresponding data protection program?
17. Using the glass half full/empty example and the cloud provider example on determining whether data is identifiable
18. The human connection and the evolving definition of personal data (and a better term to use)
19. What is anonymous vs anonymized? Who is doing the data grinding? Is anonymizing the data legal?
20. Can aggregated, de-identified or anonymous data include personal data? What about data that is derived, inferred or generated from personal data?
21. Vendor’s DPA paper - poison apple?
22. Does the gold standard of data protection law exist? Is it the EU’s General Data Protection Regulation (GDPR)? Does the vendor DPA really comply with the GDPR?
23. Are the DPA terms aligned or in harmony with the corresponding data protection program? What are the problems with using the vendor’s DPA paper?
24. Alignment with privacy policies, representations and reasonable expectation
25. Communication and leverage, politics of negotiating and internal knuckleheads
26. Are you getting lost in the fog of form? Keep your eye on the ball/data (substance over form)
27. Controller vs processor and which hat does the vendor want to wear? Is the DPA based on facts?
28. Santa Claus dog and losing control over the personal data
29. Definitions and interpretation of DPA terms
30. Defining “process” in the DPA - do you have the entire apple?
31. Watch out for katana vendors
32. Risk of using language verbatim from data protection laws?
33. Defining “personal data” - things to watch out for and future-proofing the DPA
34. Data minimization - what do you do in practice if the definition of personal data is broad?
35. What is the purpose? Who determines the purpose?
36. What are the means? Can the vendor determine the means?
37. Chain of processing and accountability
38. The minimizations (data, surprise and purpose), reasonable expectation, the origin of collection and primary purpose
39. Minimization and hot dog vendor example - reasonable expectation of a temperamental Greek dad (don't upset him)
40. Reasonable expectation as a moving target
41. Secondary purposes and vendor insults - are you getting suckered by the vendor?
42. Exceptions and compatibility - who determines?
43. Exception to comply with law and cooperating with the customer
44. Updating the DPA in light of laws/tech - AI and kaizen
45. Is the vendor drafting data processing instructions to itself?
46. What's the concern with providing documented instructions?
47. Baklava, security and chasing two rabbits
48. Using data security language in the wrong context, watering down data security language and waiting for a sunny day before securing data
49. Confidentiality of data - is covering confidentiality in the MSA enough?
50. Integrity of data
51. Availability of data - how to get the vendor to negotiate security in the DPA
52. Is high-level security language enough? Drafting detailed security language
53. What do you do if the vendor cannot comply with all of the customer’s data security requirements?
54. Security breach and general obligations
55. When does a vendor have notice of a security breach?
56. Notifying the customer of a security breach - time is of the essence
57. Security breach, confidentiality and cookies
58. Security breach, integrity and cookies
59. Security breach, availability and cookies
60. Cross-border personal data transfers (e.g., SCCs and BCRs) - are you doing your due diligence?
61. Does regulatory approval automatically mean that personal data transfers are legal?
62. Conflicting language and potential modification of the SCCs/DPA
63. Skinny leg syndrome - many ways the vendor could unilaterally revise the DPA (death by 1000 cuts)
64. Survival - possession only?
65. Resonating with opposing counsel and switch hitting (as in baseball - control your dirty thoughts)
66. Gathering intelligence but don’t strangle the opposing counsel
67. Is your vendor being unfaithful? Gaining leverage during the negotiation
68. Maximizing the surprise in an attempt to get the DPA language that you want
69. Takeaways!
70. Outside counsel - throw them in the trenches!
71. Freestyle/advanced DPA negotiation training with Demetrios!
© 2025 Eleftheriou Law Firm PLLC. All rights reserved. This presentation is for individual use and educational purposes only, does not constitute legal advice, should not be shared, and is provided as is. The author is not liable for actions taken based on this information. Consult a qualified professional for specific advice. Under the rules of certain jurisdictions, the content on this site may constitute attorney advertising. Prior results do not guarantee a similar outcome. Any content including the presentations may be revised by me at my discretion without notice. Please contact Demetrios Eleftheriou at privacy@demetrioslaw.com if you have any questions.