When two businesses join hands to process personal data, trust is only half the equation; accountability seals the deal. This is exactly what a Data Processing Agreement (DPA) is for. So, should you have a DPA, and what should be in it? Read on to learn more.
What is a Data Processing Agreement (DPA)?
A Data Processing Agreement/ Data Processing Addendum is a legal document establishing the terms and conditions under which a third party such as a service provider or a contractor processes personal data on behalf of the controller/business.
It guarantees that the data processor implements sufficient data protection measures while handling the personal data handed over by the controller and that it complies with the applicable laws.
The DPA provides clarity on the nature and categories of data processed, purposes of processing, responsibilities of the controller and processors, sub-processing, audit rights, breach notifications, deletion and transfer of the data, data subject rights and more.
A Data Processing Agreement is an essential component of compliance with several privacy laws such as the EU GDPR, the UK GDPR and the UK Data Protection Act 2018.
In summary, it establishes a clear and mutual understanding between both parties about what is and is not allowed in terms of personal data processing, eliminating any confusion.
Importance of Data Processing Agreement in GDPR compliance
A DPA is crucial in GDPR compliance and here is why.
Legal requirement
The General Data Protection Regulation, which is the data privacy law of the European Union requires a Data Processing Agreement as outlined in Article 28.
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
It also stipulates some essential elements that the contract should cover, including a confirmation that personal data will only be processed as per the controller’s instructions, the security measures to be implemented, and how compliance will be demonstrated.
Risk management
The DPA clearly outlines the rights and responsibilities of each party involved in the agreement. This clarity helps to avoid confusion, manage risks effectively, and places a strong obligation on processors to safeguard personal data against unauthorised access and misuse.
Accountability
By having signed a detailed DPA, organisations prove that they have taken sufficient measures to regulate the processing activities of service providers or other data processors. This ensures that the processing of personal data is carried out in a responsible manner.
Operational control
The Data Processing Agreement (DPA) maintains oversight of data handling, even when it is delegated to a service provider. It clearly outlines the responsibilities and rights of both parties, sets limits on data retention and processing, and mandates the implementation of necessary technical and organisational measures to safeguard the data.
Avoid fines
The absence of a DPA between the controller and processor can cause a huge financial loss for businesses, since the GDPR requires it. The fines can be as high as 10 million euros or 2% of your global turnover in the previous year.
Essential clauses for your Data Processing Agreement
A robust DPA contains specific clauses to regulate processing by third parties and minimise risks associated with it. Though you can customise your agreement according to your needs, try not to miss the ones given below.
#1 Introduction and definitions
An introduction sets the stage for any document, and a DPA is no exception. Lawyers typically call it a preamble, but let us keep it simple. The introduction clause of your DPA names the parties bound by the agreement, as in this example from Flank AI.
The definition clause serves as the foundation for clarifying the meaning of key terms used throughout the DPA. The definitions most often align with the GDPR standards.
Here are some of the commonly defined terms found in a Data Processing Agreement:
- DPA
- GDPR
- CCPA
- Personal data
- Data subject
- Personal data breach
- Standard Contractual Clauses
- Subprocessor
- Security
Note that the components of your definition clause depend on your DPA’s content. The best approach is to define any specific term that may be unfamiliar, confusing or open to more than one interpretation.
LinkedIn defines some common terms while also explaining separately what it means by personal data and customer personal data in the DPA. This clarifies what it means when these terms are used in the agreement.
#2 General information/ Data processing details
Several topics can come under this category and can be given as separate clauses or as subclauses.
The general information commonly includes the details of the data processing activities.
- Purposes of processing
- Subject matter/nature/types of data processed
- Scope of the agreement
- Duration of processing
- Categories of data subjects
Let us break down each of these points for a closer look.
#2.1 Purpose clause
This section covers the nature of the processing and why there is a need to process personal data, for example to use a processor’s service such as payroll processing, payment transactions or email services.
#2.2 Subject matter clause
Include the categories of personal data that the service provider receives from the controller. The example below from the Infosys DPA contains specific details rather than a general description.
#2.3 Duration clause
For how long do you want the data to be processed? That is what you will specify in this clause. The duration need not always be expressed in months or years.
#2.4 Data subject category
This section specifies whose personal data is getting collected, stored and processed under the Data Processing Agreement as in this example from Flank AI’s DPA.
#3 Obligations of the processors
You can use this section to bind data processors to comply with data protection obligations.
Two important points to add here are that the processor may not process data without documented instructions from the data controller, and that it must comply with the applicable data protection laws.
Here are a few more important points.
- The processor shall report any breaches without undue delay and take the necessary steps to contain them
- They must also comply with GDPR provisions such as providing reasonable assistance during Data Protection Impact Assessments or consultations with the supervisory authority
- The processor, employees and other individuals working for the processor should have a duty of confidentiality
- There should be a contact person from the processor’s side for the controller to communicate with
- The processor must fulfil any correction or deletion requests by the controller
- All personal data processed on behalf of the controller must be deleted upon the termination of the agreement or at the controller’s request
- The processor should implement appropriate data security measures
- Any personal data given to the processor shall only be used for the specified purpose
- Processors cannot retain, sell or share the personal data provided under this agreement without authorisation from the controller
Note: The breach notification and deletion requirements can also be given as separate clauses in a DPA.
#4 Obligations and rights of the controller
This section should neatly point out the obligations of a data controller and the rights reserved to them. Even if the DPA is for data processors, the controller obligations are relevant.
Here are a few points to consider.
- The controller complies with all data protection laws applicable to them
- Instructions from the controller comply with the legal requirements
- The controller is authorised to allow the processors to perform their obligations and exercise their rights
- Any additional instructions or changes to the DPA would require a separate and prior written agreement
- The controller has implemented adequate, necessary and reasonable data security measures such as encryption, access controls and pseudonymisation
- Any irregularities or incorrect personal data will be promptly communicated to the processor
#5 Technical and organisational security measures
The security obligations of the processor can also be given as a separate clause in the Data Processing Agreement.
#6 Data subject requests
This section clarifies the data processor’s duty to cooperate with a direct request from a data subject, or a request from the controller, to exercise GDPR rights such as the right to know, access, rectification, deletion, portability, objection or restriction. See this example from our DPA.
#7 Audit rights
This clause reserves the right to conduct audits and to receive demonstrations proving the processor’s compliance. The processor is allowed to set any reasonable limitations regarding the audit such as the duty of confidentiality or time restrictions.
This example from Flank AI lays down that the inspections/audits should be carried out during working hours and after giving prior notice to the processor. Moreover, if the controller decides to appoint an auditor who is a competitor of the processor, they can object to such auditing.
#8 Subprocessors
This is another important clause in a DPA that acknowledges whether or not a subprocessor can be appointed. It also specifies that all subprocessors will have the same responsibilities as those of the processor including the implementation of security measures.
#9 Data transfer
Specify in your DPA that data transfers outside the EU or the European Economic Area (EEA) member states must be made in accordance with an adequacy decision or with standard contractual clauses (SCCs) agreed between the data exporter and the data importer.
This ensures that the customer’s data will be properly secured even if transferred to third countries.
#10 Deletion or return
This clause sets out what happens to the controller’s personal data after the expiration or termination of the DPA.
This example clearly assures that they will only store the necessary data and specifies when they will return or delete the data as per the customer’s request or upon the termination of the DPA.
Recommendations for implementing a robust Data Processing Agreement
Here are some important points to consider when drafting a Data Processing Agreement (DPA):
Use the DPA templates wisely
When using a DPA template, make sure to address the specific needs of your business and the nature of its relationships with the involved parties.
Instead of relying on a generic template, consider adding elements that reflect your unique circumstances. For instance, many templates might lack a section for instructions relevant to joint controllers—something that could be crucial for your situation. If that is the case, make sure to include it in your DPA or choose a template that already has provisions for joint controllers.
Provide accurate instructions
Prioritise clear documentation of the instructions and agreements in the DPA so that all parties share the same understanding and there is no room for confusion.
Review and update
Don’t consider the job done once you have written and signed a DPA. You also need to review and make necessary amendments that account for new regulations, technological advancements and subprocessor changes.
Monitor compliance
Two things are irreplaceable when engaging a processor. The first is to choose compliant processors and the second is to monitor and conduct inspections to confirm that they handle personal data responsibly and within the privacy framework.
FAQ on Data Processing Agreement
The GDPR requires all data controllers to establish a Data Processing Agreement with their data processors. This is to guarantee that they handle personal data with appropriate care and sufficient safeguards to maintain its confidentiality.
A DPA contains written instructions that the processor should follow while processing personal data. It specifies the obligations of all parties involved in the processing, security requirements, data transfer rules, inspection rights of the controller, and related information.
The CCPA requires a contractual relationship between the business and its service providers or third parties. The contract should instruct them not to sell the personal information received on behalf of the business and to use it only for the specified business purpose.