Skip to main content

Privacy Laws

17 min read

10 Must-Have Clauses in Your Data Processing Agreement

By Safna December 2, 2024

Expert reviewed

10 Must-Have Clauses in Your Data Processing Agreement

When two businesses join hands to process personal data, trust is only half the equation, accountability seals the deal. This is exactly what a Data Processing Agreement (DPA) is for. So, should you have a DPA and what should be in it? Learn more as you read on.

What is a Data Processing Agreement (DPA)?

A Data Processing Agreement/ Data Processing Addendum is a legal document establishing the terms and conditions under which a third party such as a service provider or a contractor processes personal data on behalf of the controller/business. 

It guarantees that the data processor implements sufficient data protection measures while handling the personal data handed over by the controller and that it complies with the applicable laws.

The DPA provides clarity on the nature and categories of data processed, purposes of processing, responsibilities of the controller and processors, sub-processing, audit rights, breach notifications, deletion and transfer of the data, data subject rights and more. 

A Data Protection Agreement is an essential component for compliance with several privacy laws such as the EU GDPR, UK GDPR and the Data Protection Act, 2018 (DPA).

Relatable reads

GDPR vs DPA

In summary, it establishes a clear and mutual understanding between both parties about what is and is not allowed in terms of personal data processing, eliminating any confusion.

Does your website have a cookie banner?

 Customise a cookie banner for compliance using CookieYes

14-day free trialBeginner friendly

Importance of Data Processing Agreement in GDPR compliance

A DPA is crucial in GDPR compliance and here is why.

Legal requirement

The General Data Protection Regulation, which is the data privacy law of the European Union requires a Data Processing Agreement as outlined in Article 28

Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.

It also stipulates some essential elements that the contract should discuss including a confirmation that personal data will be only be processed as per the controller’s instructions, security implementation, and demonstration of compliance.

Risk management

The DPA clearly outlines the rights and responsibilities of each party involved in the agreement. This clarity helps to avoid confusion, manage risks effectively, and places a strong obligation on processors to safeguard personal data against unauthorised access and misuse.

Accountability

By having signed a detailed DPA, organisations prove that they have taken sufficient measures to regulate the processing activities of service providers or other data processors. This ensures that the processing of personal data is carried out in a responsible manner.

Operational control

The Data Processing Agreement (DPA) maintains oversight of data handling, even when it is delegated to a service provider. It clearly outlines the responsibilities and rights of both parties, sets limits on data retention and processing, and mandates the implementation of necessary technical and organisational measures to safeguard the data.

Avoid fines

The absence of a DPA between the controller and processor can cause a huge financial loss for businesses since GDPR necessitates it. The fines can be as high as 10 million Euros or 2% of your global turnover in the previous year.

Essential clauses for your Data Processing Agreement

A robust DPA contains specific clauses to regulate processing by third parties and minimise risks associated with it. Though you can customise your agreement according to your needs, try not to miss the ones given below.

#1 Introduction and definitions

An introduction definitely sets a face to anything, even for a DPA. Lawyers typically call it a preamble, but let us keep it simple. The introduction clause of your DPA calls out the parties to which the agreement is binding like in this example from Flank AI.

Flank AI DPA

The definition clause serves as the foundation for clarifying the meaning of key terms used throughout the DPA. The definitions most often align with the GDPR standards. 

Here are some of the commonly defined terms found in a Data Processing Agreement:

  • DPA
  • GDPR
  • CCPA
  • Personal data
  • Data subject
  • Personal data breach
  • Standard Contractual Clauses
  • Subprocessor
  • Security

Note that, the components of your definition clause depend on your DPA’s content. The best take is to define any specific term that can be unfamiliar, confusing or can have more than one interpretation.

LinkedIn defines some common terms while also explaining separately what it means by personal data and customer personal data in the DPA. This clarifies what it means when these terms are used in the agreement.

LinkedIn DPA

#2 General information/ Data processing details

Several topics can come under this category and can be given as separate clauses or as subclauses.

The general information commonly includes the details of the data processing activities.

  • Purposes of processing
  • Subject matter/nature/types of data processed
  • Scope of the agreement
  • Duration of processing
  • Categories of data subjects 

Happy to break down each specific point for a closer look.

#2.1 Purpose clause

This section covers the nature of the processing and why there is a need to process personal data. For example to use a processor’s service such as for payroll processing, payment transactions, or email services. 

DotDigital DPA

#2.2 Subject matter clause

Include the categories of personal data that the service provider collects from the controller. The below example from Infosys DPA contains specific details rather than a general description.

Infosys DPA

#2.3 Duration clause

For how long do you want the data to be processed? That is what you will be writing for this one. This need not be always in terms of months or years.

DotDigital DPA

Stripe DPA

#2.4 Data subject category

This section specifies whose personal data is getting collected, stored and processed under the Data Processing Agreement as in this example from Flank AI’s DPA.

Flank AI DPA

#3 Obligations of the processors

You can use this section to bind data processors to comply with data protection obligations. 

Restricting the processors from processing data without documented instruction from the data controller, and that it should comply with the data protection laws are some of the important points you should add here.

Here are a few more important points.

  • Processor shall inform any breaches without undue delay and take necessary efforts to contain the breach
  • They must also comply with GDPR provisions such as providing reasonable assistance during Data Protection Impact Assessments or consultations with the supervisory authority
  • The processor, employees and other individuals working for the processor should have a duty of confidentiality
  • There should be a contact person from the processor’s side for the controller to communicate with
  • The processor must fulfil any correction or deletion requests by the controller
  • All personal data processed on behalf of the controller must be deleted upon the termination of the agreement or at the controller’s request
  • Processor should implement appropriate data security measures
  • Any personal data given to the processor shall only be used for the specified purpose
  • Processors cannot retain, sell or share the personal data provided under this agreement without authorisation from the controller

Note: The breach notification and deletion requirements can be given as separate clauses in a DPA

#4 Obligations and rights of the controller 

This section should neatly point out the obligations of a data controller and the rights reserved to them. Even if the DPA is for data processors, the controller obligations are relevant.

 Here are a few points to consider.

  • The controller complies with all data protection laws applicable to them
  • Instructions from the controller comply with the legal requirements
  • The controller is authorised to allow the processors to perform their obligations and exercise their rights
  • Any additional instructions or changes to the DPA would require a separate and prior written agreement
  • The controller has implemented adequate, necessary and reasonable data security measures such as encryption, access controls and pseudonymisation
  • Any irregularities or incorrect personal data will be promptly communicated to the processor

#5 Technical and organisational security measures

The security obligations of the processor can also be given as a separate clause in the Data Processing Agreement.

Ironclad DPA

#6 Data subject requests

This section is to clarify the data processor’s duty to cooperate with the direct request of a data subject /controller’s request to exercise the GDPR rights such as the right to know, access, rectification, deletion, portability, objection or restriction. See this example from our DPA.

CookieYes DPA

#7 Audit rights

This clause reserves the right to conduct audits and to receive demonstrations proving the processor’s compliance. The processor is allowed to set any reasonable limitations regarding the audit such as the duty of confidentiality or time restrictions.

Flank AI DPA

This example from Flank AI lays down that the inspections/audits should be carried out during working hours and after giving prior notice to the processor. Moreover, if the controller decides to appoint an auditor who is a competitor of the processor, they can object to such auditing.

#8 Subprocessors

This is another important clause in a DPA that acknowledges whether or not a subprocessor can be appointed. It also specifies that all subprocessors will have the same responsibilities as those of the processor including the implementation of security measures. 

Stripe DPA

#9 Data transfer

Specify in your DPA that data transfers outside EU or European Economic Area (EEA) member states should be in accordance with the adequacy decision or with standard contractual clauses (SCCs) between the data exporter and data importer.

This ensures that the customer’s data will be properly secured even if transferred to third countries.

Flank AI DPA

#10 Deletion or return

This clause agrees with what happens to the controller’s personal data after the expiration or termination of the DPA.

This example clearly assures that they will only store the necessary data and specifies when they will return or delete the data as per the customer’s request or upon the termination of the DPA. 

Ironclad DPA

Recommendations for implementing a robust Data Processing Agreement

Here are some important points to consider when drafting a Data Processing Agreement (DPA):

Use the DPA templates wisely

When using a DPA template, make sure to address the specific needs of your business and the nature of its relationships with the involved parties.

Instead of relying on a generic template, consider adding elements that reflect your unique circumstances. For instance, many templates might lack a section for instructions relevant to joint controllers—something that could be crucial for your situation. If that is the case, make sure to include it in your DPA or choose a template that already has provisions for joint controllers.

Provide accurate instructions

Prioritise clear documentation of the instructions and agreements in the DPA so that all the parties will have a mutual understanding among each other without any confusion.

Review and update 

Don’t consider the job done once you have written and signed a DPA. You also need to review and make necessary amendments that account for new regulations, technological advancements and subprocessor changes.

Monitor compliance

Two things are irreplaceable when engaging a processor. The first is to choose compliant processors and the second is to monitor and conduct inspections to confirm that they handle personal data responsibly and within the privacy framework.

FAQ on Data Processing Agreement

Do I need to have a Data Processing Agreement?

The GDPR requires all data controllers to establish a Data Processing Agreement with their data processors. This is to guarantee that they handle personal data with appropriate care and sufficient safeguards to maintain its confidentiality.

What is in a Data Processing Agreement?

A DPA contains written instructions that the processor should follow while processing personal data. It specifies the obligations of all parties involved in the processing, security requirements, data transfer rules, inspection rights of the controller, and related information.

Does the California Consumer Privacy Act require a DPA?

The CCPA necessitates that there should be a contractual relationship between the business and its service providers or third parties. It should contain instructions to not sell the personal information received on behalf of the business and that it will only be used for the specific business purpose.

Photo of Safna

Safna

Safna Y Yacoob is a lawyer turned data privacy writer. At CookieYes, she transforms complex privacy regulations into actionable insights for businesses. On off-hours, find her brightening days with one-liners, spinning playlists, or watching feel-good movies.

Keep reading

Featured image of 7 Steps to Enhance Compliance Management for Your Business

Privacy Laws

7 Steps to Enhance Compliance Management for Your Business

Have you thought about compliance as a growth driver? For most businesses, it is just …

Read more
Featured image of Cookiebot vs OneTrust vs CookieYes: Which One Is The Best?

Consent

Cookiebot vs OneTrust vs CookieYes: Which One Is The Best?

Our detailed comparison will explore features, pricing, and privacy compliance functionality, guiding you through the nuances of Cookiebot, Onetrust and CookieYes to find the one that best suits your business's consent management needs.

Read more
Featured image of Iubenda vs Osano vs CookieYes: Which One Is The Best?

Iubenda vs Osano vs CookieYes: Which One Is The Best?

Our detailed comparison will explore features, pricing, and privacy compliance functionality, guiding you through the nuances of Cookiebot, Iubenda, and CookieYes to find the one that best suits your business's consent management needs.

Read more

Show all articles