Companies often rely on third-party data processing arrangements, but they must also ensure those relationships are secure and compliant with relevant data protection rules. That’s why Data Processing Agreements (DPAs) are a critical compliance tool in the modern economy.
This article explains DPAs and how they fit into the global regulatory landscape. It explores the core components of DPAs, the roles of data controllers and processors, and best practices for creating DPAs for every situation.
Data Processing Agreement (DPA) definition
A Data Processing Agreement is a legally binding document that defines the relationship between data controllers and data processors. DPAs relate specifically to joint responsibilities under the European Union’s General Data Protection Regulation (GDPR). When they sign a DPA, GDPR-compliant organizations will know exactly how to use and protect data.
DPAs explain the scope of data processing. They set out what data processors can collect and how to use this data. They also describe the purpose of processing personal data. This purpose must be in line with data security law requirements.
Under GDPR, DPAs govern arrangements between processors and controllers. Companies cannot transfer personal data to third parties without a binding agreement to use that data responsibly.
Key takeaways
- Data Processing Agreements (DPAs) are legally binding documents that regulate the scope and purpose of processing personal data and define the relationship between the controller and processor.
- DPAs help companies comply with data protection regulations, including the GDPR. However, they can also govern compliance with regulations in other jurisdictions.
- The roles in a DPA include controller, processor, sub-processor, and joint controller. Each role has specific responsibilities.
- DPA provisions include details about processing, confidentiality, information security, sub-processors, cooperation, and data deletion.
- International data transfers must comply with the GDPR: data may flow freely to destinations covered by an EU adequacy decision, while transfers elsewhere need appropriate safeguards such as SCCs or BCRs.
Why do businesses need Data Processing Agreements?
Companies need DPAs to make third-party data sharing compliant with GDPR. Modern companies rely on cloud partners and contractors when processing personal data.
For example, businesses use external email clients or cloud collaboration tools to bring remote workers together. They may use cloud-based accounting or CRM tools to process financial data. Or they could use analytics tools to refine their website strategy.
All of these examples give external companies access to user data. Because of this, they all require data processing agreements.
DPAs reduce the risk of third parties exposing personal data. They define the responsibilities of data processors and sub-processors. A clearly written DPA explains what third-party organizations must do to protect personal data. It should also set out penalties for non-compliance with the agreement.
From the controller's perspective, DPAs provide assurance. Controllers know third parties are committed to following EU GDPR rules with robust security and privacy controls. A robust data handling agreement cuts the risk of GDPR fines and reputational damage.
Do you need to have a Data Processing Agreement?
DPAs are primarily a requirement of the General Data Protection Regulation. This makes them critical for companies that collect data in the EU or European Economic Area (EEA).
As a data controller, you must sign a DPA before transferring data to a third-party data processor. The EU’s personal data privacy regulation defines a data processor as:
- “A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
In practice, this includes almost all third-party business support and data storage providers.
Elements of a Data Processing Agreement
Every third-party relationship must have a DPA. These agreements should include:
- A description of the type of personal data being collected
- Categories of data subjects involved in data processing
- The duration of data processing
- The reason for processing customer data
- Any rights of the data controller that govern data handling
DPAs may also include guarantees from data processors. For example, a secure email provider may include details about the strength of its encryption. Cloud storage partners may provide assurances about the physical security of data centers.
The critical goal of data processing agreements is to provide clarity. A DPA must clearly express the intentions of processors and controllers. It should also create a framework that protects personal data while enabling productive business relationships.
DPA best practices
DPAs are legal agreements. Controllers must ensure they are clearly worded and easy to understand. They also need to include several core components to meet their legal requirements.
Writing processing agreements can seem challenging at first glance. However, this list of DPA best practices will guide you as you create GDPR-compliant agreements that safeguard customer data.
1. Separate the DPA from the general contract
Creating separate data processing agreements is not legally required. However, separating DPAs from the rest of a data processing contract is recommended.
Separate agreements focus processors and controllers on critical data protection issues. Stand-alone agreements are also points of reference. Parties can easily return to the agreement to discuss privacy and data protection rules.
2. Start with a general definition
The agreement should start with a clear description of the relationship between the data controller and the processor. Explain what the agreement seeks to achieve and how it will protect personal data.
3. Critical information: Scope, duration, and processing types
A DPA should include three core descriptions. These descriptions govern how processors will handle data. So, they need to be precise and easy to follow.
- Scope: what forms of data will the processor handle, and where do its responsibilities start and end?
- Duration: how long will the processor retain data?
- Processing types: what type of processing will third parties perform? How will the processor store, analyze, or organize personal data?
4. Explain whose data is involved
The EU GDPR requires controllers to be specific about why they process data. DPAs should explain the reason and type of data collection. For example, parties may set out to collect behavioral data about “website visitors.” Or they could limit data collection to users of a certain age.
5. Explain what types of data will be processed
After defining the subjects of data collection, agreements should discuss what type of data processors will handle. Examples in this section could include IP addresses or online activity. This is an important part of specifying the scope of the processing task.
6. Be clear about how to terminate agreements
DPAs should briefly explain how to terminate contracts without exposing personal data. Contract termination generally requires the complete deletion of user data. It may require secure data removal techniques and audited proof of removal.
7. Define the responsibilities of parties
After dealing with general issues, the DPA should define expectations for controllers and the data processor. This section governs how data exchanges work by informing both parties about their roles. See below for in-depth guidance about the roles of controllers and processors.
8. Protect core user rights
Processing agreements under EU GDPR must allow users to exercise their privacy and access rights. Writers do not need to list all of the rights of the individual. However, the text should state that the parties agree to enable those rights.
9. Include relevant technical controls
The DPA should provide information about how processors and controllers will protect personal data under Article 32 of GDPR. This article requires organizations to:
- Encrypt or anonymize user data
- Ensure the availability and integrity of systems
- Create incident response processes to restore systems and data
- Regularly test systems to secure data
There is no need to use technical language or provide long descriptions about how controls work. Just list the security controls in use with a brief description of how they safeguard user data.
If you need to go into more detail, add an annex to the DPA. This section comes after the main body of the text. It can include extended discussions of how organizations will meet their Article 32 obligations.
10. Add sections on auditing compliance
DPAs should be enforceable and easy to monitor. Auditing should be part of every processing agreement. Controllers should require a section to enable regular privacy audits. Processors should also agree to provide relevant data to assess EU GDPR compliance.
The processor’s role in a Data Processing Agreement
“Processors” contract with controllers to handle or store personal data. They generally deliver DPAs to controllers when requested. Controllers then agree to those agreements or ask for additional changes.
There are two main types of organization in this category: data processors and sub-processors.
- Data processors have direct contact with a data controller.
- Sub-processors handle data at the request of data processors and may not have direct links to the data controller.
Both types of processors need DPAs to protect user data. Elements of these agreements include:
- Information security measures used to protect user data
- The identity of the organization’s Data Protection Officer (DPO)
- A commitment to work with regulators when violations or data protection breaches occur
- How the processor will assist the controller during security incidents
- Data breach reporting procedures, including a timescale for notifying the controller and regulators
- Audit processes to allow controllers to check compliance
- Logging to record data processing
- Whether and how international transfers can take place
Data processors must obtain consent from the controller before delegating data handling to another company. If processors intend to delegate their functions, the DPA should state:
- When sub-processing is allowed
- How processors should appoint sub-processors
- How to obtain consent from the data controller
Processor DPAs must meet GDPR requirements. However, processors also need to create and maintain them efficiently. This can be challenging for data processors that manage many clients and contracts.
Processors often use automated contract lifecycle management (CLM) systems to reduce the compliance workload. CLM systems gather all DPAs in one location and ensure agreements are GDPR-compliant.
The controller’s role in a Data Processing Agreement
Under GDPR, data controllers decide the purpose of data collection. They also determine how data is collected. Controllers can operate alone, signing direct DPAs with third parties. But they can also form joint controller arrangements.
Joint controllers work together to collect user data. In a joint controller operation, organizations share DPAs. Partner organizations collaborate to manage processing agreements and deliver a high standard of user privacy.
Critical elements of a DPA from the controller’s perspective include:
- A clear statement identifying the data controller and a responsible individual. This is usually the controller's DPO.
- Information about the type of data being collected and data subjects involved.
- A description of the lawful basis for data collection under GDPR.
- How the controller will ensure consent to share information.
- Any extra instructions about how the processor should handle data.
An accurate data processor agreement is extremely important because data controllers are legally accountable under GDPR. The controller will receive penalties for privacy or consent violations. Robust processing agreements cut the risk of fines by defining the responsibilities of partner organizations.
Writing agreements for international data transfers
Companies that sell to EU customers but process data elsewhere may need to move personal data out of EU nations. If this applies, organizations need to keep two things in mind.
First, companies must know whether an "adequacy decision" covers the destination jurisdiction.
The European Commission makes adequacy decisions. These decisions certify that nations outside the EU provide “adequate levels of data protection.” Data can flow from the EU to safe jurisdictions without extra safeguards.
Adequacy decisions do not cover every nation. The Commission can also revoke decisions if conditions change. Currently, the following countries qualify under EU regulations:
- The United States
- The United Kingdom
- Canada
- Argentina and Uruguay
- Israel
- Japan
- New Zealand
- Republic of Korea
- Switzerland
This list leaves some significant gaps. For instance, it does not include Australia. China, India, Mexico, and all of Africa also lack adequacy decisions. Data transferred to these areas requires extra safeguards. Controllers need a strong business reason for making these transfers.
Second, international transfers to countries without adequacy decisions require standard data protection clauses, better known as Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs).
- Standard Data Protection Clauses. SCCs provide a foundation for secure data transfers to non-EU jurisdictions. They ensure that data processing meets EU standards. SCCs tend to supplement DPAs. They do not replace them. Most controllers will need an SCC and a DPA to meet regulatory requirements.
- Binding Corporate Rules. A BCR is a data privacy agreement that operates within an organization. BCRs assure EU regulators that data transfers to subsidiaries in non-EU jurisdictions meet GDPR standards. Unlike SCCs, BCRs are approved by EU regulators before they come into force. And they apply to all organizations within the same group. With a BCR, controllers do not need a separate DPA within the same company.
Create DPAs to regulate third-party relationships
Data processing agreements provide a robust foundation for processing personal data. They ensure that data controllers and processors meet GDPR requirements. Parties to a DPA should be aware of their roles and data protection responsibilities.
Properly structured data privacy agreements reduce the risk of GDPR violations and enhance privacy protections for individuals. Without effective DPAs, a company operating in the European Union will struggle to meet compliance obligations. Knowing how to create and assess privacy agreements is essential.
Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.