Data Processing Agreement

In today's world, where data increasingly resembles currency, it's essential for businesses that collect or process consumers' personal data to maintain a Data Processing Agreement to comply with applicable privacy and data protection laws.

This article explains what a Data Processing Agreement is, what laws require you to have one, how you can create your own Data Processing Agreement, and the penalties for not having one.

Definitions

There are a few key terms you will need to know to understand what a Data Processing Agreement is.

• Personal data is information that can be used to identify an individual, such as names, email addresses, phone numbers, and health and financial information.

• Data processing is the use of consumers' personal data.

  Data processing activities can include (but are not limited to):

  • Collection
  • Storage
  • Sharing
  • Recording
  • Organizing
  • Alteration
  • Retrieval
  • Restriction
  • Destruction
• A data controller is someone who makes decisions about how and why to process consumers' personal data.
• A data processor is the person or entity responsible for the actual processing of the data.
• A subprocessor is someone who processes personal data on behalf of a data processor.

What is a Data Processing Agreement (DPA)?

A Data Processing Agreement (also referred to as a Data Processing Addendum or DPA) is a contract between:

• Data controllers and data processors, or
• Data processors and subprocessors

A Data Processing Agreement helps you ensure that any third-party companies that process data on behalf of your business agree to treat consumers' personal data in accordance with applicable privacy and data protection laws.

For example, let's say you sell books online and collect emails from people who sign up for your newsletter. If you use an email marketing platform to run your advertising campaigns then you would want to have a Data Processing Agreement in place to help ensure that the marketing platform keeps consumers' email addresses safe.

A Data Processing Agreement can help provide your business with legal protection if the contracted party:

• Fails to comply with applicable laws
• Mistreats data
• Is affected by a data breach

In case of the circumstances listed above, the Data Processing Agreement can serve to show enforcing authorities that you did your due diligence.

If you don't have a Data Protection Agreement in place, you may be held legally responsible for mishandling consumers' personal data or breaching data protection laws. You can face harsh financial penalties and can lose consumer trust in your organization.

You should have a Data Protection Agreement with all third parties you use to process personal data, and data processors should have a Data Protection Agreement with any subprocessors they use.

Any businesses that collect or process personal data and share it with another company should have a Data Processing Agreement in place to help ensure that the data is handled correctly.

Is a Data Processing Agreement (DPA) Required by Law?

There are several laws that require applicable businesses to maintain Data Processing Agreements or similar contracts.

Let's take a look at what some of these laws require.

GDPR

The GDPR is the EU's primary data protection law. It requires organizations that collect or process personal data belonging to EU residents to maintain a Data Protection Agreement.

The Data Protection Agreement should include descriptions of:

• The subject matter of the processing
• The duration of the processing
• The reasons for the processing
• The types of personal data to be processed
• The categories of data subjects (people to whom personal data belongs)
• The data controller's rights and responsibilities

Article 28 of the GDPR explains the law's Data Protection Agreement requirements, including explaining the reasons for processing personal data and keeping personal data confidential and secure:

PIPEDA

PIPEDA contains ten fair information principles to guide organizations in how they treat Canadian residents' personal information. Principle 1 requires applicable organizations to keep the personal information they control safe. If an organization employs a third party for data processing, then it should use a contract to ensure that the third party provides the same standard of protection.

Section 4.1 of PIPEDA explains that businesses should use a contract to ensure that third parties that process personal data on their behalf keep that data safe:

CCPA/CPRA

The CCPA/CPRA applies to certain companies that meet its criteria and do business with California residents. Applicable businesses that collect California consumers' personal data and disclose the data to a service provider or contractor for business purposes must enter into a contract with the third party.

The contract should:

• Explain the reasons you are disclosing the data
• Ensure the third party agrees to provide the standard of protection the law requires
• Require the third party to notify you if it can't fulfill its obligations
• Give the third party the right to protect personal data from unauthorized use

Section 1798.100 (d) of the CPRA states that businesses that use a third party to process California consumers' personal data should have a contract in place that ensures that the processor provides the level of protection required by the law:

VCDPA

The VCDPA applies to companies that do business in Virginia or sell products or services to Virginia residents and meet its criteria. It requires data controllers and data processors to maintain a contract that includes instructions for data processing and details about the types of personal data to be processed and how it will be processed.

Section 59.1-579 (B) of the VCDPA lists the information a contract between data controllers and data processors should contain, including keeping personal data confidential and ensuring that subcontractors meet the same obligations as data processors:

How Do You Create a Data Processing Agreement (DPA)?

Your Data Processing Agreement needs to be clearly written and easy to understand and should contain information about the rights and responsibilities of all parties involved.

The exact information your Data Processing Agreement needs to contain depends on what laws apply to you and protect your consumers. However, there are some essential clauses that all Data Processing Agreements should contain, such as a description of the categories of personal data to be processed and the methods by which it will be processed.

Let's take a look at the different clauses your Data Processing Agreement should include.

Definitions

This section of your Data Processing Agreement should list and define the terms that are used in your agreement to help ensure clarity for all parties.

Built In's Data Processing Agreement begins with a Definitions section that describes the terms the contract contains:

Data Processing Roles and Responsibilities

This clause describes each party's roles and responsibilities. You can use it to explain that data processing is limited to the strictly necessary purposes as described within the contract and that all parties must keep personal data secure.

Amazon Web Services' Data Processing Agreement explains that data processors are not allowed to process personal data for their own purposes, and cannot share personal data with any third parties other than approved Subprocessors:

Wix's Data Processing Addendum states that it functions as the data processor/service provider and the other party's role is the data controller/business:

Data Processing Instructions and Details

This clause should list the types of personal data to be processed and include details about why the data is processed and how long it is retained. It should contain instructions for how personal data is to be processed.

Klaviyo's Data Processing Agreement explains where comprehensive data processing details can be found, and states that the processing of customers' personal data will be limited to the activities and instructions provided by the data controller:

Red Arc's Data Processing Agreement explains that it processes personal data in response to the data controller's instructions to provide its services and that it retains personal data for the duration of its Principal Agreement:

GitHub's Data Processing Agreement lists the data processing activities that it will perform on behalf of a data controller, including providing Online Services and troubleshooting:

DigitalOcean's Data Processing Agreement includes a table with a description of approved processing activities, the party status for the activity, and the categories of data being processed:

Requirements for Keeping Data Secure

This section explains the steps data processors must take to keep personal data secure, such as responding to data breaches and complying with specific privacy legislation.

DocuSign's Data Protection Agreement explains what it agrees to do to protect consumers' personal data, including ensuring that authorized staff keep data confidential and complying with data protection laws:

Stripe's Data Processing Agreement lists its data processing obligations, including informing the data controller if it violates a data protection law and notifying data controllers of any consumer requests they receive concerning personal data:

Consumers' Rights

This clause lists consumers' data rights under applicable laws, including their rights should a data breach occur. It explains that data processors and data controllers must respond to consumer requests concerning their personal data.

Atlassian's Data Processing Addendum states that customers have the right to request to have their personal data deleted or returned to them and that it will honor those requests:

What Happens if You Don't Have a Data Processing Agreement (DPA) But Need One?

If you are required to have a Data Processing Agreement and don't have one, you could face injunctions and financial penalties.

Maximum financial penalties for violations of the following data protection laws are:

• GDPR: Up to $20 million euros or 4% of a company's annual revenue
• PIPEDA: Up to $100,000 per violation
• CPRA: Up to $7,500 per violation
• VCDPA: Up to $7,500 per violation

The data protection laws that apply to you depend on your and your consumers' locations. To keep consumers' personal data safe and avoid penalties you should find out what laws you are subject to and what they require. Writing a comprehensive Data Protection Agreement that is specific to relevant legislation can help keep you compliant and avoid fines.

Summary

A Data Processing Agreement is a contract between data controllers and data processors, or data processors and subprocessors. It helps ensure that any company that processes data on behalf of another business treats consumers' personal data in accordance with applicable data protection laws.

There are several laws that require applicable organizations to have Data Processing Agreements or similar contracts, including the following:

• GDPR
• PIPEDA
• CCPA/CPRA
• VCDPA

Your Data Processing Agreement should include the following information:

• Definitions of terms
• Role and responsibilities
• Data processing instructions and details
• Requirements for keeping personal data secure
• Consumers' rights

Penalties for not having a Data Processing Agreement can include injunctions and fines.