Post-graduate law degree, CIPP/E from the International Association of Privacy Professionals (IAPP). Privacy and Data Protection Research Writer at TermsFeed.
On this page
- 1. What is a Data Processing Agreement?
- 2. Data Subjects, Data Controllers, and Data Processors
- 3. Who Needs a Data Processing Agreement?
- 4. Data Processing Agreements for Small Businesses
- 5. FAQ: GDPR Data Processing Agreement
- 6. Mandatory Data Processing Agreement Clauses
- 6.1. Information about the Data Processing
- 6.2. Information about the Personal Data and Data Subjects
- 6.3. Obligations of the Data Controller
- 6.4. Obligations of the Data Processor
- 6.4.1. Written Instructions
- 6.4.2. Confidentiality
- 6.4.3. Security
- 6.4.4. Subprocessors
- 6.4.5. Data Rights
- 6.4.6. Data Protection Impact Assessments
- 6.4.7. Data Breach Notifications
- 6.4.8. Return or Deletion of Personal Data
- 6.4.9. Audits
- 7. Other Data Processing Agreement Clauses
- 7.1. Definitions
- 7.2. Mandatory Data Protection Officer
- 7.3. International Data Transfers
- 7.4. Record-Keeping
- 8. Summary of Your Data Processing Agreement
When complying with the EU General Data Protection Regulation (GDPR), you must make sure you only pass on your users' data to companies that are GDPR-compliant. And you're legally required to have a contract in place with any data processors - that is, anyone who processes personal data on your behalf.
This is where your Data Processing Agreement comes in.
This article will let you know what you'll need to include in this agreement to make sure it meets the GDPR's requirements.
What is a Data Processing Agreement?
A Data Processing Agreement (DPA) - also known as a data processing addendum - is a contract between data controllers and data processors or data processors and subprocessors. These agreements are intended to ensure that each entity in the partnership is operating in compliance with the GDPR or other applicable privacy laws in order to protect the interests of both parties.
For example, if you collect personal data from the users on your website, then use a third-party processor to handle some aspect of your business strategy, you would want to know that that data processor is operating within GDPR compliance and doing what they should be doing with the important data of your users.
Should your data processor break compliance, mishandle data, or fall victim to a data breach, a data processing agreement can protect you legally by proving that you did your due diligence to ensure that the company you partnered with was following proper procedures.
Without such a contract, responsibility and blame may fall on you for utilizing a third party without adequate policies and procedures in place. This could also affect your users who trusted you with their personal information.
Here's the introduction of Basecamp's DPA:
Data controllers should have a DPA in place with all of the data processors they use. Data processors should also have a data processing agreement with any subprocessors they use.
Essentially, if you share personal data that you have been trusted with with another company, a contract should be drawn up to ensure that everyone is handling that data properly.
Data Subjects, Data Controllers, and Data Processors
As noted, a Data Processing Agreement is a contract between a data controller and a data processor that covers how to handle the personal data of data subjects. These terms are defined in Article 4 of the GDPR:
- Data subjects are individual persons. They have "personal data" - information that can be used to identify them. This ranges from obvious information such as their names and addresses, to more obscure information like their IP addresses or internet browser data.
- A data controller is any person or organization that "determines the purposes and means of the processing of personal data." It decides why and how data subjects' personal data is processed. "Processing" personal data can mean all manner of things - collecting it, storing it, sharing it.
- A data processor is any person or organization that "processes personal data on behalf of the [data] controller." They don't have a direct relationship with the data subjects.
An individual could be a data subject, a data controller and a data processor - depending on their relationship to a set of personal data. A company that acts primarily as a data processor will also often be a data controller in some respects.
Let's put this into context. Imagine yourself, an individual (data subject), shopping online at an ecommerce store.
The ecommerce store asks you for your credit card details in order to take a payment. The store is the data controller. It's deciding the purpose (to sell you a product) and means (taking your credit card details) of processing your personal data.
You provide your credit card details via a payment service such as PayPal. Here, PayPal is the data processor. It processes the payment on behalf of the data controller - the ecommerce store.
Some other examples of data processors include companies that offer services in the following areas:
- Email marketing
- Market research
Who Needs a Data Processing Agreement?
Data controllers must have a Data Processing Agreement in place with any data processors they use. The agreement might be written by the controller or the processor. However, it is binding on both parties.
The GDPR brings new obligations for data processors. As the European Commission puts it, data processors can't "hide behind" their data controllers. But the main obligation to keep personal data safe falls on the data controller.
Recital 74 states that the data controller is liable for any data processing carried out on its behalf. So, it's in a data controller's interest to ensure this processing is done in a safe and legal way.
Under Article 28, a data processor is only permitted to process personal data "on documented instructions from the controller" (unless legally required to do otherwise). A data processor can also hire "subprocessors" to carry out data processing on its behalf, but only with written permission from its data controller. The processor is liable to the data controller for the actions of these subprocessors.
A Data Processing Agreement is a way to meet the requirements placed on both data controllers and processors.
Without a Data Processing Agreement or other written contract in place, it's illegal for a data controller to engage the services of a data processor, or for a data processor to process personal data on a data controller's behalf.
Data Processing Agreements for Small Businesses
While small business may not need as many or as thorough of data processing agreements, they should still have them if they use third-party services or data processors with whom they share the personal information of their users.
Data processing agreements are meant to protect both your company and its users from mishandling of personal data that could result in damages or lawsuits. A data processing agreement is just as necessary for small businesses as it is for large ones.
Small businesses often use third-parties or data processors to assist in areas that large companies might handle internally, such as payment processing and customer service.
If, for example, you run a small website and use a third-party service to process online payments, you will need to have a contract in place to ensure that your payment processor is handling the payment data of residents of the EU in compliance with the GDPR.
If your company is GDPR compliant, any data processors you use should be too, and that includes having a compliant data processing agreement in place.
FAQ: GDPR Data Processing Agreement
Here is a list of frequently asked questions that you may find useful.
Data controllers are required to have a GDPR Data Processing Agreement (DPA) in place when they use data processors.
This is because data controllers will be sharing legally-protected personal information with data processors during the course of this relationship, and a DPA will help ensure the data processor agrees to handle the data appropriately.
The GDPR requires that the following information be included in your data processing agreement:
- What information will be processed
- For how long that information will be processed
- Why the information is being processed/for what purpose
- The rights and responsibilities of the data controller
- A statement that the data processor should only act according to the written instructions from the data controller
- A statement that data processing is done confidentially
- A statement that proper security measures are in place during every step of the data processing
- A restriction that subprocessors can only be used with the data controller's knowledge and consent
- A note that data controllers and processors should work together to resolve subject access requests
- A statement that data controllers and processors should work together to protect the rights and privacy of data subjects
- The requirement that data processors must inform data controllers of data breaches
- The requirement that data processors should assist data controllers in data protection impact assessments where applicable
- The requirement that data processors erase or return the personal information from the data controller after the contract is complete
- A note that both data controllers and processors should be prepared for audits or inspections and assist one another as needed to prove legal compliance
- A note that both data processors and controllers should be on the lookout for any practices that violate the GDPR and should notify the other so that corrections can be made
- The data processor shall have a Data Protection Officer appointed as required by the GDPR
- The data processor shall keep records of processing activity
Make sure that both parties (you and the data processor) both validly sign the agreement to make it enforceable.
Mandatory Data Processing Agreement Clauses
There are certain clauses required in every Data Processing Agreement. We're going to take a look at some examples of these clauses within actual Data Processing Agreements.
Bear in mind that many of these are written by large data processors whose clients or customers are data controllers. This doesn't matter. While the wording will vary, these clauses are mandatory in any Data Processing Agreement, whether written by a data controller or data processor.
Information about the Data Processing
The Data Processing Agreement must be explicit about what it is that the data processor will actually be doing. For example, the following aspects of the data processing must be specified:
- Subject matter
Many Data Processing Agreements include of this information as a Schedule or Appendix at the end of the agreement.
Here's an example from DotDigital:
The duration of the agreement is sometimes referred to as its "term." This is not usually given in months or years. Instead, it stipulates the conditions on which the agreement will terminate. It's normal for a contract to include a clause like this. It's required in a Data Processing Agreement to ensure that data processors cannot process the personal data indefinitely.
Here's the relevant part of DotDigital's DPA:
And here's another example from Bitrix:
Here's part of a Data Processing Agreement from Voluum DSP where it sets out the nature and purposes of the processing it will carry out on behalf of data controllers:
Information about the Personal Data and Data Subjects
The Data Processing Agreement must include details about the categories of personal data and the categories of data subjects.
Here's an example from Virtual College that shows both the categories of data subjects and the types of personal data dealt with:
Obligations of the Data Controller
Whilst the focus of the agreement is on the data processor, the obligations of the data controller must also be made clear.
Here's an excerpt from this section of Huble Digital's agreement that covers obligations:
"Data exporter" means "data controller" in this particular agreement.
Note that the obligations aren't very specific at all. This clause works more as a general statement that obligates the data controller to follow the agreement and adhere to laws.
Obligations of the Data Processor
Most of the compulsory terms required in a Data Processing Agreement are obligations on the data processor. These are set out across Chapter 4 of the GDPR, with Article 28 being particularly important.
The processor must process personal data "only on documented instructions from the controller." This is the reason for the Data Processing Agreement itself, but it also needs to be explicitly stated within the agreement.
Here's an example from Questback's agreement:
"Customer" means "data controller" in this agreement because Questback is the processor for other companies, and these other companies are Questback's customers and data controllers in the relationship.
The processor must make sure "that persons authorised to process the personal data have committed themselves to confidentiality." Note that this is not the same as a non-disclosure agreement. It's primarily in place to protect the interests of data subjects - not the data processor or controller.
Here's an example of such a clause from SuperOffice:
"MSA" here is an abbreviation for Master Subscription Agreement - SuperOffice's main Terms & Conditions.
The processor must explicitly agree to comply with the obligations in Article 32 of the GDPR. This part of the GDPR is about the security of the data processing. It requires both data processors and data controllers to build certain security measures into their data processing activities.
Different Data Processing Agreements approach this with varying levels of detail.
For example, here's just one small part of this section from TimeTac's agreement:
Here's how Voluum DSP addresses this topic as well as data breach prevention:
Here's how Bitrix addresses security procedures for subprocessors, specifically:
The data processor "shall not engage another processor without prior specific or general written authorisation of the controller." Any such subprocessors are bound by the same level of obligations as the main processor under the Data Processing Agreement.
Note that hiring subprocessors is allowed under the general written agreement of the data controller. The Data Processing Agreement is where such written agreement can be set out.
Here's an example from SuperOffice:
There are a few points to note about this clause:
- The agreement gives the data processor permission to hire subprocessors.
- There are a number of checks and balances to ensure that the controller retains control over these sub-contractual agreements.
- The agreement states that subprocessors are bound by the same terms as the main processor.
- There's a list of pre-approved sub-processors.
A data controller must facilitate its data subjects' rights but it might need the data processor's help with this. This is because some of these rights involve accessing or deleting personal data which might be in the possession of the data processor, or restricting or stopping processing which might be being performed by the data processor.
Here's an example of this clause from Float:
The Data Processing Agreement also presents an opportunity to specify the time period in which a data processor must comply with such a request.
Data Protection Impact Assessments
The data controller must carry out a Data Protection Impact Assessment before undertaking any new high-risk data processing project. The processor is obliged to help with this if required.
Here's an example from Semrush:
Data Breach Notifications
The data controller must report any serious personal data breaches to its Data Protection Authority. The data processor has a part to play here, too. It must "notify the controller without undue delay after becoming aware of a personal data breach."
Here's what Debenhams requires of its data processors in the event of a data breach:
Note that the 72 hour deadline given here might be cutting it a little close. The controller has an obligation to report the breach to its Data Protection Authority within 72 hours. Receiving notification from its data processor towards the end of this period might cause it to miss this deadline.
Return or Deletion of Personal Data
Under Recital 81, "after the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data."
Here's how HubSpot's agreement complies with this:
The data processor must allow the data controller to conduct audits. These might be conducted by another organization, on the data controller's behalf. The Data Processing Agreement must permit this, but it can also establish the basis on which this may occur.
Here's an example from Virtual College, writing as the data processor. It grants the data controller permission to carry out audits - but also sets out the terms of this arrangement:
You can set your own terms here, so long as you do allow audits.
Other Data Processing Agreement Clauses
In addition to the mandatory clauses that the GDPR requires, you can also include other terms.
Remember that the Data Processing Agreement is a contract that will govern the way the data controller and data processor do business.
Like with any contract, it's good to set out the definitions of key terms at the start of your Data Processing Agreement. The aim is to keep the number of contractual grey areas to a minimum in the event of a dispute.
Some terms that you'll want to define include:
- Data controller
- Data processor
- Data subject
- Personal data
- Data protection law
Here's an excerpt from the definitions section of Inline Manual's Data Processing Agreement:
If you have any proprietary terms or words that you use in a way that isn't generally understood, define them so there aren't any miscommunications or issues with the terms.
Mandatory Data Protection Officer
It might be a good idea to insert this clause into your Data Protection Agreement if, for example, you're asking a data processor to process large amounts of special category data.
Here's the relevant section from Caci's Data Processing Agreement:
International Data Transfers
The GDPR has some strict rules about transferring personal data outside of the EU. But it is allowed, and will often occur between data controllers and their data processors, or between data processors and their subprocessors.
International data transfers can take place under certain conditions, including where the third country has received an adequacy decision from the European Commission.
Here's how Caci manages overseas transfers, making it so that the processor can't do so without prior written consent of the data controller:
The GDPR requires a data processor to keep records of its activities. Agreeing to this requirement is implicit in some of the clauses we've looked at above. But many Data Processing Agreements also include this as an explicit requirement on the data processor, together with the terms on which such records must be shared.
Here's an example from Voluum DSP:
As with any contract, it's wise to establish the jurisdiction in which disputes about the agreement will be settled (the "governing law"). Although the GDPR applies across EU countries (with some minor variations), the laws governing contracts may be very different in the countries where the data controller and data processor are based.
Here's an example from Planday's Data Processing Agreement:
Summary of Your Data Processing Agreement
Wherever data processing is performed by a data processor, it is essential to have a clear Data Processing Agreement in place. Not only is it a legal requirement, but it will also allow you to set the terms on which you do business, and reduce the opportunity for legal disputes.
Your Data Processing Agreement must include:
- Details of the subject matter, duration, nature, and purpose of the processing
- Details of the categories of personal data and data subjects
- Obligations of the data controller
- Obligations of the data processor, including:
- Only to act under the written instructions of the data controller
- To keep personal data confidential
- To comply with the GDPR's security requirements
- To assist the data controller in facilitating data subject rights
- To assist the data controller in conducting a Data Protection Impact Assessment if required
- To inform the data controller on becoming aware of a personal data breach
- To return to the data controller or delete any personal data on termination of the agreement
- To permit the data controller to conduct audits
- Any other applicable or optional clauses including:
- Definitions of key terms
- A requirement on the data processor to nominate a Data Protection Officer
- The conditions around international data transfers
- An explicit requirement on the data processor to keep data processing records
- The governing law under which disputes will be resolved