Last updated on 25 April 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
Complying with the EU General Data Protection Regulation (GDPR) can take a lot of work. You have to make sure that you're processing your users' personal data transparently, storing it securely, and only asking them for the information that you actually need. But that's just part of what's required.
You're also responsible for ensuring that certain companies with whom you share your users' data treat it with the same level of respect as you would.
You must make sure you only pass on your users' data to companies that are GDPR-compliant. And you're legally required to have a contract in place with any data processors - that is, anyone who processes personal data on your behalf.
This is where your Data Processing Agreement comes in. Let's take a look at what you'll need to include in this agreement to make sure it meets the GDPR's requirements.
A Data Processing Agreement (DPA) - also known as a data processing addendum - is a contract between data controllers and data processors or data processors and subprocessors.
These agreements are intended to ensure that each entity in the partnership is operating in compliance with the GDPR or other applicable privacy laws in order to protect the interests of both parties.
For example, if you collect personal data from the users on your website, then use a third-party processor to handle some aspect of your business strategy, you would want to know that that data processor is operating within GDPR compliance and doing what they should be doing with the important data of your users.
Should your data processor break compliance, mishandle data, or fall victim to a data breach, a data processing agreement can protect you legally by proving that you did your due diligence to ensure that the company you partnered with was following proper procedures.
Without such a contract, responsibility and blame may fall on you for utilizing a third party without adequate policies and procedures in place. This could also affect your users who trusted you with their personal information.
Here's the introduction of Basecamp's DPA:
Data controllers should have a DPA in place with all of the data processors they use. Data processors should also have a data processing agreement with any subprocessors they use.
Essentially, if you share personal data that has been entrusted to you with another company, a contract should be drawn up to ensure that everyone is handling that data properly.
As noted, a Data Processing Agreement is a contract between a data controller and a data processor that covers how to handle the personal data of data subjects. These terms are defined in Article 4 of the GDPR:
An individual could be a data subject, a data controller and a data processor - depending on their relationship to a set of personal data. A company that acts primarily as a data processor will also often be a data controller in some respects.
Let's put this into context. Imagine yourself, an individual (data subject), shopping online at an ecommerce store.
The ecommerce store asks you for your credit card details in order to take a payment. The store is the data controller. It's deciding the purpose (to sell you a product) and means (taking your credit card details) of processing your personal data.
You provide your credit card details via a payment service such as PayPal. Here, PayPal is the data processor. It processes the payment on behalf of the data controller - the ecommerce store.
Some other examples of data processors include companies that offer services in the following areas:
Data controllers must have a Data Processing Agreement in place with any data processors they use. The agreement might be written by the controller or the processor. However, it is binding on both parties.
The GDPR brings new obligations for data processors. As the European Commission puts it, data processors can't "hide behind" their data controllers. But the main obligation to keep personal data safe falls on the data controller.
Recital 74 states that the data controller is liable for any data processing carried out on its behalf. So, it's in a data controller's interest to ensure this processing is done in a safe and legal way.
Under Article 28, a data processor is only permitted to process personal data "on documented instructions from the controller" (unless legally required to do otherwise). A data processor can also hire "subprocessors" to carry out data processing on its behalf, but only with written permission from its data controller. The processor is liable to the data controller for the actions of these subprocessors.
A Data Processing Agreement is a way to meet the requirements placed on both data controllers and processors.
Without a Data Processing Agreement or other written contract in place, it's illegal for a data controller to engage the services of a data processor, or for a data processor to process personal data on a data controller's behalf.
While small businesses may not need as many, or as thorough, data processing agreements as larger companies, they should still have them if they use third-party services or data processors with whom they share the personal information of their users.
Data processing agreements are meant to protect both your company and its users from mishandling of personal data that could result in damages or lawsuits. A data processing agreement is just as necessary for small businesses as it is for large ones.
Small businesses often use third parties or data processors to assist in areas that large companies might handle internally, such as payment processing and customer service.
If, for example, you run a small website and use a third-party service to process online payments, you will need to have a contract in place to ensure that your payment processor is handling the payment data of residents of the EU in compliance with the GDPR.
If your company is GDPR compliant, any data processors you use should be too, and that includes having a compliant data processing agreement in place.
Here is a list of frequently asked questions that you may find useful.
Data controllers are required to have a GDPR Data Processing Agreement (DPA) in place when they use data processors.
This is because data controllers will be sharing legally-protected personal information with data processors during the course of this relationship, and a DPA will help ensure the data processor agrees to handle the data appropriately.
There are certain clauses required in every Data Processing Agreement. We're going to take a look at some examples of these clauses within actual Data Processing Agreements.
Bear in mind that many of these are written by large data processors whose clients or customers are data controllers. This doesn't matter. While the wording will vary, these clauses are mandatory in any Data Processing Agreement, whether written by a data controller or data processor.
The Data Processing Agreement must be explicit about what it is that the data processor will actually be doing. For example, the following aspects of the data processing must be specified:
Many Data Processing Agreements include this information as a Schedule or Appendix at the end of the agreement.
Here's an example from DotDigital:
The duration of the agreement is sometimes referred to as its "term." This is not usually given in months or years. Instead, it stipulates the conditions on which the agreement will terminate. It's normal for a contract to include a clause like this. It's required in a Data Processing Agreement to ensure that data processors cannot process the personal data indefinitely.
Here's the relevant part of DotDigital's DPA:
And here's another example from Bitrix:
Here's part of a Data Processing Agreement from Voluum DSP where it sets out the nature and purposes of the processing it will carry out on behalf of data controllers:
The Data Processing Agreement must include details about the categories of personal data and the categories of data subjects.
Here's an example from Virtual College that shows both the categories of data subjects and the types of personal data dealt with:
Whilst the focus of the agreement is on the data processor, the obligations of the data controller must also be made clear.
Here's an excerpt from this section of Huble Digital's agreement that covers obligations:
"Data exporter" means "data controller" in this particular agreement.
Note that the obligations aren't very specific at all. This clause works more as a general statement that obligates the data controller to follow the agreement and adhere to laws.
Most of the compulsory terms required in a Data Processing Agreement are obligations on the data processor. These are set out across Chapter 4 of the GDPR, with Article 28 being particularly important.
The processor must process personal data "only on documented instructions from the controller." This is the reason for the Data Processing Agreement itself, but it also needs to be explicitly stated within the agreement.
Here's an example from Questback's agreement:
"Customer" means "data controller" in this agreement because Questback is the processor for other companies, and these other companies are Questback's customers and data controllers in the relationship.
The processor must make sure "that persons authorised to process the personal data have committed themselves to confidentiality." Note that this is not the same as a non-disclosure agreement. It's primarily in place to protect the interests of data subjects - not the data processor or controller.
Here's an example of such a clause from SuperOffice:
"MSA" here is an abbreviation for Master Subscription Agreement - SuperOffice's main Terms & Conditions.
The processor must explicitly agree to comply with the obligations in Article 32 of the GDPR. This part of the GDPR is about the security of the data processing. It requires both data processors and data controllers to build certain security measures into their data processing activities.
Different Data Processing Agreements approach this with varying levels of detail.
For example, here's just one small part of this section from TimeTac's agreement:
Here's how Voluum DSP addresses this topic as well as data breach prevention:
Here's how Bitrix addresses security procedures for subprocessors, specifically:
The data processor "shall not engage another processor without prior specific or general written authorisation of the controller." Any such subprocessors are bound by the same level of obligations as the main processor under the Data Processing Agreement.
Note that hiring subprocessors is allowed under the general written agreement of the data controller. The Data Processing Agreement is where such written agreement can be set out.
Here's an example from SuperOffice:
There are a few points to note about this clause:
A data controller must facilitate its data subjects' rights, but it might need the data processor's help with this. This is because some of these rights involve accessing or deleting personal data that might be in the possession of the data processor, or restricting or stopping processing that the data processor may be carrying out.
Here's an example of this clause from Float:
The Data Processing Agreement also presents an opportunity to specify the time period in which a data processor must comply with such a request.
The data controller must carry out a Data Protection Impact Assessment before undertaking any new high-risk data processing project. The processor is obliged to help with this if required.
Here's an example from Semrush:
The data controller must report any serious personal data breaches to its Data Protection Authority. The data processor has a part to play here, too. It must "notify the controller without undue delay after becoming aware of a personal data breach."
Here's what Debenhams requires of its data processors in the event of a data breach:
Note that the 72-hour deadline given here might be cutting it a little close. The controller has an obligation to report the breach to its Data Protection Authority within 72 hours. Receiving notification from its data processor towards the end of this period might cause it to miss this deadline.
Under Recital 81, "after the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data."
Here's how HubSpot's agreement complies with this:
The data processor must allow the data controller to conduct audits. These might be conducted by another organization, on the data controller's behalf. The Data Processing Agreement must permit this, but it can also establish the basis on which this may occur.
Here's an example from Virtual College, writing as the data processor. It grants the data controller permission to carry out audits - but also sets out the terms of this arrangement:
You can set your own terms here, so long as you do allow audits.
In addition to the mandatory clauses that the GDPR requires, you can also include other terms.
Remember that the Data Processing Agreement is a contract that will govern the way the data controller and data processor do business.
Like with any contract, it's good to set out the definitions of key terms at the start of your Data Processing Agreement. The aim is to keep the number of contractual grey areas to a minimum in the event of a dispute.
Some terms that you'll want to define include:
Here's an excerpt from the definitions section of Inline Manual's Data Processing Agreement:
If you have any proprietary terms or words that you use in a way that isn't generally understood, define them so there aren't any miscommunications or issues with the terms.
It might be a good idea to insert this clause into your Data Processing Agreement if, for example, you're asking a data processor to process large amounts of special category data.
Here's the relevant section from Caci's Data Processing Agreement:
The GDPR has some strict rules about transferring personal data outside of the EU. But it is allowed, and will often occur between data controllers and their data processors, or between data processors and their subprocessors.
International data transfers can take place under certain conditions, including where the third country has received an adequacy decision from the European Commission.
Here's how Caci manages overseas transfers, making it so that the processor can't do so without prior written consent of the data controller:
The GDPR requires a data processor to keep records of its activities. Agreeing to this requirement is implicit in some of the clauses we've looked at above. But many Data Processing Agreements also include this as an explicit requirement on the data processor, together with the terms on which such records must be shared.
Here's an example from Voluum DSP:
As with any contract, it's wise to establish the jurisdiction in which disputes about the agreement will be settled (the "governing law"). Although the GDPR applies across EU countries (with some minor variations), the laws governing contracts may be very different in the countries where the data controller and data processor are based.
Here's an example from Planday's Data Processing Agreement:
Wherever data processing is performed by a data processor, it is essential to have a clear Data Processing Agreement in place. Not only is it a legal requirement, but it will also allow you to set the terms on which you do business, and reduce the opportunity for legal disputes.
Your Data Processing Agreement must include: