GDPR Data Processing Agreement Template

GDPR Data Processing Agreement Template

Complying with the EU General Data Protection Regulation (GDPR) can take a lot of work. You have to make sure that you're processing your users' personal data transparently, storing it securely, and only asking them for the information that you actually need. But that's just part of what's required.

You're also responsible for ensuring that certain companies with whom you share your users' data treat it with the same level of respect as you would.

You must make sure you only pass on your users' data to companies that are GDPR-compliant. And you're legally required to have a contract in place with any data processors - that is, anyone who processes personal data on your behalf.

This is where your Data Processing Agreement comes in. Let's take a look at what you'll need to include in this agreement to make sure it meets the GDPR's requirements.


Data Subjects, Data Controllers, and Data Processors

Data Subjects, Data Controllers, and Data Processors

A Data Processing Agreement is a contract between a data controller and a data processor that covers how to handle the personal data of data subjects. These terms are defined in Article 4 of the GDPR:

  • Data subjects are individual persons. They have "personal data" - information that can be used to identify them. This ranges from obvious information such as their names and addresses, to more obscure information like their IP addresses or internet browser data.
  • A data controller is any person or organization that "determines the purposes and means of the processing of personal data." It decides why and how data subjects' personal data is processed. "Processing" personal data can mean all manner of things - collecting it, storing it, sharing it.
  • A data processor is any person or organization that "processes personal data on behalf of the [data] controller." They don't have a direct relationship with the data subjects.

An individual could be a data subject, a data controller and a data processor - depending on their relationship to a set of personal data. A company that acts primarily as a data processor will also often be a data controller in some respects.

Let's put this into context. Imagine yourself, an individual (data subject), shopping online at an ecommerce store.

The ecommerce store asks you for your credit card details in order to take a payment. The store is the data controller. It's deciding the purpose (to sell you a product) and means (taking your credit card details) of processing your personal data.

You provide your credit card details via a payment service such as PayPal. Here, PayPal is the data processor. It processes the payment on behalf of the data controller - the ecommerce store.

Some other examples of data processors include companies that offer services in the following areas:

  • Accounts
  • Payroll
  • Email marketing
  • Databases
  • Market research

Who Needs a Data Processing Agreement?

Who Needs a Data Processing Agreement?

Data controllers must have a Data Processing Agreement in place with any data processors they use. The agreement might be written by the controller or the processor. However, it is binding on both parties.

The GDPR brings new obligations for data processors. As the European Commission puts it, data processors can't "hide behind" their data controllers. But the main obligation to keep personal data safe falls on the data controller.

Recital 74 states that the data controller is liable for any data processing carried out on its behalf. So, it's in a data controller's interest to ensure this processing is done in a safe and legal way.

Under Article 28, a data processor is only permitted to process personal data "on documented instructions from the controller" (unless legally required to do otherwise). A data processor can also hire "subprocessors" to carry out data processing on its behalf, but only with written permission from its data controller. The processor is liable to the data controller for the actions of these subprocessors.

A Data Processing Agreement is a way to meet the requirements placed on both data controllers and processors.

Without a Data Processing Agreement or other written contract in place, it's illegal for a data controller to engage the services of a data processor, or for a data processor to process personal data on a data controller's behalf.

FAQ: GDPR Data Processing Agreement

Here is a list of frequently asked questions that you may find useful.

Data controllers are required to have a GDPR Data Processing Agreement (DPA) in place when they use data processors.

This is because data controllers will be sharing legally-protected personal information with data processors during the course of this relationship, and a DPA will help ensure the data processor agrees to handle the data appropriately.

The GDPR requires that the following information be included in your data processing agreement:

  • What information will be processed
  • For how long that information will be processed
  • Why the information is being processed/for what purpose
  • The rights and responsibilities of the data controller
  • A statement that the data processor should only act according to the written instructions from the data controller
  • A statement that data processing is done confidentially
  • A statement that proper security measures are in place during every step of the data processing
  • A restriction that subprocessors can only be used with the data controller's knowledge and consent
  • A note that data controllers and processors should work together to resolve subject access requests
  • A statement that data controllers and processors should work together to protect the rights and privacy of data subjects
  • The requirement that data processors must inform data controllers of data breaches
  • The requirement that data processors should assist data controllers in data protection impact assessments where applicable
  • The requirement that data processors erase or return the personal information from the data controller after the contract is complete
  • A note that both data controllers and processors should be prepared for audits or inspections and assist one another as needed to prove legal compliance
  • A note that both data processors and controllers should be on the lookout for any practices that violate the GDPR and should notify the other so that corrections can be made
  • The data processor shall have a Data Protection Officer appointed as required by the GDPR
  • The data processor shall keep records of processing activity

Make sure that both parties (you and the data processor) both validly sign the agreement to make it enforceable.


Mandatory Data Processing Agreement Clauses

Mandatory Data Processing Agreement Clauses

There are certain clauses required in every Data Processing Agreement. We're going to take a look at some examples of these clauses within actual Data Processing Agreements.

Bear in mind that many of these are written by large data processors whose clients or customers are data controllers. This doesn't matter. While the wording will vary, these clauses are mandatory in any Data Processing Agreement, whether written by a data controller or data processor.

Information about the Data Processing

The Data Processing Agreement must be explicit about what it is that the data processor will actually be doing. For example, the following aspects of the data processing must be specified:

  • Subject matter
  • Duration
  • Nature
  • Purpose

Many Data Processing Agreements include of this information as a Schedule or Appendix at the end of the agreement.

Here's an example from Dotmailer:

Dotmailer Data Processing Addendum: Excerpt of Schedule 1 Data Processing Detai

The duration of the agreement is sometimes referred to as its "term." This is not usually given in months or years. Instead, it stipulates the conditions on which the agreement will terminate. It's normal for a contract to include a clause like this. It's required in a Data Processing Agreement to ensure that data processors cannot process the personal data indefinitely.

Here's the relevant part of a Data Processing Agreement from SEMrush:

SEMrush Data Processing Agreement: Term and termination clause

Here's part of a Data Processing Agreement from Voluum (Codewise) where it sets out the nature and purposes of the processing it will carry out on behalf of data controllers:

Voluum Data Processing Agreement: Clause discussing purposes for processing personal data

Information about the Personal Data and Data Subjects

The Data Processing Agreement must include details about the categories of personal data and the categories of data subjects. Here's an example from Virtual College:

Virtual College Data Processing Agreement: Categories of Data Subjects and Types of Personal Data clause

Here's how Bitrix24 displays the categories of personal data covered by its agreement:

Bitrix Data Processing Agreement: Types of Personal Data clause

Try to cover as much of the personal data as possible here. Note how Bitrix starts its clause by saying its Customer Personal Data "may" include the types of data listed. This makes it clear that not every type of data on the list will necessarily be processed, but that it may be.

Obligations of the Data Controller

Whilst the focus of the agreement is on the data processor, the obligations of the data controller must also be made clear.

Here's an excerpt from this section of The B2B Marketing Lab's agreement that covers obligations:

B2B Marketing Labs Data Processing Agreement: Obligations of the data exporter clause

"Data exporter" means "data controller" in this particular agreement.

Note that the obligations aren't very specific at all. This clause works more as a general statement that obligates the data controller to follow the agreement and adhere to laws.

Obligations of the Data Processor

Most of the compulsory terms required in a Data Processing Agreement are obligations on the data processor. These are set out across Chapter 4 of the GDPR, with Article 28 being particularly important.

Written Instructions

The processor must process personal data "only on documented instructions from the controller." This is the reason for the Data Processing Agreement itself, but it also needs to be explicitly stated within the agreement.

Here's an example from Questback's agreement:

Questback Data Processing Agreement: Processor clause addressing written instructions

"Customer" means "data controller" in this agreement because Questback is the processor for other companies, and these other companies are Questback's customers and data controllers in the relationship.

Confidentiality

The processor must make sure "that persons authorised to process the personal data have committed themselves to confidentiality." Note that this is not the same as a non-disclosure agreement. It's primarily in place to protect the interests of data subjects - not the data processor or controller.

Here's an example of such a clause from SuperOffice:

SuperOffice Data Processing Agreement and NDA: Confidentiality clause

"MSA" here is an abbreviation for Master Subscription Agreement - SuperOffice's main Terms & Conditions.

Security

The processor must explicitly agree to comply with the obligations in Article 32 of the GDPR. This part of the GDPR is about the security of the data processing. It requires both data processors and data controllers to build certain security measures into their data processing activities.

Different Data Processing Agreements approach this with varying levels of detail. For example, here's just one small part of this section from TimeTac's agreement:

TimeTac Data Processing Agreement: Integrity clause for data transfer and data entry control

And here's how Sendmate's agreement addresses this obligation:

Sendmate Data Processing Agreement: Data Security clause

Note that both clauses mention Article 32 of the GDPR.

Subprocessors

The data processor "shall not engage another processor without prior specific or general written authorisation of the controller." Any such subprocessors are bound by the same level of obligations as the main processor under the Data Processing Agreement.

Note that hiring subprocessors is allowed under the general written agreement of the data controller. The Data Processing Agreement is where such written agreement can be set out.

Here's an example from Trustpilot:

Trustpilot Data Processing Agreement: Subprocessors clause

There are a few points to note about Trustpilot's subprocessors clause:

  • The agreement (written by Trustpilot, as the data processor) gives the data processor blanket permission to hire subprocessors.
  • There are a number of checks and balances to ensure that the controller retains control over these sub-contractual agreements.
  • The agreement states that subprocessors are bound by the same terms as the main processor.
  • The data processor explicitly accepts liability for the actions of the subprocessor. This is a key principle of this part of the GDPR.

Data Rights

The data processor must agree to help the data controller to facilitate data subject rights. There are eight of these, set out across Chapter 3 of the GDPR.

A data controller must facilitate its data subjects' rights but it might need the data processor's help with this. This is because some of these rights involve accessing or deleting personal data which might be in the possession of the data processor, or restricting or stopping processing which might be being performed by the data processor.

Here's an example of this clause from Float:

Float Data Processing Agreement: Data Subject Requests clause

The Data Processing Agreement also presents an opportunity to specify the time period in which a data processor must comply with such a request.

Data Protection Impact Assessments

The data controller must carry out a Data Protection Impact Assessment before undertaking any new high-risk data processing project. The processor is obliged to help with this if required.

Here's an example from PayByLink's agreement:

PayByLink Data Processing Agreement: Data Protection Impact Assessment clause

Data Breach Notifications

The data controller must report any serious personal data breaches to its Data Protection Authority. The data processor has a part to play here, too. It must "notify the controller without undue delay after becoming aware of a personal data breach."

Here's what Debenhams requires of its data processors in the event of a data breach:

Debenhams Data Processing Agreement: Breach requirements clause

Note that the 72 hour deadline given here might be cutting it a little close. The controller has an obligation to report the breach to its Data Protection Authority within 72 hours. Receiving notification from its data processor towards the end of this period might cause it to miss this deadline.

Return or Deletion of Personal Data

Under Recital 81, "after the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data."

Here's how HubSpot's agreement complies with this:

HubSpot Data Processing Agreement: Deletion or Retrieval of Personal Data clause

Audits

The data processor must allow the data controller to conduct audits. These might be conducted by another organization, on the data controller's behalf. The Data Processing Agreement must permit this, but it can also establish the basis on which this may occur.

Here's an example from Capsule, writing as the data processor. It grants the data controller permission to carry out audits - but also sets out the terms of this arrangement.

Capsule Data Processing Agreement: Audit clause

You can set your own terms here, so long as you do allow audits.

Other Data Processing Agreement Clauses

Other Data Processing Agreement Clauses

In addition to the mandatory clauses that the GDPR requires, you can also include other terms.

Remember that the Data Processing Agreement is a contract that will govern the way the data controller and data processor do business.

Definitions

Like with any contract, it's good to set out the definitions of key terms at the start of your Data Processing Agreement. The aim is to keep the number of contractual grey areas to a minimum in the event of a dispute.

Some terms that you'll want to define include:

  • Data controller
  • Data processor
  • Data subject
  • Subprocessor
  • Personal data
  • Processing
  • Data protection law

Here's an excerpt from the definitions section of Inline Manual's Data Processing Agreement:

Inline Manual Data Processing Agreement: Definitions clause excerpt

If you have any proprietary terms or words that you use in a way that isn't generally understood, define them so there aren't any miscommunications or issues with the terms.

Mandatory Data Protection Officer

Under Article 37, certain organizations need to appoint a Data Protection Officer. Some Data Processing Agreements place a requirement on the data processor to do this.

It might be a good idea to insert this clause into your Data Protection Agreement if, for example, you're asking a data processor to process large amounts of special category data.

Here's the relevant section from Caci's Data Processing Agreement:

Caci Supplemental GDPR Clauses: Processor's other obligations - DPO

International Data Transfers

The GDPR has some strict rules about transferring personal data outside of the EU. But it is allowed, and will often occur between data controllers and their data processors, or between data processors and their subprocessors.

International data transfers can take place under certain conditions, including where the third country has received an adequacy decision from the European Commission. The United States has not received an adequacy decision - but transfers are allowed where the recipient US company is part of the Privacy Shield Framework.

Here's how Edgecumbe manages international transfers in its Data Processing Agreement. This is addressed to subprocessors, but it could equally be addressed to a data processor.

Edgecumbe Data Processing Agreement: Transfer to third countries clause

Record-Keeping

The GDPR requires a data processor to keep records of its activities. Agreeing to this requirement is implicit in some of the clauses we've looked at above. But many Data Processing Agreements also include this as an explicit requirement on the data processor, together with the terms on which such records must be shared.

Here's an example from Sleeknote:

Sleeknote Data Processing Agreement: Recordkeeping requirement clause

Governing Law

As with any contract, it's wise to establish the jurisdiction in which disputes about the agreement will be settled (the "governing law"). Although the GDPR applies across EU countries (with some minor variations), the laws governing contracts may be very different in the countries where the data controller and data processor are based.

Here's an example from Planday's Data Processing Agreement:

Planday Data Processing Agreement: Governing law clause

Summary of Your Data Processing Agreement

Summary of Your Data Processing Agreement

Wherever data processing is performed by a data processor, it is essential to have a clear Data Processing Agreement in place. Not only is it a legal requirement, but it will also allow you to set the terms on which you do business, and reduce the opportunity for legal disputes.

Your Data Processing Agreement must include:

  • Details of the subject matter, duration, nature, and purpose of the processing
  • Details of the categories of personal data and data subjects
  • Obligations of the data controller
  • Obligations of the data processor, including:
    • Only to act under the written instructions of the data controller
    • To keep personal data confidential
    • To comply with the GDPR's security requirements
    • To assist the data controller in facilitating data subject rights
    • To assist the data controller in conducting a Data Protection Impact Assessment if required
    • To inform the data controller on becoming aware of a personal data breach
    • To return to the data controller or delete any personal data on termination of the agreement
    • To permit the data controller to conduct audits
  • Any other applicable or optional clauses including:
    • Definitions of key terms
    • A requirement on the data processor to nominate a Data Protection Officer
    • The conditions around international data transfers
    • An explicit requirement on the data processor to keep data processing records
    • The governing law under which disputes will be resolved
Robert B.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.