What Is a Data Processing Agreement?
A Data Processing Agreement (DPA) is a legally binding contract that establishes the rights and obligations between a data controller and a data processor regarding the processing of personal data. It ensures that personal data is handled in compliance with data protection laws, particularly the GDPR.
DPAs are essential because they allocate responsibility for data protection between parties. When you share personal data with another organization to process it on your behalf, a DPA ensures that organization protects that data adequately.
DPA Key Facts
- Legal Basis: GDPR Article 28
- Parties: Controller (you) and Processor (vendor)
- Purpose: Define data processing rules and responsibilities
- Required: When processing personal data on behalf of others
- Enforcement: Can lead to regulatory fines if missing
When Do You Need a DPA?
You need a DPA whenever you engage another organization to process personal data on your behalf. This includes:
Common Scenarios Requiring DPAs
- Cloud Services: SaaS platforms, cloud hosting, storage
- Analytics: Google Analytics, Mixpanel, similar tools
- Marketing: Email marketing platforms, CRM systems
- Payment Processing: Payment gateways, processors
- Customer Support: Helpdesk software, chat platforms
- HR/Payroll: Payroll providers, HR systems
- Development: Software vendors, IT support
- Data Analysis: Data warehouses, BI tools
Key Question
Ask yourself: "Does this vendor process personal data on our behalf for a specific purpose?"
If yes, you likely need a DPA. This includes any service where:
- The vendor accesses personal data you collect
- The vendor processes data according to your instructions
- The vendor determines how to process the data only as you direct
Important
Even free tools often process personal data and may require DPAs. Review your entire vendor stack, not just paid services, to ensure all data processing relationships are covered.
GDPR Article 28 Requirements
Article 28 of the GDPR specifies what must be included in a Data Processing Agreement. These are mandatory requirements, not suggestions.
Mandatory DPA Elements
Article 28(3) requires the processing to be governed by a contract (or other legal act) that includes:
1. Subject Matter and Duration
- Subject matter: What the processing involves
- Duration: How long processing will occur
- Nature and purpose: Why the processing happens
2. Type of Personal Data and Data Subjects
- Categories of data: What types of personal data
- Data subjects: Whose data (employees, customers, etc.)
- Special categories: Any sensitive or protected data
3. Controller's Rights and Obligations
The contract must specify that the controller:
- Will only provide processing instructions that comply with law
- Ensures data subjects can enforce their rights through the controller
- Will make appropriate arrangements for lawful processing
4. Processor Obligations
The processor must commit to:
- Process only on documented instructions
- Ensure confidentiality of personnel
- Implement appropriate security measures
- Engage sub-processors only with controller consent
- Assist controller with data subject requests
- Assist with GDPR compliance (security, breach, DPIA)
- Delete or return data at end of contract
- Make information available for audits
Key Clauses Required in a DPA
A comprehensive DPA should include these essential clauses:
Essential Clauses
- Definitions and interpretations
- Subject matter and scope of processing
- Duration of processing
- Nature and purpose of processing
- Categories of data subjects
- Types of personal data
- Controller obligations
- Processor obligations
Operational Clauses
- Data security and confidentiality
- Personnel and training
- Sub-processor authorization
- Data subject rights assistance
- Compliance assistance
- Audit and inspection rights
- Data breach notification
- Data return and deletion
Data Security Requirements
Your DPA should specify appropriate technical and organizational measures, including:
- Pseudonymization and encryption
- Confidentiality, integrity, availability systems
- Timely restoration capabilities
- Regular testing of security measures
Breach Notification
Include requirements for:
- Notification timeframe (typically 24-72 hours)
- Information to be provided
- Documentation requirements
- Communication procedures
Controller vs Processor vs Sub-Processor
Understanding these roles is crucial for proper DPA drafting:
Data Controller
Determines the purposes and means of processing:
- Decides why and how data is processed
- Owns the data relationship with data subjects
- Determines what data to collect
- Must have lawful basis for processing
- Responsible for compliance with data subject rights
Data Processor
Processes data on behalf of the controller:
- Processes data only on controller's instructions
- Cannot determine purposes of processing
- Must follow DPA terms
- Responsible to controller for compliance
- Cannot engage another processor without consent
Sub-Processor
A processor engaged by another processor:
- Engaged by the main processor (not controller)
- Same obligations as processor under original DPA
- Controller must be informed of changes
- Original processor remains responsible to controller
| Role | Key Responsibility | Signs DPA With |
|---|---|---|
| Controller | Determines processing purposes | Processor |
| Processor | Processes on controller's instructions | Controller + Sub-processors |
| Sub-processor | Processes on processor's instructions | Processor |
Sub-Processor Management
When your processor engages sub-processors, you need protections:
Prior Authorization Requirement
Processors can only engage sub-processors with:
- General written consent: Pre-authorized list of sub-processors
- Specific written consent: Informed of each new sub-processor
Chain of Liability
The processor remains fully responsible to the controller for:
- Sub-processor's performance
- Sub-processor's compliance with DPA terms
- All data protection obligations
Your DPA Should Require
- Notification of new sub-processors
- Opportunity to object
- Contractual restrictions on sub-processors
- Right to audit sub-processors
Best Practice
Maintain a list of approved sub-processors and review it quarterly. When processors add new sub-processors, ensure your contract gives you adequate notice and objection rights before processing begins.
International Data Transfers in DPAs
When processors transfer data outside the EU/EEA, additional provisions are needed:
Transfer Mechanisms
Your DPA should address how international transfers are handled:
- EU Standard Contractual Clauses (SCCs): Required for transfers without adequacy
- Binding Corporate Rules (BCRs): For intra-group transfers
- Adequacy Decisions: Countries with EU-approved protections
- Transfer Impact Assessments: Evaluate destination country's law
DPA Transfer Provisions
Include in your DPA:
- Representation that transfers comply with law
- Description of transfer mechanisms used
- Requirements for supplementary measures
- Notification of legal changes affecting transfers
- Deletion/return if transfer becomes illegal
Post-Schrems II Considerations
Following the Schrems II ruling that invalidated the EU-US Privacy Shield:
- Conduct transfer impact assessments
- Implement technical and organizational supplementary measures
- Monitor for new adequacy decisions
- Consider EU-US Data Privacy Framework when available
DPA Best Practices
Follow these practices to ensure adequate data protection:
1. Inventory Your Processors
- Map all vendors that process personal data
- Categorize by data sensitivity and risk
- Prioritize high-risk processors
- Review contracts annually
2. Review Standard Contract Terms
- Many vendors offer "standard" DPAs
- Review for compliance with Article 28
- Negotiate changes where needed
- Don't accept terms that limit your rights
3. Ensure Adequate Security
- Specify appropriate security measures
- Require encryption where possible
- Include audit rights
- Require breach notification timelines
4. Document Everything
- Keep signed DPAs on file
- Document processing activities
- Maintain records of sub-processors
- Track contract renewal dates
5. Conduct Due Diligence
- Review vendor security practices before signing
- Check for certifications (ISO 27001, SOC 2)
- Assess data handling procedures
- Verify sub-processor management
6. Plan for Termination
- Include data return/deletion provisions
- Specify return format and timeline
- Address post-termination data handling
- Include transition assistance requirements
Analyze Your Privacy Policy
Use PolicyLens to verify your privacy policy addresses data processing relationships and that your vendor contracts include required DPA provisions.
Analyze Your Policy Free