A Data Processing Agreement (DPA) is essential for businesses that share personal data with third-party providers. A DPA outlines the obligations of both the data controller and the data processor, establishing clear rules for managing and safeguarding personal information.
Here’s a guide to understanding what a DPA is, why it matters, and what it should include. A well-drafted DPA enables smooth, ongoing data processing, protects users’ personal data, and supports companies’ privacy compliance and operations.
What is a data processing agreement (DPA)?
A Data Processing Agreement (DPA) is a legally binding document established between two entities: a data controller and a data processor.
A controller is an entity that determines why and how personal data will be processed, while a processor handles personal data according to the controller’s instructions. In other words, a DPA specifies how a processor should handle and protect the controller’s data to support compliance with privacy laws.
DPAs are often used in relationships between companies and their service providers, such as cloud storage companies, payroll providers, or analytics platforms. They establish a framework for managing personal data and outline the rights and responsibilities of each party regarding data security, confidentiality, and regulatory compliance.
What’s the purpose of a DPA?
The main purpose of a DPA is to ensure that data processors handle personal data in accordance with the requirements of data protection regulations, frameworks, and policies. Here’s why DPAs are essential:
- Clarifying roles and responsibilities: A DPA defines the duties of both the controller and processor, clarifying their responsibilities regarding data privacy and security.
- Supporting privacy compliance: A DPA is foundational for meeting legal obligations under laws like the GDPR and CCPA, reducing the risk of violations and regulatory penalties.
- Protecting individuals’ rights: By setting specific standards for data handling, a DPA helps safeguard personal privacy and data security.
- Managing risk and liability: A DPA provides a legal framework that reduces liability for both parties, especially in cases involving data breaches or noncompliance.
Without a DPA, businesses lack the legal grounds to ensure that third-party processors follow necessary data protection standards. This can result in penalties and reputational damage. Under many data privacy laws, the data controller retains responsibility for the actions of third-party processors it contracts.
When is a data processing agreement required?
When working with third parties, data processing agreements are essential for responsibly handling personal data. A DPA is required whenever a company shares personal data with another party for tasks like cloud storage, payroll services, or any outsourced data processing.
A DPA should be established before any personal data processing begins. If you plan to upload customer data to a CRM, use third-party analytics, or even share data with an external partner by email, a DPA is necessary.
Laws like the EU’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) mandate these agreements to ensure that personal data is managed securely and responsibly. Beyond legal compliance, DPAs also clarify roles, set expectations, and create a framework for data protection.
How to create a DPA?
Creating a DPA is key to compliance with data protection regulations like the GDPR. Articles 24-43 of the GDPR outline the essential elements of a DPA, which we’ll cover in the next section.
To create a DPA, there are several methods you can choose from:
- Legal consultation: Engage a legal professional who specializes in data protection law to draft a custom DPA tailored to your specific needs.
- Managed solutions: Use specialized software or services that offer tools for DPA creation. These often feature templates and helpful guidance.
- Customizable templates: Start with a downloadable template and modify it to fit your needs, including all necessary clauses.
It’s worth noting that the EU’s GDPR website offers a free data processing agreement template that you can customize and use as a starting point.
Templates can provide a solid starting point, but seeking professional legal advice can add assurance and help protect your organization from potential liabilities.
What needs to be included in a data processing agreement?
A data processing agreement should cover the following essential areas:
- Identify the signing parties: State which party is the data controller and which is the data processor under this agreement.
- Scope of data processing: Specify the type of data, the purpose for which it is processed, and any limitations on its use.
- Security requirements: Outline technical and organizational measures (such as encryption and access controls) for protecting personal data.
- Use of sub-processors: If the processor uses subcontractors for data processing, list them here and define terms for their access to data.
- Data transfer restrictions: Define protocols and requirements for any data transfers, especially if data is moved outside the EU or other regions with strict privacy laws.
- Data retention and deletion: Include requirements for how long data can be kept and ensure it is deleted or returned after processing is completed.
- Liability clauses: Clarify which party bears responsibility in the case of data breaches or regulatory issues, including steps for notification.
- Audit rights: Grant the data controller permission to periodically audit the processor’s compliance with the agreement.
These elements are essential for defining responsibilities and establishing a clear framework for managing data privacy risks.
As you draft your DPA, keep in mind the importance of specificity and clarity. Ensure that the agreement clearly defines what data will be processed and for what purposes, and that it fully complies with relevant data privacy laws.
Finally, regularly review and update your DPA to stay aligned with legal changes and evolving data practices.
Data processing agreement examples
Companies of all sizes must comply with relevant data privacy regulations, whether they work with a handful of third parties or many. Let’s look at a couple of examples of data processing agreements to see how big brands are meeting data privacy requirements.
LinkedIn’s data processing agreement
LinkedIn, owned by Microsoft, is the world’s largest professional network and has developed a detailed DPA that addresses key aspects of data protection.
Below is a screenshot of how they organize their agreement using a simple table of contents.
LinkedIn’s DPA is structured to prioritize clarity and transparency, beginning with a designation of roles that sets responsibilities from the outset. In this case, LinkedIn is identified as the data processor, and the customer as the data controller.
LinkedIn emphasizes customer control over data by committing to only process personal data under documented instructions from the customer. To protect this data, LinkedIn outlines security measures within the DPA to ensure appropriate levels of protection.
Additionally, LinkedIn’s agreement includes provisions for prompt notification in the event of a data breach, enabling customers to quickly assess and mitigate potential risks. These types of notifications are also a requirement under many international data privacy laws.
For international compliance, the DPA incorporates clauses designed to ensure that data transfers outside the EEA are managed according to global standards of data protection.
Google’s data processing agreement
Google is another well-known company with numerous third-party partnerships that require DPAs. This agreement is particularly important for companies using Google Cloud services, as it supports compliance with various data protection regulations, including the GDPR.
Below is a screenshot of how they organize their agreement using a similar table of contents to LinkedIn’s.
Google’s DPA specifies that Google processes data solely for service provision and does not assess it for legal compliance, placing that responsibility on the customer. In the event of a data incident, Google commits to notifying customers promptly with detailed information, promoting transparency and risk management.
The DPA emphasizes Google’s security measures, including encryption and intrusion detection, while also highlighting customer obligations to protect their data. It clearly defines the roles of data controllers and processors, supporting both accountability and compliance audit processes.
Overall, Google’s DPA supports companies in navigating data protection requirements while offering high standards of security.
Who needs to sign a DPA?
Both a data controller and data processor must sign a DPA, as both parties share responsibility for safeguarding personal data. Particularly in jurisdictions with laws that place the burden of responsibility for data privacy and protection on the controller, it is especially important that companies ensure robust DPAs are in place and kept up to date with all third-party processors.
Signing a DPA as a customer (controller)
As the controller, a business typically drafts or reviews the DPA to ensure that the processor will handle data responsibly and according to the controller’s instructions. The controller should carefully assess whether the DPA meets regulatory requirements and addresses any data privacy risks relevant to its operations. Before signing, businesses should confirm the processor’s security protocols and ability to comply with data protection laws.
Creating a DPA as a service provider (processor)
Service providers that process data on behalf of other companies also need to create and offer data processing agreements to their clients. The processor must ensure that the DPA clearly defines their security practices, data handling processes, and responsibilities for compliance with applicable regulations like the GDPR or CPRA. Processors should be transparent about their data protection methods and any subcontractors they employ, to provide clients with a reliable framework for data security. In addition to covering how data processing operations will work, DPAs should also cover how they will end, for example how data held by the processor will be deleted or returned.
Which countries require a data processing agreement?
Data Processing Agreements are required by many countries with data protection laws, including:
- Brazil’s Lei Geral de Proteção de Dados (LGPD)
- European Union’s General Data Protection Regulation (GDPR)
- South Africa’s Protection of Personal Information Act (POPIA)
- Thailand’s Personal Data Protection Act (PDPA)
- The UK’s General Data Protection Regulation (UK GDPR)
- US state-level data privacy laws
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
- Japan’s Act on the Protection of Personal Information (APPI)
- South Korea’s Personal Information Protection Act (PIPA)
Additionally, countries like Australia, New Zealand, Singapore, the Philippines, and Malaysia are adopting GDPR-like requirements, which may also require data processing agreements.
It’s worth noting that this list is not exhaustive, and it’s important to check local requirements depending on where your company is based.
What are the GDPR DPA requirements?
Under Art. 28 GDPR, controllers must establish agreements with processors to ensure secure and compliant processing of personal data. These agreements need to include the following information.
- Processors can only handle personal data as instructed by the controller, including following any rules about transferring data outside the EU.
- Processors must ensure that anyone handling the data keeps it confidential.
- The agreement should outline security measures to protect the data, such as encryption and access controls, as required by Art. 32 GDPR.
- Processors can’t hire another processor (sub-processor) without written permission from the controller.
- If a sub-processor is involved, they must follow the same data protection rules as the main processor.
- Processors must help the controller respond to data subject access requests (DSARs), such as when someone asks for access, correction, or deletion of their data.
- When the contract ends, processors must either delete or return all personal data, unless they are legally required to keep it.
- Processors need to allow the controller to inspect their data practices to confirm GDPR compliance.
- Processors should also support the controller in meeting GDPR obligations, such as handling data security, breach notifications, and data protection assessments.
Additionally, some organizations are required to appoint a Data Protection Officer (DPO) under the GDPR. A DPO’s primary responsibility is to ensure ongoing compliance with GDPR requirements.
What are the CCPA/CPRA DPA requirements?
Under Section 1798.100(d) of the CCPA, now updated by the CPRA, businesses (also referred to as controllers) need contracts with third parties, service providers, and other contractors when they share consumers’ personal information. These contracts, similar to DPAs, must include the following information and requirements.
- Any personal information shared can only be used for the purposes specified in the agreement.
- The third party, service provider, or contractor must meet the same privacy standards required of the business under the law.
- Businesses have the right to make sure that the third party, service provider, or contractor handles personal information in line with the business’s legal obligations.
- If the third party, service provider, or contractor can no longer meet these privacy obligations, they must inform the business.
- Businesses have the right to take action to stop or fix any unauthorized use of personal information if they are notified of an issue.
Fines for not having a DPA
Failing to set up a DPA when required by law can lead to serious consequences, including breaches of data protection laws, substantial fines, and harm to a company’s reputation. Fines for noncompliance will depend on which privacy law(s) require your company’s compliance.
For example, under the GDPR, penalties for noncompliance are strict and divided into two levels:
- For less serious breaches, organizations can face fines up to EUR 10 million or 2 percent of their total global annual revenue from the previous financial year, whichever is higher.
- For more serious breaches, fines can go up to EUR 20 million or 4 percent of the company’s total global annual revenue, whichever is higher.
These fines are enforced by data protection authorities in each EU member state, who assess the severity and nature of the violation.
Under the CCPA/CPRA, by contrast, businesses that violate it can face civil penalties of up to USD 2,500 per unintentional violation and up to USD 7,500 per intentional violation.
Protect user privacy using a data privacy agreement
Supporting your company’s compliance with data protection laws through a well-crafted DPA is not only often a legal requirement but also a crucial step in building trust with your customers.
By clearly defining roles, responsibilities, and data protection measures, a DPA helps protect both parties in the event of data breaches, user complaints, or regulatory scrutiny. By taking the time to draft and regularly update your DPA, setting clear expectations, and following data protection standards, you can reduce risks and strengthen your compliance efforts.
Prioritize your DPA to keep data secure and your reputation intact.
In addition to having a solid DPA, you can boost your data privacy strategy with tools like a website consent management platform (web CMP). Consent management ensures that you’re not only compliant but also transparent with users about how their data is collected and used, fostering greater trust.