Who needs a DPA and why?
Organizations of all sizes need a DPA if they work with third-party processors and are classed as a “data controller” themselves. These agreements define the legal requirements and procedures related to the protection of personal information.
DPAs are particularly necessary when complying with data protection laws, for the following reasons:
- To avoid sanctions or fines for data privacy violations by adhering to the relevant regulations.
- To outline how processors and controllers will work together. This includes outlining the data you will process and your reasons for doing so.
What are the key elements of a Data Processing Agreement (DPA)?
DPAs differ slightly from organization to organization, but their general principles are similar. Some of the main elements of a DPA are:
- Purpose: Outline the data you plan to process and why you need to.
- Rights/responsibilities: Identify what each party is responsible for, and the rights they have throughout the process.
- Essential measures: Outline the company-wide measures you’ve taken to safeguard data. You should also mention which technical measures you’re using to protect data (e.g. implementing multi-factor authentication).
- Data breach provisions: Outline what you’ll do if a data breach occurs and the steps you take to prevent one from happening.
- Data subject rights: Identify the rights of the person whose data you’re using.
Spend time creating a clear DPA that covers all angles; this is essential for building trust.
What are the processor’s data handling obligations in a DPA?
Processor handling obligations identify what the data processor is responsible for while handling data. These usually cover the following elements:
- The processor is responsible for following all controller instructions.
- The processor is responsible for keeping data confidential.
- The processor must help the controller fulfill their own data protection requirements.
- The processor could be liable for any data breach.
- The controller can audit the processor at any time.
- The processor might need to give the controller further information about how it’s processing data.
How does a DPA protect data subject rights?
Data Processing Agreements (DPAs) outline the duties and rights of both data processors and controllers, which helps safeguard data subject rights. These documents are developed in line with regulations, and they create a framework for responsible data processing. By outlining obligations and rights, DPAs form a key part of transparency procedures.
DPAs are also important for respecting data subject requests. This documentation can include the right to:
- Request changes to data
- Delete data if it’s no longer needed
- Access personal information
Processors have clear guidelines for what they are and aren’t allowed to do, minimizing the risk of regulatory non-compliance.
Under a DPA, how do organizations report data breaches?
Under the GDPR, organizations have to report data breaches within 72 hours of becoming aware of them.
You’re responsible for contacting the Data Protection Authority (also abbreviated DPA, not to be confused with the agreement itself). When submitting your report, you need to cover multiple details. These include:
- The type and nature of the data breach
- Approximate numbers of affected individuals
- The categories of people impacted by the breach
- What you’ve done to minimize the impact
For breaches classified as serious, like cyberattacks, the timeframe for reporting remains 72 hours. You can follow the Data Protection Authority’s guidelines for reporting breaches, and it’s also important that you’ve compiled an incident response plan. In your incident response plan, you should cover:
- Breach detection procedures
- Assessing risks
- Reporting data breaches
- Responding and containing the problem as soon as possible
What happens to data at the end of a Data Processing Agreement (DPA)?
DPAs can be terminated when the data being handled is no longer necessary. During the termination process, the processor is responsible for securely deleting all personal data or, depending on the controller’s instructions, returning it to the controller.
Even at this point, the DPA is still important. This documentation needs to set out the entire deletion/return process so that all parties can follow it. This is also important for preventing the data from being misused.
In some cases, the processor might need to prove that it has deleted or returned the information, so it should keep records of the deletion or return.
What are the penalties for non-compliance with a DPA?
The penalties for not complying with the GDPR and other regulations via a DPA can be significant, so it’s important to understand and avoid them. If you’re based in the EU/EEA, GDPR fines can reach 4% of global annual turnover or €20 million, whichever is higher.
These penalties are large, but they serve as a deterrent to non-compliance. Understanding what to include in your DPA and processing data safely are both essential. You should know the most common violation types; these normally relate to poor security practices that result in data breaches.
You should also never process personal data without receiving consent; you can get this via website cookie banners and opt-in confirmations.
Conclusion
Data Processing Agreements are crucial for companies operating in jurisdictions where data protection is taken seriously. Your documentation should explicitly outline everybody’s roles and responsibilities, and you also need to outline what you’ll do to contain potential breaches.
You should also use DPAs to build trust with your customers and give them transparency on how you handle their information. Make sure that everyone involved, including your processors and controllers, knows their rights and obligations.