July 7, 2022

The Ultimate Guide to Data Processing Agreements

A Data Processing Agreement (DPA) is the contract between the company that needs personal data to be processed and the company that processes data on behalf of other companies.

Every time a company processes personal data on behalf of another company, a DPA is necessary to make the processing legal. Without the agreement, the processing itself is a violation of the applicable data protection laws.

Who Needs to Sign a Data Processing Agreement?

A DPA must be signed by the data controller and the data processor. The GDPR, as well as many other data protection laws worldwide, require the controller to provide the processor with written instructions on the processing. These instructions usually come in the form of a DPA.

The data controller needs the DPA because it must provide the processor with such instructions. Without them, the processing violates the laws.

The data processor needs the DPA because it must not process personal data without written instructions.

As a result, in the absence of a written DPA between them, both parties would be accountable for the infractions.

Which Data Protection Laws Require a Data Processing Agreement?

DPAs have been popularized by the GDPR, but practically every data protection law in the world now requires them in one form or another. Wherever a law requires written instructions for data processing, the controller and the processor need a DPA.

DPAs are required by the following data protection laws:

What Must Data Processing Agreements Include?

Every data protection law specifies the essential components of a DPA. A DPA may contain more information and provisions than this minimum, but not less.

What your DPA must include is determined by the laws that apply to your business. Most of the required parts overlap between laws, but you must be sure to include everything required for each individual user whose personal data you will process with the help of the processor.

If your company processes personal data on behalf of other businesses, incorporating all of the elements required by the various data privacy laws is the safest way to go. You will then be prepared for any situation.

The following elements are typically found in DPAs:

  • The purpose and categories of data to be processed
  • The duration of processing
  • The categories of data subjects
  • The rights and the duties of the data controller
  • That the data processor will process data only upon the written instruction, i.e. the DPA
  • The security measures for the processing
  • Provisions on the sub-processors, if any
  • That the data processor would help the data controller to comply with the law, if necessary
  • That the data processor will make available to the data controller all information necessary for compliance, including audit and inspection reports.

How Do I Execute a Data Processing Agreement?

In most circumstances, accepting the Terms and Conditions on the website of the third-party tool you will use for data processing constitutes signing a contract with that provider. That contract includes data processing.

For businesses that operate online, there are two ways you could sign the DPA:

  • As part of the Terms and Conditions (as an attachment to them). If the DPA is attached to the T&Cs, then when the controller signs up for the processing tool they sign the DPA at the same time, and thereby provide the processor with the necessary written instructions for personal data processing.
  • As a separate contract. The controller and the processor can separate the DPA from the main contract and sign it separately. Legally, it makes no difference which option is chosen.