Data Processing Agreement: A Basic Guide

A data processing agreement, or DPA, is a legal contract that sets out data handling responsibilities between a data controller and a data processor. They regulate the use of consumer data by companies, specifically how it is processed. In essence, the data processor promises to utilize personally identifiable data (PII) according to the terms laid out in the data processing agreement.

If your website collects data from people living in locations with these rules, then your website processing agreements and data processing methods must be compliant with them.

Common types of company websites that should have data processing agreements include:

• Online retailers
• Internet marketers
• Affiliates
• Online service providers
• Professional services firms
• B2B companies
• Financial institutions
• Technology firms
• Medical providers

If you run a large company, you will need to hire a data protection officer (DPO) to oversee and enforce your data privacy policies and data processing agreements. The internet is rife with the opportunity to expose your customer’s data, which can land your company in legal trouble with local authorities.

Avoid making this mistake by writing a personalized data processing agreement for your company while having the appropriate safeguards in place to monitor compliance.

Here is an article about data protection officers (DPO).

Steps in Writing a Data Processing Agreement

It’s essential that you write a data processing agreement that serves its intended purposes. However, the terms and conditions you write must also remain compliant with local, state, federal, country, and industry requirements depending upon your business. Use a methodical approach to ensure that you obtain the desired result.

Follow these steps when writing a data processing agreement:

1. Determine what customer data is essential.
2. Decide upon how long you need to store/process the data.
3. Write down how you plan to use the data in your own words.
4. Finalize this information with key company stakeholders.
5. Schedule an initial intake with a privacy lawyer.
6. Work with the lawyer you hired to finalize the policy.

The most practical business approach for writing a data processing agreement is by speak with technology lawyers. They have the legal experience and digital knowledge you want when drafting your data processing agreements. Your attorney can also help you draft other data processing agreement documents, including a privacy policy, terms of use agreement, terms of service (ToS) agreement, and acceptable use policy.

Advantages of Engaging a Lawyer for Data Processing Agreements

The following are the advantages of hiring a counsel for drafting a data processing agreement:

• Ensures Legal Compliance: Lawyers are knowledgeable about the rules and legislation governing data protection. They may assist in making sure the DPA complies with all relevant data protection regulations, lowering the chance of facing legal repercussions, financial penalties, and regulatory measures.
• Allows Customized Agreements: Attorneys can alter DPAs to meet the unique business needs and the specifics of the associated data processing operations. This guarantees that the agreement considers the particular needs and risk considerations.
• Mitigates Risk: Lawyers can assist in building the agreement to effectively reduce the risks by identifying potential liabilities and risks related to data processing agreements. This might shield the company from disciplinary actions and financial fines.
• Offers Data Security: One can set definite data security and protection procedures inside the DPA with the aid of attorneys. This includes describing the organizational and technical measures required to protect personal data.
• Manages Data Breach Response: In the sad event of a data breach, attorneys can offer advice on how to proceed, including alerting the necessary parties and the impacted parties and managing legal obligations.
• Stays Updated: Laws and rules governing data protection may change. Lawyers can assist an individual in keeping up with revisions and modifications that may have an impact on the DPA, ensuring continuing compliance.
• Assists with Legal Documentation: To avoid ambiguity and potential conflicts, lawyers can create precise, legally binding agreements that expressly describe the obligations of both parties involved in the data processing process.

Meet some lawyers on our platform

Allen L.

94 projects on CC

CC verified

View Profile

Dolan W.

1003 projects on CC

CC verified

View Profile

Paul M.

23 projects on CC

CC verified

View Profile

Darshun K.

1 project on CC

CC verified

View Profile

Key Terms in a Data Processing Agreement

Data processing agreements, like all contracts, contain key terms and provisions that help both parties understand their rights and responsibilities. In the case of a data processing agreement, the consumer, or the data control, must agree to the company’s or data processor’s terms to use their website or application.

The key terms in a data processing agreement include:

• Subject matter
• Duration
• Purpose
• Data used
• Data categorizations
• Rights and obligations
• Rights if a data breach occurs

These rights and obligations may vary according to state, industry, country, and company type. When there are numerous variables involved with a contract, it is essential that you consult with privacy lawyers to help ensure that they are objective-oriented, compliant, and enforceable. Otherwise, you could leave yourself exposed to fiduciary liabilities in the future.

Why You Need a Data Processing Agreement

Your company needs a data processing agreement to remain compliant with a jurisdiction’s relevant laws. If you do not have these agreements in place and utilize consumer data, you could face significant penalties. While legislation is forthcoming slowly, a few noticeable places are enacting strict measurements.

DPAs and the GDPR

The General Data Protection Regulation (GDPR) summaries how companies must process, store, and use customer data. These regulations are contained within Article 28 of the GDPR text enacted by the European Union (EU).

Counties in the EU include:

• Austria
• Belgium
• Bulgaria
• Croatia
• Republic of Cyprus
• Czech Republic
• Denmark
• Estonia
• Finland
• France
• Germany
• Greece
• Hungary
• Ireland
• Italy
• Latvia
• Lithuania
• Luxembourg
• Malta
• Netherlands
• Poland
• Portugal
• Romania
• Slovakia
• Slovenia
• Spain
• Sweden

Regardless of where your target audience resides in the EU, DPAs are an essential website component across many business types and industries. Data controllers also have specific legal protections.

Ensure that your data processing agreement addresses the following rights:

• Right to opt-out
• Right to be informed
• Right to disclosure
• Right to deletion
• Right to equal services and prices

Lawmakers have authorized the Data Protect Authorities to impose fines of up to €20 million or 4 percent of global turnover annually, whichever of the two is greater, for GDPR violations. Work with a team of legal and technological professionals to help you create an agreement and process that helps you accomplish your company objectives while remaining compliant within the EU.

DPAs and the CCPA

On the other hand, the California Consumer Privacy Act (CCPA) is the state’s ePrivacy directive that outlines how companies can use consumer data, including tracking browsers and data encryption requirements. These rules apply to first and third-party services providers and retailers.

Benefits of a Data Processing Agreement

The following are the benefits of the data processing agreement:

• Ensures Legal Compliance: DPAs aid in observing data protection laws and regulations, such as the GDPR, by data controllers and data processors. It spells out each party's obligations and responsibilities, ensuring that data processing operations comply with the law.
• Maintains Clarity and Accountability: DPAs offer precise instructions on handling, managing, and protecting personal data. Accountability is easier to create since everyone is clear about their responsibilities in the data processing relationship.
• Mitigates Risk: Organisations can reduce the risk of data breaches, unauthorized access, or incorrect handling of personal data by establishing the terms of data processing and data protection measures in a DPA. It aids in establishing security norms and procedures.
• Includes Data Subject Rights: DPAs frequently contain clauses that guarantee the observance of data subject rights. The right to access, update, or delete personal data is part of this. These guidelines aid organizations in granting requests from data subjects.
• Guarantees Data Security: DPAs often contain provisions requiring data processors to place suitable security measures to safeguard personal data.
• Contains Provisions of Cross-border Data Transfers: DPAs may contain provisions addressing the transmission of personal data outside of the European Economic Area (EEA) or other locations with particular data transfer limits.
• Resolves Dispute: DPAs frequently specify dispute resolution procedures for conflicts or agreement violations. By doing this, problems may be resolved without requiring expensive legal action.
• Outlines Termination and Transition Clauses: DPAs outline the steps for ending the contract and transferring the responsibility for data processing, ensuring a smooth transition during a breakup.
• Promotes Trust: DPAs can promote trust between data controllers and processors. A commitment to data security and ethical data management is demonstrated by having a written agreement, which can improve business partnerships.

Data Processing Agreements and Small Businesses

Small business owners stretch their budgets and may wonder if having data processing agreements are really necessary. They are generally not exempt from meeting data processing agreement requirements. However, some geographical regions may have more lax regulations in your area.

Other Reasons to Not Use Data Processing Agreements

You also do not need to have a data processing agreement if your target market is not located in a place with such requirements. Always speak with internet lawyers in your state to determine if your small business needs to utilize data processing agreements.

Why You Should Get Started Early

We will likely see continued legislation crop up throughout the United States and the world. It may not be a bad idea to get a jump on the practice now while observing good data processing ethics. Your early adopter and tech-savvy customers are sure to take note of your above-and-beyond efforts.

Data Processing Agreements vs. Privacy Policy

There are significant differences between data processing agreements vs. a privacy policy. Data processing agreements outline how you process the customer’s data to prevent technological insecurities, while the privacy policy lets customers know what you do with their data in general.

Example of Data Processing Agreements vs. Privacy Policy

For example, in a data processing agreement, you may disclose that a third party, such as Google, will process your data when collecting email addresses for newsletters. You do not necessarily need to disclose this specific information in your privacy policy.

Data Processing Agreement Sample

DATA PROCESSING AGREEMENT

THIS DATA PROCESSING AGREEMENT (“Data Processing Agreement”) is made and entered into on 23 July 2020 (“Effective Date”) by and between:

1. [PARTY 1], a company organized and existing under the laws of [STATE] and having its registered office at [ADDRESS].

2. [PARTY 2], a company organized and existing under the laws of [STATE] and having its registered office at [ADDRESS].

Each of the above parties are individually referred to as “Party” and jointly as “Parties”.

RECITALS

1. WHEREAS, Controller and Processor entered into a service agreement as of [DATE] (“Agreement”) pursuant to which Processor agreed to provide certain services to Controller as specified in the Agreement, including any statements of work, and Privacy Annex (Annex 1) to this Data Processing Agreement (“Services”);
2. WHEREAS, Controller engages Processor to on behalf of Controller process Personal Data defined in the Privacy Annex (Annex 1) and any other personal data processed by Processor on behalf of Controller pursuant to the Agreement (“Personal Data”);
3. WHEREAS, this Data Processing Agreement includes the terms and conditions governing the processing of Personal Data by Processor on behalf of Controller with the aim to ensure the Parties comply with Applicable Laws as defined below.

NOW, THEREFORE, the Parties agree as follows:

1. DEFINITIONS AND INTERPRETATION

1.1. For the purposes of this Data Processing Agreement, the following terms shall have the following definitions and interpretation:

“Applicable Laws” means any EU, EU Member State, national, regional and local laws, rules, regulations, declarations, requirements, guidelines approved by supervisory or other competent bodies and polices that apply to or govern the processing of Personal Data as set out in the Privacy Annex (Annex 1), including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and relevant national laws, as amended from time to time.

“EEA” means European Economic Area.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

“Subprocessor” means any data processor (including any third party and any Processor Affiliate) engaged by Processor to process personal data on behalf of Controller.

“Supervisory Authority” means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Applicable Laws.

1.2 Other terms like “process/processing”, “data subject”, “(data) processor”, “(data) controller”, “data protection impact assessment”, etc. shall have the meaning ascribed to them in the Applicable Laws with regard to the Personal Data.

2. PROCESSING OF PERSONAL DATA

2.1. Processor shall provide the Services and shall process the Personal Data within the context of the Agreement on behalf of Controller and for the specific purposes as set out in the Privacy Annex (Annex 1) to this Data Processing Agreement.

2.2. Processor represents and warrants that it shall not process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than in accordance with the Controller’s documented instructions (in the Principal Agreement or otherwise), unless processing is required by EU or Member State law to which Processor is subject, in which case Processor shall to the extent permitted by such law inform Controller of that legal requirement before processing that Personal Data. Processor shall not process Personal Data for own purposes, except where it is regarded as data controller for the processing of Personal Data.

2.3. Controller represents and warrants that it is fully authorized and entitled to provide the Personal Data to Processor for processing and let Processor process the Personal Data for the purposes of the Agreement and for the specific purposes as set out in the Privacy Annex (Annex 1) and in execution of the Services.

3. DATA SUBJECT RIGHTS

3.1. Processor shall promptly, and in any case within five (5) working days, notify Controller if it receives a request from a data subject under any Applicable Laws in respect of Personal Data, including requests by a data subject to exercise rights in Chapter III of GDPR, and shall provide full details of that request.

3.2. Processor shall provide all reasonable assistance to Controller to enable Controller to comply with any exercise of rights by a data subject under any Applicable Laws in respect of Personal Data and comply with any assessment, enquiry, notice or investigation under Applicable Laws in respect of Personal Data or this Data Processing Agreement.

4. SECURITY OF PERSONAL DATA

4.1. Without prejudice to any other security requirements agreed upon between the Parties, Processor shall protect the processing of Personal Data and ensure a level of security of the Personal Data appropriate to the risk in accordance with Article 32 GDPR, among others by taking appropriate technical and organisational measures, that in view of the current state of the art and the related costs are in line with the nature of the Personal Data to be processed, the scope, context and purposes of the processing of the Personal Data, as well as the risk varying according to likelihood and severity for the rights and freedoms of data subjects. These measures encompass, where appropriate:

4.1.1. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

4.1.2. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

4.1.3. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.

4.2. The Parties acknowledge that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvements of outdated security measures. Processor shall therefore continuously evaluate the technical and organisational measures as described herein and shall tighten, supplement and improve these security measures to maintain compliance with Applicable Laws.

5. PERSONAL DATA BREACHES

5.1. Processor shall notify Controller without unreasonable delay upon becoming aware of a Personal Data Breach in connection with the processing of Personal Data and shall provide Controller with information to allow Controller to meet any obligations to report a Personal Data Breach under the Applicable Laws. Such notification shall as a minimum:

5.1.1. describe the nature of the Personal Data Breach, the data subjects concerned, and the Personal Data records concerned;

5.1.2. communicate the name and contact details of Processor’s data protection officer or other relevant contact form whom more information may be obtained;

5.1.3. describe the likely consequences of the Personal Data Breach; and

5.1.4. describe the measures taken or proposed to address the Personal Data Breach.

5.2. Processor shall provide all reasonable assistance and shall take all reasonably steps to assist in the investigation, mitigation and remediation of each Personal Data Breach to enable Controller to (i) perform a thorough investigation into the Personal Data Breach, (ii) formulate a correct response; and (iii) to take further steps in respect of the Personal Data Breach in order to meet any requirements under the Applicable Laws.

6. SUBPROCESSORS

6.1. From the Effective Date of this Data Processing Agreement, Processor may use the Subprocessors set out in the Privacy Annex (Annex 1). Processor may use additional Subprocessors to process Personal Data only with the prior written approval of Controller, which approval shall not be unreasonably withheld.

7. INTERNATIONAL TRANSFERS

7.1. If and insofar the Personal Data is processed outside of the EEA, the Parties shall only process the Personal Data when there is an adequate level of protection in place.

8. CONFIDENTIALITY

8.1. In accordance with the confidentiality provisions of the Agreement, Processor shall keep Personal Data confidential. For the avoidance of doubt, all Personal Data shall be considered as Confidential Information in the Agreement.

9. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

9.1. Processor shall provide reasonable assistance to Controller with any data protection impact assessments which are required under Article 35 GDPR and with any prior consultations to any Supervisory Authority of Controller or any of its affiliates which are required under Article 36 GDPR, in each case in relation to processing of Personal Data by Processor on behalf of Controller and taking into account the nature of the processing and information available to Processor.

10. PROVISION OF INFORMATION AND AUDITS

10.1. Processor shall make available to Controller on request any relevant information that is reasonably necessary to demonstrate compliance with this Data Processing Agreement.

10.2. Processor shall allow for and reasonably contribute to audits of the processing of Personal Data and the premises where such processing takes place. Processor shall provide all reasonable cooperation to Controller in respect of any such audit and shall at the request of Controller, provide Controller with evidence of compliance with its obligations under this Data Processing Agreement. Processor shall immediately inform Controller if, in its opinion, an instruction pursuant to this Clause 10 infringes any Applicable Laws.

11. INDEMNITY AND LIABILITY

11.1. Notwithstanding any provisions of the Agreement or this Data Processing Agreement to the contrary, each Party shall indemnify, defend and hold harmless the other Party from any claims (including third party claims), suits, demands, judgements, actions, liabilities, expenses (including reasonable attorney’s fees) and damages of any kind relating to its breach of this Data Processing Agreement, and/or its negligence or wilful misconduct.

11.2. Notwithstanding any provisions of the Agreement or this Data Processing Agreement to the contrary, the limitation of liability set forth in the Agreement shall also apply to this Data Processing Agreement.

12. DURATION AND TERMINATION

12.1. This Data Processing Agreement shall remain in full force and effect for the duration that Processor processes Personal Data on behalf of Controller under the Agreement.

12.2. Any obligation imposed on either Party under this Data Processing Agreement, or any provision that by their nature is intended to survive this Data Processing Agreement shall survive any termination or expiration of this Data Processing Agreement.

13. STORAGE, RETURN AND DESTRUCTION

13.1. Processor shall store the Personal Data no longer than strictly necessary (i) for the provision of Services; (ii) if a storage period is agreed between the Parties, no longer than this storage period; or (iii) to comply with statutory obligations.

13.2. Processor shall promptly, of the earlier of: (i) no longer processing of Personal Data; or (ii) termination of the Agreement, at the choice of Controller either: (a) return a complete copy of all Personal Data to Controller and securely wipe all other copies of Personal Data processed by Processor or any Subprocessor; or (b) securely wipe all copies of Personal Data processed by Processor or any Subprocessor; and in each case provide written confirmation to Controller that it has complied with this Clause 13, except insofar Processor is required by Applicable Laws to retain such Personal Data.

14. MISCELLANEOUS

14.1. Modifications or amendments of this Data Processing Agreement shall only be effective if made in writing and signed by an authorized representative of both Parties.

14.2. If any provision of this Data Processing Agreement is invalid or unenforceable, then the remainder shall remain valid and in force.

14.3. In the event of inconsistencies between the provisions of this Data Processing Agreement and the Agreement and/or any Scope of Work, the provisions of this Data Processing Agreement shall prevail with regard to the Parties’ data protection obligations.

14.4. This Data Processing Agreement shall be governed by and in accordance with the laws of the [COUNTRY], without giving effect to any choice of law principles that would require the application of the laws of a different jurisdiction. Any disputes arising out or in connection with this Data Processing Agreement shall be brought exclusively before the competent court of [LOCATION].

IN WITNESS WHEREOF, the Parties hereto have executed this Data Processing Agreement as of the Effective Date by their duly authorized signatories.

By: ________________________

By: ________________________

Final Thoughts on Data Processing Agreements

Data processing agreements, in general, are an essential component of data protection policies, preserving peoples' rights and privacy while ensuring safe and legal data processing. Businesses prioritizing and upholding those agreements can be better positioned to forge close bonds with their customers, abide by facts and safety rules, and decrease any criminal or reputational issues related to records processing activities. As data-driven technologies develop, DPAs will remain important in preserving the fragile equilibrium between innovation and data protection.

If you are looking to get free pricing proposals from vetted lawyers that are 60% less than typical law firms, you can click here to get started. By comparing multiple proposals for free, you can save time and stress of finding a quality lawyer for your business needs.