What is a Data Processing Agreement (DPA)?

Privacy Compliance
December 2, 2021
DPAs, or Data Processing Agreements, are a key part of the GDPR requirements for compliance, plus they are crucial for establishing liability for all parties involved in processing personally identifiable information (PII) under this law. Unfortunately, they can also be confusing but don't fear! Our team is clearing that all up and answering all your DPA questions down below.

What is a Data Processing Agreement?

Almost every organization relies on third parties to process personal data, which necessitates the creation of data processing agreements (DPA). Even necessary business tools, such as email, sales management systems, and cloud storage, process data on behalf of organizations. Applying the General Data Protection Regulation (GDPR) and other privacy laws imposes strict requirements and guidelines between data controllers and data processors through these signed DPAs.

In this article, the Accountable team helps you understand everything your business needs to know about data processing agreements.

Who Is a Data Controller?

The data controller bears the most significant responsibility for safeguarding the privacy and rights of the end-user. They’re in charge of the data’s processing procedures and intended use. Data controllers also determine how and for what purpose the organization will use the information it receives.

A data controller may use an internal system to process collected data. However, they will need to collaborate with a third party or an external service provider to gain meaningful insight in some situations. The data controller maintains control through contractual specifications.

Who Is a Data Processor?

A data processor is the one who processes the data supplied by the data controller. The third-party data processor does not own or control the data they process. They cannot alter the purpose of using it and must follow the data controller’s instructions explicitly.

What Is a Data Processing Agreement?

A data processing agreement, also known as a DPA, is a legally binding agreement between a data controller and a data processor. These agreements regulate how businesses use and process consumer data. The data processor agrees to process personally identifiable information (PII) consistent with the data processing agreement’s terms.

The following are examples of common business types that use data processing agreements:

  • Affiliates
  • B2B companies
  • Financial institutions
  • Internet marketers
  • Medical care providers
  • Online retailers
  • Online service providers
  • Professional services firms
  • Technology firms

You must hire a data protection officer (DPO) to monitor and enforce your data privacy policies and agreements if you run a large corporation. The internet is rife with opportunities to expose PII but this situation can be prevented by creating customized data processing agreements.

When Is a Data Processing Agreement Required?

You must have a written contract in place any time a data processor processes data on your behalf. Consequently, you’ll also need a DPA if you use customer relationship management (CRM) platforms, customer data platforms (CDPs), analytics, or other analysis tools. The DPA is critical to ensuring that both parties understand their respective roles in handling users’ data and the responsibilities that come with them.

It also ensures that each participant in the process understands the chain of responsibility. Numerous other data privacy regulations worldwide require this type of document to be signed. 

Beyond just the need to set roles and liabilities, DPAs are important because they assist each party in demonstrating compliance in the event of a data protection authority audit.

What Processors Should Include in a Data Processing Agreement

In general, a DPA should outline the scope and purpose of data processing, the types of data processed, the safeguards in place, and the specifics of the controller-processor relationship. 

If you are a customer of ours, we have a DPA template that is ready for you to use and customize within the app to simplify this whole process. But if you are not a customer with us (first, you should schedule a call with us… but until then), here is what a DPA must entail.  

Contracts for the processing of GDPR data must be highly detailed and include:

  • Recitals and Overview: This section describes the data processing activities, data use purposes, the party responsible for ensuring GDPR compliance, and the duration of the processing. Additionally, it covers definitions, the types of data to be processed, how and where data is stored, and contract termination terms.
  • Controller’s Responsibilities: When it comes to GDPR compliance, the controller is responsible for establishing a legal process and upholding end-users rights. Additionally, the controller is in charge of issuing processing commands and dictating how the processor handles data.
  • Processor’s Responsibilities: These responsibilities include maintaining information security, cooperating with authorities in the event of an investigation, reporting data breaches, allowing for audits, record keeping, and the deletion or return of data after the contract, among others.
  • Technology Requirements: The GDPR requires controllers and processors to consider how state-of-the-art technology, implementation costs, and differences in individual rights affect their ability to ensure ongoing data security.
  • Subprocessor Use: The processor must obtain written consent from the controller when relying on subprocessors. Subprocessors must ensure data protection and undergo regular compliance verification. In some cases, you may need to draft additional contracts for subprocessors, especially for complicated relationships.

When it comes to signing a data processing agreement, there are a few points to keep in mind, including the following:

Are There Enough Guarantees?

A controller may be held liable for a data breach that occurred on the processor’s side. As a result, both parties’ best interests ensure that the processor has sufficient bandwidth to provide adequate protection for all data transferred to them from the controller; The fewer risks there are, the better. However, if a breach occurs, the data processor should be able to mitigate its impact immediately.

How the Processor Will Use the Data?

The data controller must ensure that the processor’s DPA does not exceed the legal basis for initial data processing. In other words, the processor should be limited to the purposes specified in the contract. It is the controller’s responsibility to understand and interpret the processor’s intended use of data transferred.

Is There Any Room for Interpretation?

There shouldn’t be room for contractual interpretation in any of your DPAs. The language you use in your agreements should be transparent, direct, and well thought out, and take the necessary time to detail what should occur explicitly.

What Does It Mean to Sign a DPA as a Controller?

When an organization hires or partners with a third-party data processor, it is likely that the processor will require the organization to sign a DPA. This requirement is perfectly normal and necessary if the organization works with personal data belonging to EU residents.

When presented with a DPA, ensure that it clearly states how the processor may use the data. Examine the elements of a DPA listed above and ensure they are sufficiently detailed to avoid room for interpretation.

Be aware that the controller may be liable for a data breach even if a processor error caused it. Ascertain that the processor has the necessary resources for data protection and responding quickly to any issues.

What Does It Mean to Create a DPA as a Processor?

If you provide data processing services, particularly to customers who work with data from EU residents, you should familiarize yourself with the process of creating and managing DPAs. A good starting point is to examine the DPAs currently in use by enterprise processors. However, data processing agreements are lengthy, and simply reading a few to inform your contract creation can take a significant amount of time.

Additionally, some of your customers may require customized DPAs to meet their data usage requirements. Managing numerous DPAs can become a drain on the productivity of your legal team. Given the critical nature of managing contracts involving consumer data accurately, it is important to have a great system of document management so that you stay on top of each and every detail. 

Luckily for you, Accountable has a great, easy-to-use policy management section within our app that allows you to easily review, edit, and send policies, including DPAs off to those who need to sign off on them. 

Related Data Processing Agreement FAQs

Here are a few related frequently asked questions to help solidify your understanding of data processing agreements:

What is the General Data Protection Regulation?

The GDPR started in 2018 as a new data privacy law designed to ensure higher data security worldwide. Although the European Union (EU) drafted the GDPR, every organization and business on the planet must ensure GDPR compliance if their work involves any EU customer data processing.

What Is Data Processing?

Data processing is the collection, storage, or recording of data, its organization, monetization, use, or deletion, as well as any other activity involving the handling of another person’s personal data.

Can Customers Delete Their Data?

Data deletion is a data processing activity by definition. The GDPR addresses and covers this request as well. Unlawful destruction of customer data may also result in a fine.

What Data Types Does a DPA Protect?

The DPA applies to personally identifiable information (PII). You are subject to the DPA if any one piece of data could be used to connect someone’s identity.

What Happens After a Data Breach?

The data processor and controller must always work together to ensure the highest level of security over consumer PII. However, if a breach occurs, the data processor is required to notify the data controller immediately and cannot withhold such information under any circumstances. They must also assist the data controller, if possible, with data protection impact assessments.

Are There Fines for GDPR Violations?

GDPR fines for non-compliance are stringent and may cost businesses up to €20 million or 4 percent of their global revenue. If a company violates the GDPR, its legal issues do not end with fines. Among the data subject’s rights is seeking redress from the organization that abused their PII. Although, as a customer of ours who has enrolled in The Accountable Compliance Protection, you will be covered up to $100k for any costs in event of a breach or audit. 

Final Thoughts

Data Processing Agreements are highly critical documents between data processors and controllers. It is extremely important to ensure that you review your contracts carefully and have covered all the needed bases before it is signed by both parties. If you have any questions about how Accountable can help you reach compliance and take the stress out of DPA creation and completion, reach out to us today!

Get Started
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Ready to chat?

See how some of the fastest growing companies use Accountable to build trust through privacy and compliance.
Trusted by