Data Processing Agreement (DPA) explained

What is a Data Processing Agreement (DPA)?

A Data Processing Agreement (DPA) is a legally binding document to be entered into between the controller and the processor in writing or electronic form. It regulates the scope and purpose of processing, as well as the relationship between the controller and the processor. The contract is important so that both parties could understand their responsibilities and liabilities.

Why do businesses need Data Processing Agreements? 

It’s practically not possible to run a business without processing personal data and exchanging it with other businesses. It may be website analytics software, cloud storage, CRM or marketing platform, and whether you are controller, processor, sub-processor or joint controller, you have to construct a lawful Data Processing Arrangement with the party you exchange personal information with. 

GDPR does not have legal restrictions on the form of the Data Processing Agreement, however, if a processor is located outside the EU and international data transfer happens, there are some specific requirements to the format of documentation, such as standard contractual clauses, binding corporate rules., etc. 

Do I need to have a Data Processing Agreement?

If you exchange personal data with other parties, you should have a Data Processing Agreement in place. It’s not only EU GDPR that requires organisations to sign Data Processing Agreements.  By 2023, multiple countries worldwide have adopted similar regulations and require organisations to sign DPAs. The following countries require Data Processing Agreements to be signed: Brazil LGPD, Dubai PDPA, EU GDPR, South Africa POPIA, Thailand PDPA, UK GDPR, US California CCPA/CPRA, US Colorado CPA, US Connecticut DPA, US Virginia CDPA, US Nevada State Privacy law (Las Vegas).

Controller’s role in Data Processing Agreement

The controller is responsible for establishing a lawful data process and observing the rights of data subjects. The controller defines the way how data processing takes place and under what conditions. The controller must have a data processing agreement with its processors. 

Processor’s role in Data Processing Agreement

The data processor should handle the data exclusively in the manner demanded by the controller.  There are following requirements applied to processor and should be reflected in Data Processing Agreement:

- must have adequate information security in place;

- shouldn’t use sub-processors without the knowledge and consent of the controller;

- must cooperate with the authorities in the event of an enquiry;

- must report data breaches to the controller as soon as they become aware of them;

- must give the data controller the opportunity to carry out audits examining their GDPR compliance;

- must help the controller to comply with data subjects’ rights;

- must assist the data controller in managing the consequences of data breaches;

- must delete or return all personal data at the end of the contract at the choice of the controller, and

- must inform the controller if the processing instructions infringe GDPR. 

What should be included in a Data Processing Agreement?

Articles 28 through 36 of GDPR set conditions of data exchange and conditions of personal data between controller and processor. Here are the most important subjects you have to cover in your data processing agreement:

- details about processing;

- the subject matter and duration of the processing;

- the nature and purpose of the processing;

- the type of personal data and categories of data subjects;

- purpose and legal basis of personal data processing;

- the controller’s and processor’s rights and responsibilities.