In a world driven by data, protecting customers’ personal data is not just a legal requirement, it's a business imperative. With the European Union's General Data Protection Regulation (GDPR) imposing strict requirements on how personal data must be handled, organizations are increasingly turning to data processing agreements (DPAs) to ensure compliance and mitigate risk. This is particularly important for companies operating within the European Economic Area (EEA) or handling data of EEA residents.

But what exactly is a DPA? Why do you need one? And how do you create a DPA that meets GDPR requirements? We’ll answer these questions and more in this piece. 

What is a DPA?

A DPA is a legal contract between a data controller (company) and a data processor (service provider). This agreement outlines the terms and conditions under which personal data will be handled, processed, and protected. Mandated by Article 28 of the GDPR, a DPA serves as an important tool for ensuring GDPR compliance and the protection of personal data.

In essence, a DPA ensures that the processor only ‘processes’ the personal data according to the controller's instructions, and that appropriate security measures are in place to protect sensitive data. It also establishes each party's responsibilities and liabilities in relation to the processing, including any transfer of personal data to third countries outside the EEA.

Real-world example: Let's say a hospital (the controller) uses a third-party cloud storage service (the processor) to store and manage patient records. The hospital decides what patient data to collect and how to use it, while the cloud service processes and stores this data as instructed. In this case, both parties must enter into a DPA.

This agreement will specify that the cloud service only processes data as directed by the hospital and implements proper data security measures. The DPA will also outline responsibilities and liabilities, particularly in case of a data breach. Without a DPA, the hospital would violate GDPR regulations, risking hefty fines of up to €20 million or 4% of global annual turnover, whichever is higher. The DPA establishes a legal framework for compliant and secure data handling.

Why a DPA is needed

There are several critical reasons why you need a DPA:

• Legal compliance: Article 28 of the GDPR mandates that controllers and processors enter into a contract (DPA). Failure to do so is a direct violation of the GDPR and other applicable data protection laws, including those of each EU member state.
• Proof of due diligence: A DPA is tangible evidence that you are taking data privacy seriously. It shows that you have put in place contractual measures to ensure the compliant processing of personal data.
• Risk management: A DPA clearly defines each party's responsibilities and liabilities in relation to the processing. This helps manage risk by ensuring each party understands their obligations and the necessary steps for remediation in case of a breach.
• Operational control: For controllers, a DPA is a way to maintain control over how processors handle the personal data entrusted to them. It ensures processors only act on the controller's instructions and for the specified business purpose.
• Trust building: Having GDPR-compliant DPAs in place helps build trust with natural persons, regulators, and business partners. It demonstrates that you take data protection seriously.

Versatile application: While essential for organizations handling EU resident data, a DPA is valuable even for companies not subject to GDPR. It provides a framework for defining data processing terms with third parties, regardless of regulatory requirements, including those in the United Kingdom, Switzerland, and under privacy laws like the California Consumer Privacy Act (CCPA).

Ensure GDPR compliance with Rippling

See Rippling

How to create a DPA

Creating a GDPR-compliant DPA involves several key steps:

Identify your processing activities

The first step is to map out your data processing activities. Identify where you are a controller and where you are a processor. For each processing activity, determine:

• The nature of the processing
• The purpose of the processing
• The types of personal data involved
• The categories of data subjects
• The duration of the processing

Engage your processors

For each processing activity where you are the controller, identify your processors and reach out to them to begin the DPA process. Provide them with details of the processing and your DPA requirements. If you're transferring data outside the EEA, you'll need to identify the data exporter and data importer roles and specify how such transfer will be handled.

Draft the DPA

Draft your DPA, ensuring it includes all the mandatory clauses per Article 28 of the GDPR (see 'what should a DPA include' below). Tailor the DPA to the specific processing activity. Use clear, concise language and define any capitalized terms. Consider whether you need to include standard contractual clauses (SCCs) for international data transfers, as approved by the European Commission.

Negotiate and finalize

Negotiate the terms of the DPA with your processor. Be prepared to discuss liability clauses, security measures, audit rights, and data breach protocols. Once agreed, have the DPA signed by both parties. Remember that the governing law of the agreement should be clearly stated.

Implement and monitor

Ensure the agreed DPA terms are implemented in practice. Regularly monitor your processor's compliance with the DPA, and update the DPA as needed if processing activities change. Be prepared to make amendments to the agreement as regulatory requirements evolve.

What should a DPA include?

Here are the essential components that should be included in a DPA:

• Subject matter, duration, nature, and purpose of processing: Clearly define what data is being processed, for how long, and explain why the data is being processed and how it will be used, often included in a schedule or addendum to the main agreement.

• Types of personal data and categories of data subjects: Specify the categories of personal data involved (such as names, addresses, images, or medical records) and identify whose data is being processed (such as employees, customers, or website users).

• Obligations and rights of the controller: Outline the responsibilities and entitlements of the data controller, including ensuring their own compliance with GDPR obligations.

• Processor's obligations: Detail the processor's duties, emphasizing that they can only act on the written instructions from the controller unless otherwise required by member state law, and must ensure confidentiality obligations are in place for authorized persons processing the data.

• Security measures: Describe the appropriate technical and organizational measures to protect the data as required by Article 32 (security of processing), taking into account factors such as the cost of implementation, nature of processing, and potential risks to individuals' rights and freedoms. This should include measures for access control, authentication, and overall information security.

• Sub-processor arrangements: Explain the conditions for engaging sub-processors, including obtaining the controller's permission, informing the controller of any intended changes, and ensuring that the same data protection obligations are imposed on sub-processors.

• Assistance with data subject rights and controller obligations: Specify how the processor will provide reasonable assistance to the controller in responding to data subject requests and assist with the controller's own GDPR obligations relating to security, breach notifications, and data protection impact assessments. This should include details on how to handle such requests from data subjects.

• Data breach notification procedures: Outline the process for notifying the controller of any personal data breaches without undue delay, potentially including specific time limits and required information to be provided.

• Data deletion or return: Clarify what happens to the data after the service ends, requiring the processor to delete or return all relevant personal data to the controller unless continued storage is required by law. This should include details on data retention policies and how to handle such data.

• Audits and inspections: Explain how the processor will make available to the controller all information necessary to demonstrate compliance with Article 28 obligations and submit to audits and inspections, potentially addressing practical considerations such as on-site vs. off-site audits and notice periods.

Discover proven ways to protect your people and your business

See Rippling

Frequently asked questions

Who signs a DPA? 

A DPA is signed by both the data controller and the data processor.

What is a data controller? 

A data controller is the entity that determines the purposes and means of processing personal data. They decide what data to collect and how it will be used.

What is a data processor? 

A data processor is an entity that processes personal data on behalf of the controller, following the controller's instructions. They handle the data as directed by the controller.

Can I use a template DPA? 

While templates can be a useful starting point, they should always be tailored to your specific processing scenario. You can check out the official GDPR template here.

What if my processor refuses to sign a DPA? 

If a processor refuses to sign a DPA, you cannot use them for processing EU personal data. To do so would be a breach of the GDPR. You must find a processor willing to enter into a GDPR-compliant DPA.

Do I need a DPA if my processor is outside the EU? 

Yes, if they are processing EU personal data on your behalf. The GDPR applies to the processing of EU personal data regardless of where the processor is located.

How often should I review and update my DPA? 

It's good practice to review your DPA at least annually and whenever there are significant changes to your processing activities. Updates should be made as necessary to ensure ongoing GDPR compliance.

What role does the supervisory authority play in DPAs?

The competent supervisory authority oversees the implementation of data protection laws in their jurisdiction. They may provide guidance on DPAs, investigate complaints, and enforce compliance. In some cases, you may need to consult with or notify the supervisory authority about certain data processing activities or transfers.

Secure your most sensitive data

See Rippling