Organizations often rely on third-party service providers to process data on their behalf for a variety of purposes, such as managing customer relationships, handling payroll, conducting marketing campaigns, or analyzing website performance, to name just a few. While outsourcing these functions can help organizations work more smoothly, it also introduces data privacy and security risks, such as data breaches or unauthorized access.
A data processing agreement (DPA) helps mitigate these risks by outlining clear responsibilities for both parties, the entity that collects data and the third-party service provider that processes it on their behalf. It enables personal data to be handled securely and helps organizations maintain compliance with global data privacy laws like the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA).
We look at what a data processing agreement is, when it’s required, and what must be included to achieve regulatory compliance.
What is a DPA?
A data processing agreement (DPA) is a legal contract between two key parties involved in the handling of personal data or personal information: the data controller and the data processor. It outlines the responsibilities of both parties and establishes clear guidelines for how data will be processed.
The data controller (or controller) is the entity, such as a business or other organization, that determines the purpose and means of processing personal data. It is responsible for ensuring that data processing complies with applicable laws.
The data processor (or processor) is a third-party entity that processes personal data on behalf of the controller and under the controller’s instructions.
A data processing agreement is also known as a data privacy agreement, data protection agreement, or data privacy addendum. Some laws simply refer to it as a contract between the controller and processor.
The term “processing” refers to any operation or set of operations performed on personal data, whether manual or automated. The GDPR definition of the term includes “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” as operations that constitute processing.
What is the purpose of a data processing agreement?
A data processing agreement (DPA) plays a central role in ensuring that personal data is handled properly when shared between a data controller and a data processor. Its purpose is to create a clear framework that protects personal data and aligns both parties with the requirements of data protection laws.
Assists in meeting legal requirements
A DPA serves as a legally binding document that sets out the obligations of both the controller and the processor under applicable data protection laws. Some of the regulations that mandate a DPA include:
- European Union General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA)
- United Kingdom General Data Protection Regulation (UK-GDPR)
- South Africa Protection of Personal Information Act (POPIA)
- Thailand Personal Data Protection Act
- India Digital Personal Data Protection Act (DPDP Act)
- China Personal Information Protection Law
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
Since many of these laws have extraterritorial reach, even companies operating outside these regions may need to comply when handling personal data of people from within those jurisdictions. By having a DPA in place, businesses reduce the risk of legal penalties associated with noncompliance.
Clarifies responsibilities of the parties
The DPA clearly defines the roles and responsibilities of the data controller and processor. It specifies how personal data will be processed, stored, and protected, helping to ensure the processor acts solely on the controller’s instructions. This clarity helps prevent misunderstandings and helps ensure that both parties adhere to their obligations regarding data handling.
Helps protect data subjects
A DPA details the technical and organizational measures that both parties must follow, including specific security measures the data processor must implement. These can include encryption, access controls, and regular security audits, all designed to safeguard personal data from unauthorized access or breaches.
Establishes protocols
A DPA establishes clear procedures for handling personal data, including the engagement and use of sub-processors. It outlines specific provisions for data security, breach notification procedures, and the responsibilities of each party in the event of a data incident. This structured approach helps both parties know exactly what steps to take if a security issue arises, reducing the risk of delays or confusion during critical moments.
Facilitates international data transfers
When personal data crosses borders, the agreement outlines the safeguards required to ensure that the data receives the same level of protection it would under domestic laws. This might include the use of standard contractual clauses (SCCs) when transferring data to countries that don’t have robust privacy laws.
When is a data processing agreement required?
A data processing agreement is required whenever an entity acting as a controller shares personal data with a third-party service provider for processing purposes. The DPA must be signed before any data processing takes place.
Small businesses, sole proprietors, nonprofits, government organizations, and others must enter into DPAs if the following conditions apply:
- they are required to comply under a regulation that mandates a DPA, based on the location of the data subject and specific compliance thresholds related to the type of entity, annual revenue, or other relevant criteria
- they are considered a data controller, meaning they are responsible for determining the purpose and means of processing
- they share data with third-party processors for processing purposes
If you collect or process data from an individual in the EU/EEA, you must comply. For US states’ privacy laws, check the compliance thresholds to determine if you must comply.
Entities that are considered data processors under the law and process personal data on behalf of and on the instructions of controllers must enter into a DPA with the controller.
Here are some examples of situations when a data processing agreement would be required:
- if your organization hires an external IT support firm to manage your systems, and they have access to employee or customer personal data, you need a DPA to ensure they handle the data securely and comply with privacy laws
- when you use a payment gateway like Stripe or PayPal to handle online transactions, a DPA is required because the payment processor accesses personal data like names, addresses, and payment information
- if you use a platform like HubSpot or Mailchimp to manage your email campaigns, newsletters, or marketing communications, you need a DPA as these platforms process personal data such as email addresses and interaction history on your behalf
- if you host your website with a service provider like Amazon Web Services (AWS) or GoDaddy, and personal data from your website, for example through user accounts or contact forms, is stored on their servers, you must have a DPA to regulate the processing and protection of that data
- when you hire a recruitment agency to manage job applications and collect candidates’ resumes or contact details on your behalf, a DPA is required to ensure the secure handling of the personal data involved in the recruitment process
- if you work with a logistics provider to handle your product deliveries, and they have access to customer data like addresses or order history, you need a DPA to protect that personal information
Cookies and data processing agreements
Tracking cookies often collect personal data like IP addresses and browsing behavior, which qualifies as personal data under many global data protection regulations. When businesses use cookies to gather this data, they often rely on third-party service providers, such as analytics or marketing platforms. This makes it necessary for businesses to enter into DPAs with these third parties to ensure that the processing of cookie data complies with applicable data privacy laws.
Under the GDPR, cookies that collect personal data require explicit consent from users, with the exception of strictly necessary cookies. If a business uses a third-party data processor to process data from cookies, the DPA should outline how that processor will handle personal data collected through cookies, including security measures and compliance with users’ right to revoke or withdraw consent. Websites that collect personal data in this manner should use a consent management platform (CMP) to obtain cookie consent.
The CCPA/CPRA doesn’t require explicit consumer consent to collect personal information through cookies in many cases, with some exceptions, such as sensitive information and minors’ personal information. However, consumers have the right to opt out of the sale or sharing of their personal information, and to limit the use or disclosure of sensitive information. If a business uses cookies to collect data that could be sold or shared, the DPA should include clauses that ensure the third party complies with the opt-out rights of consumers and provides transparency about data usage.
What needs to be included in a data protection agreement?
The specific contractual obligations in a DPA can be different depending on the data privacy law in question. Art. 28 GDPR and the CCPA/CPRA specify particular requirements that must be included in a DPA. Some regulations simply state that a contract is necessary, without detailing the DPA requirements.
Regardless of the specific law, a well-structured DPA should generally include the following elements:
- purpose and scope of processing
- types and categories of personal data to be processed
- how long the data will be retained
- obligations of the controller and processor
- technical and organizational measures to be implemented for data security
- provisions regarding engagement and use of sub-processors
- provisions regarding data return or deletion
- how the processor will assist the controller in fulfilling its obligations related to data subjects’ rights
- procedures for data breach notifications, including timelines and responsibilities
What are the GDPR DPA requirements?
Art. 28 GDPR requires controllers to enter into agreements with processors to ensure that personal data is processed securely and in compliance with the law. These agreements must include the following key provisions:
- processors can only process personal data based on the documented instructions of the controller, including restrictions on transferring data outside the EU unless explicitly instructed
- processors must ensure that anyone authorized to process the personal data is bound by confidentiality obligations
- DPA must detail the technical and organizational measures that the processor will take to protect the personal data under Art. 32 GDPR, including encryption and data access controls
- processors cannot engage another processor (sub-processor) without the controller’s written authorization
- if appointed, a sub-processor must be bound by the same data protection obligations as the processor
- processors must assist the controller in fulfilling obligations related to data subject rights, such as access, rectification, and erasure requests
- at the end of the contract, processors must either delete or return all personal data to the controller, unless retention is required by law
- processors must permit the controller to audit and inspect the processing activities to ensure compliance with the GDPR
- processors must assist the controller in fulfilling its obligations under the GDPR, particularly Art. 32 to 36, which include data security, data breach and notifications of breach, data protection impact assessments, and prior consultation
Some entities are required to appoint a Data Protection Officer (DPO) under the GDPR. One of the DPO’s key tasks is to monitor compliance with the GDPR, which includes ensuring that controllers have the necessary DPAs in place when sharing personal data with processors.
What are the CCPA/CPRA DPA requirements?
Under Section 1798.100(d) of the CCPA, as amended by the CPRA, businesses (the regulation’s term for controllers) must have contracts with third parties, service providers, and contractors when sharing consumers’ personal information. These contracts are equivalent to DPAs and must include the following:
- that personal information shared between the business and the third party, service provider, or contractor can only be used for the purposes outlined in the agreement
- the third party, service provider, or contractor must be obligated to comply with applicable obligations under the regulation, including providing the same level of privacy protection as businesses are required to provide
- businesses have the right to ensure that the third party, service provider, or contractor handles the personal information in line with the business’s obligations under the regulation
- if the third party, service provider, or contractor realizes they can’t meet their data protection obligations anymore, they must inform the business
- businesses can take steps to stop and correct any unauthorized use of personal information if they are notified of a problem
What are the fines for not having a data privacy agreement?
Not entering into a DPA when legally required can lead to significant consequences, including violations of data protection laws that may trigger hefty fines and result in reputational damage.
Under the GDPR, the penalties for noncompliance can be severe. The regulation establishes two tiers of fines based on the nature and severity of the infringement:
- for less severe infringements, organizations can face fines of up to EUR 10 million or 2 percent of the company’s total global annual revenue from the preceding financial year, whichever is higher
- for more serious violations, fines can reach up to EUR 20 million or 4 percent of the company’s total global annual revenue, whichever is higher
The enforcement of these fines is carried out by data protection authorities in each EU member state, which assess the situation based on various factors, including the nature and gravity of the infringement.
The CCPA/CPRA also imposes penalties for noncompliance, including the failure to establish necessary contracts like DPAs. Businesses that violate the CCPA can be subject to civil penalties of up to USD 2,500 for each unintentional violation and up to USD 7,500 for each intentional violation.
Signing the DPA as a controller
When signing a DPA as a controller, you’re the entity that determines why and how personal data will be processed.
You must ensure that the agreement clearly outlines how the processor can use personal data, and verify that the processor commits to complying with all relevant data privacy laws. The processor should agree to process data only based on your explicit instructions.
You are ultimately responsible for the data processing activities, which means you must consider the implications of any international data transfers and ensure that the processor complies with all relevant regulations.
By meticulously reviewing and signing the DPA, you ensure that the processor is legally bound to protect the personal data in line with your regulatory obligations, helping you achieve compliance.
Signing the DPA as a processor
When signing a DPA as a processor, you’re the entity processing personal data on the controller’s behalf. You’re also responsible for complying with the obligations specifically laid on you under the different data privacy laws.
You must agree to process personal data only based on the controller’s written instructions, and ensure that all personnel authorized to process the personal data are bound by confidentiality obligations, either through employment contracts or other legal agreements.
You should also ensure that the DPA accounts for all applicable data privacy laws and be prepared to provide the controller with all information necessary to demonstrate compliance with data protection obligations.
You’re responsible for ensuring that any sub-processors you engage comply with the terms of the DPA, and you must obtain the controller’s consent before engaging sub-processors.
How to create a data processing agreement
There is no mandated process for drafting a DPA under any of the regulations that require it. Businesses are free to draft a DPA themselves, use a template or guide, or engage a qualified legal professional to draft the DPA for them.
The United Kingdom’s Data Protection Authority, the Information Commissioner’s Office (ICO), has published a checklist you can use as a starting point if you wish to draft a DPA yourself.
It is advisable to consult a qualified legal professional or privacy expert, such as a Data Protection Officer (DPO), to draft or review your DPA. Since a DPA is a binding legal agreement, professional guidance helps to confirm that it complies with all the requirements of the relevant privacy laws, enhancing your DPA compliance.
A legal expert can help tailor the agreement to your specific data processing activities and identify any potential legal pitfalls.
A data processing agreement (DPA) is a legally binding contract between a data controller and a data processor that outlines the terms and conditions for processing personal data. It specifies each party’s responsibilities and is meant to ensure compliance with relevant data protection laws, such as the GDPR or CCPA/CPRA. The DPA sets out how personal data should be handled, protected, and managed to safeguard the rights and privacy of individuals.
Yes, data processing agreements (DPAs) are legally required under data protection laws like the GDPR and CCPA/CPRA when a data controller engages a third-party data processor to handle personal data on its behalf.
There’s no legal requirement that the DPA should be a separate document. It can be incorporated into a broader contract, such as a master services agreement, as long as it includes all the required clauses mandated by relevant data protection laws.
However, considering the importance of the DPA in achieving regulatory compliance and the detailed provisions required, it is advisable to create a separate contract. A standalone DPA can be more easily reviewed and updated based on changes in regulations or your data processing activities and policies.
Not having a DPA when required can result in legal penalties, including substantial fines under regulations like the GDPR and CCPA/CPRA. It also increases the risk of damage to your organization’s reputation.
A DPA is needed whenever a data controller engages a third-party processor to handle personal data on their behalf. This applies to any processing activities that involve personal data.
Yes, the GDPR explicitly requires a DPA under Art. 28 whenever a data controller uses a data processor to process personal data. The DPA must include specific provisions outlined in the regulation.
The purpose of a DPA is to establish legally binding terms for how a data processor handles personal data on behalf of a data controller. It enables compliance with data protection laws, outlines responsibilities, and protects the rights of data subjects.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.