DPA (Data Processing Agreement): Meaning, What It Is, When You Need One

A Data Processing Agreement (DPA) is an essential requirement under many data protection laws, like the GDPR.

In this guide, we’ll explain the DPA meaning, when you need one, how to write a DPA, and give you a handy template that you can use for your Data Processing Agreements.


What does DPA stand for?

DPA stands for Data Processing Agreement. A Data Processing Agreement is a legally binding contract between two parties: a company or organization that controls personal data (called the “data controller”) and a third-party service provider or partner that processes this data on their behalf (called the “data processor”).

The agreement sets out the rules and requirements for how the data processor must handle, protect, and use personal data, ensuring it is kept safe and used only for the specific purposes allowed by law and agreed upon by both parties.

💡 DPA can also stand for Data Protection Authority

The DPA meaning can vary depending on what you’re looking for. In data protection, the same acronym can be used to describe a Data Protection Authority, the national authority that regulates and enforces data protection laws in each country.

When do you need a DPA?

Most data protection laws require an agreement between a data controller and its processors:

  • The European GDPR sets out this requirement in Article 28: Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller.
  • The Swiss FADP also requires the processing to be assigned by contract (Article 9).
  • The Brazilian LGPD states that the processor shall carry out the processing according to the instructions provided by the controller (Art. 39), and that both controllers and processors should keep records of personal data processing operations (Art. 37).
  • In the United States, different Privacy Laws apply at the state level, but the requirements around DPAs are generally consistent across the country. A DPA is generally required when a processor has access to and processes personal data on behalf of the controller.

So – no matter where you are based – if you’re a controller who needs to assign certain processes to a contractor, or you are the processor who needs to carry out the processing on behalf of the controller, you should likely sign a DPA agreement.

An example of processing on behalf of a controller

An e-commerce business that relies on dropshipping is a good example of processing on behalf of someone else. Let’s say you are the owner of an e-commerce store, but you rely on a contractor to ship your customers’ orders. You would need to share your customers’ personal information with the contractor so that they can fulfill the order. Before doing so, you must sign a data processing agreement.

What to include in a GDPR Data Processing Agreement

As set out in Article 28 of the GDPR, a DPA contract should include:

The subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.

Let’s break it down to understand the DPA meaning better.

1. Identification of the Controller and the Processor

The first section should clearly identify the controller and the processor, and define their responsibilities in regard to the processing. By signing the DPA, the processor agrees to act only on the instructions of the controller.

2. Scope and purpose of processing

In this section, you should outline the scope of the agreement, that is what data processing activities the processor will handle on behalf of the controller and for what purpose.

Do not forget to include:

  • The categories of personal data involved in the processing (e.g., personally identifiable information, statistical or other usage data observed on the internet, customer history, payment data, etc.).
  • The categories of data subjects involved (e.g., customers, potential customers, internet users, employees, etc.).
  • The duration of the contract.

3. Technical and organizational measures

The processor agrees to process the data in accordance with the law and to apply all the security measures necessary to protect the data from misuse or breaches. The controller will review and approve the security measures applied by the processor.

You should also include the specific technical and organizational security measures that the processor must implement to protect personal data, such as encryption, access controls, or regular security audits and ensure that the processor provides sufficient guarantees to this effect.

4. Data transfer abroad

Specify whether data transfers abroad are allowed:

  • If not, the processor agrees not to process personal data outside the agreed region (for example, the European Union).
  • If yes, attach a list of the countries where the data will be transferred, what data processing activity will take place there, and what is the legal basis for the transfer.

5. Data Subjects rights

In this section, specify that the processor should help the controller respond to data subject requests (e.g., requests for data access, correction, deletion) and that the processor must assist in fulfilling these requests promptly, following the controller’s instructions.

6. Further duties of the Processor

Besides complying with the requirements set out in the DPA agreement, the processor also commits to meet all applicable requirements under the law. For example, the processor must:

  • Appoint a Data Protection Officer (DPO), or an EU Representative, if necessary.
  • Carry out the processing in confidentiality and limit access to the data.
  • Cooperate with the Supervisory Authority, when needed.

7. Sub-Processors

The processor may in turn outsource part of its activity to a sub-processor.

This section of the DPA specifies that sub-processors are subject to the same rules defined in the contract, but the processor may be held responsible for their activity if the sub-processors fail to carry out their duties.

The processor should also include a list of all sub-processors that it intends to rely on.

8. Audits

The controller has the right to carry out audits on the activity of the processor, to check whether it is complying with the DPA contract and following the law as required. The processor will not hinder the audits.

9. Data breach notification

The processor must promptly notify the controller of any data breaches. In the DPA, outline the procedure for such notifications, including the timeframe, information to be provided, and any assistance in responding to the breach.

10. Liability

This clause is very important to address potential problems. You should outline each party’s liability for data breaches or violations of the DPA.

According to Article 82 of the GDPR, if a data subject believes that their data has been processed unlawfully, both parties can be held liable. Therefore, the data subject can seek compensation from either the controller or the processor, or both. Later, the controller and processor can settle any responsibility between themselves.

11. Termination and consequences

Outline the conditions under which the DPA may be terminated and the procedure for the secure handling of data upon termination. Normally, all data processed by the processor on behalf of the controller must be deleted or returned following the termination of the DPA, unless the processor is legally obliged to retain the personal data.

Who needs to sign a Data Processing Agreement?

As follows from the DPA meaning above, both the data controller and the data processor need to sign the Data Processing Agreement.

DPA Examples and Template

To have a clearer idea of how all these elements come together in a DPA, let’s take a look at a practical example.

As a SaaS business, we at iubenda had to create our Data Processing Agreement, which has become a binding part of our contractual relationship with our users.

You can use our document as a model for yours, or, better, download our DOC template, which you can customize to your needs!

Wondering how you can create your DPA easily?

We’ve got your back! We’ve created a handy DOC template that you can download and adapt to your activity. Download it here 👉 Data Processing Agreement (GDPR Template)

About us

iubenda

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com