If your business collects personal information from users and relies on a third party to process the data, you’ll need a data processing agreement (DPA) to avoid fines for non-compliance under several pieces of privacy legislation around the globe.
Simply put, a data processing agreement is a contract between a data controller and the third-party services it employs to process data on its behalf.
Below we’ll cover more on what a data processing agreement is, what it looks like, and why your business might need one today due to updated and new data privacy legislation.
- What Is a Data Processing Agreement (DPA)?
- Why Are DPAs Needed?
- Do I Need a Data Processing Agreement?
- How Do I Create a DPA?
- What Do I Include In My DPA?
- Who Signs a DPA?
- What Are the Fines for Not Having a DPA?
- Data Processing Agreement Examples
- Tips for Negotiating a DPA
- Data Processing Agreement FAQ
- Summary
What Is a Data Processing Agreement (DPA)?
A data processing agreement — also called a data processing addendum or DPA — is a legal contract in which you determine the rights and obligations of the parties involved in data processing.
Most of the time that includes your business and any third-party services you use.
Your business is the data controller, and any third-party company helping you collect or process data on your behalf is the data processor.
A data processing agreement helps assure users that you’re taking ownership of the data collection process because you verify that the third-party processors you work with treat, handle, and store their information following relevant laws.
Why Are DPAs Needed?
Data processing agreements are needed because they protect your business by contractually obligating any third-party processors you work with to comply with relevant data privacy laws.
Without a DPA in place, there’s a chance your business will be held accountable for the third party’s unlawful data processing practices, should any occur.
That said, no law mandates a document called a "DPA" by name; what the GDPR and the newer US state laws require is a written contract between controller and processor that covers specific points. A DPA is simply the standard form of that contract, and a well-drafted one includes clauses covering the requirements of each privacy regulation you fall under, making compliance easier to demonstrate.
These legal agreements also help set proper customer expectations about how your company handles their personal information.
Initially, using a DPA to create legal contracts was one of the critical components of complying with the General Data Protection Regulation (GDPR).
But as of 2023, five additional US states — California, Utah, Virginia, Colorado, and Connecticut — began requiring contracts similar to DPAs, stipulating that they must include clauses covering the following components:
- Purpose of the data processing
- Type of data processed
- Data processing instructions
- Duration of data processing rights
- Obligations of both parties.
In comparison, Article 28(3) of the GDPR requires a written contract between controller and processor that sets out:
- Subject matter and duration of the processing
- Nature and purpose of the processing
- Type of personal data
- Categories of data subjects
- The obligations and rights of the controller
Laws That Require DPAs
All of the following data privacy laws and regulations require or will require businesses to create contracts with third-party data processors, and using a DPA satisfies those obligations:
- General Data Protection Regulation (GDPR)
- UK GDPR and the Data Protection Act 2018
- California Consumer Privacy Act (CCPA)
- Virginia Consumer Data Protection Act (CDPA)
- Brazil General Data Protection Law (LGPD)
- Thailand Personal Data Protection Act (PDPA)
- UAE Personal Data Protection Act (PDPA)
- South Africa Protection of Personal Information Act (POPIA)
- Colorado Privacy Act (CPA) — in force July 1, 2023
- Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) — in force July 1, 2023
- Utah’s Consumer Privacy Act (UCPA) — in force December 31, 2023
Most of these regulations have an extraterritorial scope, so they may apply to your business even if you're outside their traditional territorial boundaries.
The specific contractual obligations also vary slightly, so review each piece of legislation you fall under to learn how it affects the contents of your DPAs.
Do I Need a Data Processing Agreement?
You may need a data processing agreement to avoid penalties for non-compliance under any previously listed data privacy laws.
The GDPR, for example, applies to organizations established in the EU and to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour (Article 3), so a website or app serving EU users can fall within its scope wherever the business is based.
Under Article 83 of the GDPR, the most serious infringements carry fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher. Failing to put a compliant processor contract in place under Article 28 falls in the lower tier of Article 83(4): up to €10 million or 2% of worldwide annual turnover, whichever is higher.
To avoid those risks, follow guidelines for GDPR compliance, including preparing a data processing agreement.
The amended CCPA also requires a contract if a business discloses personal user data to contractors, service providers, and third parties.
In the following sections, let’s define these terms and explain how they relate to DPAs.
Contractors and Service Providers
Due to the California Privacy Rights Act (CPRA) amendments to the CCPA, any entity that processes personal information on behalf of a business or receives consumer personal information for business purposes must have a written contract. You can meet this guideline using a DPA.
But there is a difference between how the CCPA defines contractors and service providers.
Legally, the definition of a contractor is broader than the definition of service provider. It includes anyone a business makes consumers’ personal information available to for business purposes.
On the other hand, a service provider is simply an entity that “processes information” for a business.
According to the amended CCPA, contractors should certify their understanding of the contractual requirements.
These contracts require provisions that:
- Prohibit the contractor from selling or sharing the personal information
- Prohibit retaining, using, or disclosing the personal information outside of the direct business relationship between the contractor and the business
- Prohibit combining the personal information with personal information from other sources
- Require the contractor to notify the business of any sub-processors it engages
- Bind those sub-processors by written contract to the same processing obligations
- Obligate both parties to monitor their own legal compliance
Contractors must also receive personal information directly from the business, whereas service providers can receive personal information on behalf of the business.
This implies that businesses have greater control over contractors than service providers, which is reinforced by the obligation for contractors to prove their understanding of the legal contractual requirements.
Third Parties
According to the CCPA, a third party is any entity other than the business with which the consumer intentionally interacts and that collects the consumer's personal information as part of that interaction, and other than a service provider or contractor to that business.
So, strictly speaking, service providers and contractors are not third parties under the CCPA; they are separate categories, each requiring its own form of written contract, though the amended law imposes similar protections across all three.
Under the CCPA, contracts with third parties must include provisions requiring that the use limitations and privacy protections remain in place for the personal information throughout the entire supply chain.
These contracts must also allow some level of due diligence by the business to help ensure third-party processing remains consistent with the new CPRA obligations that amended the CCPA.
Third parties, in turn, must notify the business if they can no longer meet their obligations under the amended CCPA and must grant the business the right to take "reasonable and appropriate steps" to stop and remediate unauthorized use of personal information.
How Do I Create a DPA?
Your business might work with several third parties for data processing and require multiple DPAs, so let’s talk about the following ways you can make these contracts:
- Seek out a legal professional
- Try a managed solution
- Customize a free, downloadable template
- Take a do-it-yourself (DIY) approach and write the contract yourself
Seek Legal Assistance
If you’re a massive company that deals with a lot of user data, your best option is to seek out a legal team to help you draft a DPA.
Managed Solution
One of the quickest and simplest methods for creating a DPA is to use a managed solution, like a Data Processing Agreement Generator.
While you’ll likely need to pay a small monthly or annual fee to use a managed solution, it takes all of the guesswork and confusion out of making this technical contract.
All you need to do is answer a few simple questions about your business and the third-party entity, and it will generate a compliant DPA based on your answers.
Template
If you want to make a DPA without spending a dime, try using a free, downloadable data processing agreement template.
Using a template takes more time and effort than a managed solution, but a well-written template will have some of the initial writing, formatting, and standard clauses already in place for you.
DIY
You can also take a do-it-yourself approach and write your own data processing agreements.
This is a challenging option but doable as long as you have the right technical knowledge, skills, and awareness of data privacy laws.
If you decide to take this route, read through the rest of this guide for tips on what to put in your agreement.
What Do I Include In My DPA?
The specific details of your data processing agreement depend on which privacy laws you must follow, but most of them call for the same core information covered above: the purpose and nature of the processing, the types of personal data and categories of data subjects, the processing instructions, the duration of the processing, and the obligations and rights of both parties.
If you include all of those details, your DPA should meet the legal requirements outlined by most data privacy legislation around the globe. However, in the next section, we'll briefly list the GDPR requirements for contracts, which feature some stricter guidelines.
What Does a GDPR DPA Require?
According to Article 28(3) of the GDPR, the contract with your processor must cover eight points:
- The processor processes personal data only on the controller's documented instructions, including with regard to transfers to third countries.
- The processor ensures that persons authorized to process the data have committed themselves to confidentiality or are under a statutory obligation of confidentiality.
- The processor takes all security measures required under Article 32 (security of processing).
- The processor does not engage another processor (a sub-processor) without the controller's prior specific or general written authorization, and flows down the same obligations to any sub-processor it does engage.
- The processor assists the controller, as far as possible, in responding to data subjects exercising their rights.
- The processor assists the controller in meeting its obligations under Articles 32 to 36 (security of processing, breach notification, data protection impact assessments and prior consultation).
- At the end of the services the processor, at the controller's choice, deletes or returns all personal data and deletes existing copies, unless EU or Member State law requires the data to be stored.
- The processor makes available all information necessary to demonstrate compliance and allows for and contributes to audits, including inspections, conducted by the controller or an auditor it mandates.
This might seem like a lot, but we’ve outlined some examples of real-life data processing agreements in the next section to help inspire you when you make your contract.
The European Commission has also published standard contractual clauses for controller-processor contracts under Article 28(7) (Implementing Decision (EU) 2021/915), which you can use as a starting point.
Who Signs a DPA?
For your DPA to be legally binding, both the data controller (i.e., your business) and the data processor (i.e., the third party) must sign it. Sub-processors don't usually sign the main DPA; instead, the processor must bind each of them by a separate written contract imposing the same data protection obligations (GDPR Article 28(4)).
So in the next section, let’s talk about how to tell if the DPA presented to you is worth signing from both perspectives or if further negotiations should take place first.
Signing a DPA as the Data Controller
If your business hires a third party to process data, you must create and sign a DPA as the data controller.
Before you sign a data processing agreement as the data controller, ensure that it meets the following standards:
- It clearly outlines how the processor can use the personal data
- You trust that the processor can protect the data and respond quickly if issues arise
- The scope of the processing falls within the legal basis you have for processing the data
- It addresses and plans for any international data transfers
These are vital measures because, under regulations like the GDPR, the controller remains accountable for processing carried out on its behalf: if a processor causes a breach, the controller can still be fined and face claims from data subjects, even though the error was on the processor's end (processors also carry direct obligations and can be fined in their own right).
If you doubt the security practices or integrity of the third-party processors you may go into contract with, reconsider the relationship or rework the agreement.
Signing a DPA as the Data Processor
If you’re a data processor, you should still understand the ins and outs of data processing agreements, as you’ll be signing many of these contracts to do your work.
When signing a DPA as the data processor, there are a few things to look out for to ensure the contract is suitable, like:
- Verify that all applicable data privacy laws you fall under are accounted for within the contract
- Ensure that you can adequately meet all safety and security requirements
- Keep the personal data up-to-date and accurate
- Prepare a procedure for assisting the controller when consumers exercise their privacy rights
- Ensure all of your sub-processors also sign and can follow the stipulations in the DPA
The data processor’s responsibility is to properly store and handle consumer personal information per the DPA and any applicable data privacy laws. You also need to verify your sub-processors can do the same.
What Are the Fines for Not Having a DPA?
Failing to put a compliant DPA in place could result in hefty fines, loss of consumer trust and, under some of the laws below, criminal liability.
Below, see a table comparing the potential penalties for some data privacy laws that stipulate contract requirements between data controllers and processors.
| Data Privacy Law | Penalties for Non-Compliance |
| --- | --- |
| General Data Protection Regulation (GDPR) | |
| UK GDPR and the Data Protection Act 2018 | |
| California Consumer Privacy Act (CCPA) | |
| Virginia Consumer Data Protection Act (CDPA) | |
| Brazil General Data Protection Law (LGPD) | |
| Thailand Personal Data Protection Act (PDPA) | |
| UAE Personal Data Protection Act (PDPA) | |
| South Africa Protection of Personal Information Act (POPIA) | |
| Colorado Privacy Act (CPA), in force July 1, 2023 | |
| Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA), in force July 1, 2023 | |
| Utah Consumer Privacy Act (UCPA), in force December 31, 2023 | |
The risks aren't worth it: have an effective and compliant DPA in place to protect your consumers' personal data and the integrity of your business.
Data Processing Agreement Examples
Let’s look at a couple of examples of data processing agreements to see how other companies meet the requirements of data privacy regulations, like the GDPR and the amended CCPA.
Example 1: LinkedIn’s Data Processing Agreement
The first sample data processing agreement we’ll consider comes from the professional networking website LinkedIn.
Their agreement opens with a simple table of contents.
We like their logical structure, as this helps both parties verify that it covers all necessary stipulations and guidelines.
They also clearly define all terms in their agreement up front. This is an excellent idea because it clears up any confusion and limits the chances of misinterpretation.
Later in the agreement, they use tables to communicate what categories of personal data get transferred from controller to controller compared to the data that gets transferred from the controller to the processor.
This organizes complex information clearly, which helps ensure that every party signing the agreement understands the terms.
Example 2: Yahoo’s Data Processing Agreement
Next, let's look at the DPA for Yahoo. Notice that they avoid large walls of text, which makes the document easier to read and understand.
The document is organized neatly, and its clear section headings make it easy to navigate.
Their clause explaining their obligations regarding European privacy laws is phrased simply.
Finding the balance between clear language and legally compliant phrasing gets complicated, so use Yahoo’s DPA as an example of how to do this successfully.
Example 3: Mailchimp’s Data Processing Agreement
Finally, let’s look at the data processing agreement for the email marketing service Mailchimp.
They do a great job combining and communicating data processing contractual requirements from different pieces of legislation, a tricky balancing act.
Specifically, Annex C of the DPA clarifies their contractual obligations and requirements in the different terms used by the jurisdictions they are subject to — California and Canada — in addition to the GDPR.
Compare their information regarding California data processing with their information regarding Canadian data processing: the same obligations are restated in the terms of each jurisdiction's law.
Directly referencing data privacy laws like this is a great way to ensure you fully comply with all legal guidelines and requirements. Consider doing the same thing within your data processing agreements.
Tips for Negotiating a DPA
When negotiating a data processing agreement, you want to ensure the agreement adequately follows all applicable data privacy laws and outlines favorable business terms.
To successfully create a DPA that does both, we recommend the following steps:
Data Processing Agreement FAQ
Below, check out the most frequently asked questions we get about data processing agreements.
Are DPAs legally required?
No law mandates a document called a "DPA" by name, but laws like the GDPR (Article 28(3)), the amended CCPA, and the CDPA do require a written contract between a business and its third-party processors covering specific points, and a DPA is the standard way to satisfy that requirement.
Is a Data Processing Agreement a contract?
Yes, a data processing agreement is a legally binding contract between a business and a third-party data processor. It explains the rights and obligations of each party concerning personal user data.
What is the difference between a Data Processing Agreement and a Data Sharing Agreement?
A data sharing agreement is typically between two data controllers — i.e., businesses — and outlines what happens to the data at each stage, how it gets shared, and how it’s used.
In contrast, a data processing agreement is a contract between a controller and a data processor that outlines security and safety measures and limits how the third party can use the data.
What is the difference between a Data Processing Agreement and a Privacy Policy?
A data processing agreement is a contract between a business and any third-party data processors to ensure user personal data is stored safely and used in ways that respect consumer rights.
In contrast, a privacy policy explains to your users what data you collect, use, and process and your legal basis for doing so.
How Do I Create a DPA?
You can create a data processing agreement using a managed solution, like a DPA generator, by downloading and customizing a free downloadable template, or by writing up the document yourself.
Summary
Having a DPA is a critical component of data privacy compliance under multiple laws, including the GDPR, the CCPA as amended by the CPRA, and more.
This legally binding contract helps you avoid hefty fines while building up trust with your clients by demonstrating that you and your data processor(s) are responsible and trustworthy.
Whether you choose to seek legal counsel, write one yourself, use a template, or access a data processing agreement generator, ensure your contracts abide by all relevant data privacy laws, appropriately limit your liabilities, and verify that any third-party processors you partner with are qualified to protect and store your consumers’ personal information adequately.