If you want to know how to write a lawful data processing agreement (DPA), you’re in the right place. In this blog post, we’ll walk you through all the important elements of a DPA under the General Data Protection Regulation (GDPR).
Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but doesn’t provide legal consultancy. If you’d like to make sure that you comply with GDPR, we encourage you to consult an attorney.
What is a DPA?
GDPR imposes many obligations on those who want to collect and use personal data. One of the most important is signing a DPA with every party that processes this data on your behalf. A DPA, or commissioned data processing clause, is a legally binding document signed between the controller and the processor (Article 28(3)). It regulates the particularities of data processing, such as:
- The scope and purpose of the processing
- The relationship between these actors
- The obligations of each party under the regulation
When do you need a DPA?
Whenever a data processor carries out any processing on your behalf, you need to have a written contract in place.
This means that you need a DPA, for example, when you use customer relationship management platforms (CRMs), customer data platforms (CDPs), analytics and many other types of tools designed to analyze user behavior.
The contract is important so that both parties understand their role in handling users’ personal data and their obligations arising from it. It ensures that the chain of responsibility is clear to each participant in the process.
This isn’t anything new. Signing this kind of document is required by many other data privacy regulations, including the British Data Protection Act and GDPR’s predecessor, the Data Protection Directive 95/46/EC.
That said, under GDPR the contract requirements are broader. They also help to demonstrate compliance of each party in case of an audit by data protection authorities.
According to the UK Information Commissioner’s Office:
Contracts between controllers and processors ensure that they both understand their obligations, responsibilities and liabilities. They help them to comply with the GDPR, and help controllers to demonstrate their compliance with the GDPR. The use of contracts by controllers and processors may also increase data subjects’ confidence in the handling of their personal data.
Does a DPA have to be a separate document?
There’s no legal restriction stipulating that a DPA can’t be a part of a regular contract between the processor and the controller. However, considering the complexity of the task, it’s good to create a separate document or annex to the main contract.
What should be included in a DPA?
GDPR gives some general guidance on what to include in a DPA. Based on the regulation, as well as our own experience and expertise, we’ve prepared a list of elements every data processing agreement should have.
1) General clauses
In this part of the contract you specify the terms used in the document. Among other things, you should define:
- The subject of the agreement – typically that would be all activities related to the contractual relationship between partners.
- The scope, nature, purpose and duration of data processing – how personal data will be used, for what purpose and for how long. Article 28(3) requires these details to be set out in the contract. Both parties have obligations under GDPR, but responsibility for the lawfulness of the processing as a whole rests with the data controller (you).
- The subjects of data processing – whose data you want to process, for example, children, banking clients, patients or simply website visitors. Data subjects can fall into more than one category.
- Type of data you want to process – different categories of data you want to process. This could be, for example, technical characteristics of the browser, behavioral data on website activities or IP addresses.
The controller should inform the data processor if they collect special categories of data, as there are more restrictions on the processing of particular data types. If you want to learn more about the categories of personal data, read this blog post.
- Data storage and transfers – GDPR doesn’t forbid companies from storing users’ personal data outside the EU, but it restricts such transfers (see Chapter V, Articles 44-50). Under Article 28(3)(a) the processor may transfer data to a third country only on your documented instructions, so the processor shouldn’t move data outside the EU without your prior authorization. If data is to be kept abroad, describe the transfer mechanism and the safeguards the processor must apply to match the protection standards set by GDPR. As these instructions should be detailed, it’s worth including them in a separate clause or even an annex to the contract.
Since the end of Privacy Shield, transferring data from the EU to the US has become even trickier. Read more about it here: The invalidation of Privacy Shield and the status of EU-US data transfers
- Conditions of contract termination – Here you should state that all data about your users has to be removed from the processor’s databases after the termination of the contract. You should also detail when you have the right to terminate the agreement – for instance, if the processor fails to inform you about a data breach or makes unauthorized changes to data processing procedures.
2) Rights and responsibilities of data controllers (you)
You should also list your duties as the data controller and include the following provisions:
- You’re responsible for establishing a lawful basis for the processing and for observing the rights of data subjects, including obtaining consent where it is required and handling data subject requests.
- You’re responsible for issuing documented instructions about data processing (the processor may only act on them) and for naming the people on your side who serve as the point of contact.
To learn more about what GDPR has to say about the role of the data controller, read Article 24.
3) Responsibilities of data processors
Articles 28-37 of GDPR (in particular Articles 28, 30, 32, 33 and 37) set out responsibilities for data processors. Among other things, they:
- Must provide adequate information security (Article 32)
- Shouldn’t engage sub-processors without your prior written authorization, whether specific or general (Article 28(2))
- Must cooperate with the authorities in the event of an inquiry
- Must report data breaches to you without undue delay after becoming aware of them (Article 33(2))
- May need to appoint a data protection officer (Article 37)
- Must give you the opportunity to carry out audits to examine their compliance
- Must keep records of the categories of processing carried out on your behalf (Article 30(2))
- Must comply with EU transborder data transfer rules
- Must help you comply with data subjects’ rights, including the processing of data subject requests
- Must assist you in managing the consequences of data breaches
- Must delete or return all personal data at the end of the contract, at your choice, and delete existing copies unless EU or member state law requires them to be kept
- Must inform you immediately if, in their opinion, your processing instructions infringe GDPR
A DPA shouldn’t leave any room for misinterpretation. To avoid gray areas, remember to:
- Set the time frames in which the data processor must process data requests and within which the data processor has to inform you about a data breach
- Disclose contact details of your data protection officer
- Specify if and how often you plan to carry out audits on the processor and who will cover the expenses involved
That way you make sure that there are no weak links and the data processor knows exactly what you expect of them.
The provisions of this part of the contract should be adapted to the specific needs of the organization and industry-relevant requirements. Study the data processor’s responsibilities in more detail.
4) Technical and organizational measures
This point of the contract relates to systems and procedures that data processors implement to ensure the safety of personal data, facilitate compliance with the law and avoid data breaches.
According to Article 32 of the Regulation:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- The pseudonymisation and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
The contract should state that the data processor has to implement all necessary technical and organizational measures before starting to process users’ personal data. After all, one of the key roles of a DPA is ensuring that processors provide sufficient guarantees for the protection of data.
Considering the complexity of these measures, it’s best to include them in a separate annex to the contract (see: Annex 1).
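The first measure Article 32 names is pseudonymisation. As an added illustration (not code from this post or from Piwik PRO, and not a scheme GDPR prescribes), the following Python shows one way a processor might pseudonymise an analytics event: the visitor identifier is replaced by a keyed HMAC, so that the mapping back to the original identifier depends on a key kept separately from the events (the “additional information” of Article 4(5)), the IP address is truncated, and a field the processing purpose does not need is dropped. The function names, the field names and the sample event are assumptions made for this example.

```python
import hashlib
import hmac
import ipaddress
import secrets

# The helper names below are hypothetical, chosen for this example.


def derive_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed one-way pseudonym (HMAC-SHA256).

    Without `key` the pseudonym cannot be linked back to the identifier;
    rotating the key also breaks linkability between old and new data.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def mask_ip(ip: str) -> str:
    """Drop host bits: keep a /24 for IPv4 and a /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Return a copy of `record` with identifiers pseudonymised.

    - visitor_id is replaced by its keyed pseudonym
    - ip is truncated with mask_ip
    - email is removed because the analytics purpose does not need it
    Other fields are copied through unchanged.
    """
    out = dict(record)
    out["visitor_id"] = derive_pseudonym(record["visitor_id"], key)
    out["ip"] = mask_ip(record["ip"])
    out.pop("email", None)
    return out


if __name__ == "__main__":
    # Constructed sample event; not real visitor data.
    event = {
        "visitor_id": "c0ffee-1234",
        "ip": "203.0.113.77",
        "email": "alice@example.com",
        "page": "/pricing",
    }
    # The key is generated and held by the controller, never stored with the events.
    key = secrets.token_bytes(32)
    print(pseudonymise_record(event, key))
```

The point for the DPA is the separation of duties the code makes explicit: whoever holds the events but not the key sees only pseudonyms and truncated IPs, which is what the annex should describe when it claims this measure.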
5) Sub-contractual relationships
This section sheds some more light on the relationship between the primary data processor and sub-processors (parties that process data on behalf of the processor). Here’s what to include in this part of the agreement:
- The data processor must obtain your prior written authorization before involving a sub-processor (Article 28(2)). The authorization may be specific or general; under a general authorization the processor must inform you of any intended addition or replacement so that you can object.
- The contract between the processor and sub-processor must impose the same data protection obligations as the DPA (Article 28(4)), so that the level of protection is not lowered down the chain.
- The data processor remains fully liable to you for the sub-processor’s performance (Article 28(4)). The DPA should therefore oblige the processor to verify sub-processors’ compliance on a regular basis (for instance, at least once every 12 months) and give you the right to see the results.
Also, for the sake of clarity, it’s good to list the sub-processors in a separate annex to the contract (see the section “Annex 2”).
6) Final clauses
This is a standard part of every contract. Mention here that:
- Any changes to the contract must be accepted by both parties
- In matters of data protection, the DPA prevails over all other agreements between the data processor and data controller
This will leave no room for misinterpretation in case the provisions of other agreements conflict with the requirements of the DPA.
A DPA wouldn’t be complete without annexes that elaborate the contractual arrangements. Here’s what you should include in them:
Annex 1 – Technical and organizational measures
This annex complements the points of a DPA concerning technical and organizational measures. Here the data processor should demonstrate their “ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services” and establish “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”. Both quotes are excerpts from Article 32 of GDPR.
Confidentiality & integrity
Below is a list of areas crucial for compliance with GDPR. Among other things, the processor should describe:
- The structure of the data center where they plan to store personal data
- Information security control protocols
- Physical access to the office and applied security measures
- Remote access to the office network and to the systems that process the data
- Access control for applications (software)
In this part of the contract, the data processor should prove that personal data can’t be read, copied, altered or removed by any unauthorized party during data transfers.
Availability & resilience
In this section of the annex, the processor should present their backup policies and measures used to ensure data redundancy, recoverability and high availability.
Procedures of periodic review
Here, the data processor should detail a framework for periodic evaluation of technical and organizational measures from the previous parts of the annex.
Annex 2 – List of sub-processors
Nothing difficult here – this list should name every sub-processor, the address of its headquarters, the processing it performs on your behalf and the location where it processes the data, so that the transfer clause of the DPA can be checked against it.
Data processing agreement (DPA) under GDPR: A summary
We hope that this blog post gives you a decent idea of what a data processing agreement should look like. But we know this is a complex issue, and you might still have some unanswered questions. If so, be sure to check out some additional sources of information about drafting a DPA, including this extremely informative guide by the UK Information Commissioner’s Office.