Articles

What is a Data Processing Agreement (DPA) Playbook

Data Protection Agreement

What is a Data Processing Agreement (DPA)?

A DPA is a contract between a controller and a processor that explains
what personal data is processed, why, and how. It follows GDPR rules in
Articles 28–36 and sets out everyone’s responsibilities, including any sub-processors.

Who signs: the controller and the processor.
Format: can be signed on paper or electronically.
What it covers: purpose and scope of processing, instructions, security, roles, and oversight.
Legal basis: GDPR Articles 28–36.
Sub-processors: included where used, with the same obligations flowing down.

Not a “sign and forget” document: Per EDPB Opinion 22/2024, controllers should
keep monitoring that processors (and sub-processors) actually follow Article 28(3).
The DPA is essential, but ongoing oversight is needed to stay GDPR-compliant.

Key Roles and Concepts

The controller refers to the person that determines the purpose for which and the means by which personal data is processed.
The processor refers to processes personal data only on the behalf of the controller.
The sub-processor is a further-level processor that is involved with the processor in accordance with the consent of the controller to part-take in the processing.
Joint-controllers are two or more controllers that jointly determine purposes and means. The usual contract between joint-controllers is not the DPA but a Joint Controller Agreement (JCA).

Elements of a DPA (Short & Easy)

Written and executed by both parties.
Processor acts only on the controller’s documented instructions (including international transfers), unless EU or Member State law requires otherwise.
Conflicts are resolved in ways that protect the data subject.
Instructions are written and reproducible (e.g., email) and retained as records.
The controller retains overall control of personal data.
States purpose, duration (start/end), and termination conditions.
Explains context (e.g., marketing analysis) and intended outcomes (e.g., improve services, meet legal duties).
Specifies whose data is processed (e.g., employees) and by whom.
Lists data types (e.g., names, addresses) and notes sensitivity.
Requires confidentiality commitments from anyone processing the data (unless already bound by statute).
Sets out the controller’s and processor’s obligations and responsibilities.
Requires appropriate technical and organisational measures, including:
- encryption and pseudonymisation;
- confidentiality, integrity, availability, and resilience;
- restoration of access after incidents;
- regular testing and assessment of measures.
No sub-processor without prior specific or general written authorisation.
With general authorisation, the processor must notify intended changes and allow objections.
Flow down the same obligations to sub-processors by contract; processor remains liable.
Processor assists the controller to:
- keep data secure;
- notify the supervisory authority about personal data breaches;
- carry out DPIAs when required;
- consult the supervisory authority where high risk remains.
Provide information demonstrating Article 28 compliance; allow audits/inspections by the controller or appointed auditor.
Keep processing records (Article 30), where applicable.
Detail cross-border transfers and how they comply; if no adequacy, include TIAs plus SCCs and any supplementary safeguards.
Define retention and specify how data is erased or returned; delete existing copies unless the law requires storage.
Post-contract protection and confidentiality remain binding.

A useful tip that will save your time

The same details are described in the records of processing activities. We recommend first creating your records of processing activities and then filtering activities related to the processor or controller you are signing the data processing agreement with.
In GDPR Register, activities and data processing agreements are interconnected. So you will easily find such information and integrate it into your agreement.
Learn more about GDPR Register.

Why is a DPA Necessary?

Legal compliance of all involved parties is the primary reason for DPAs. As a central pillar of operating business is processing personal data and exchanging it with other businesses, it is necessary for businesses to construct a lawful DPA with the party they exchange personal information with in order to avoid injustice and conflict of interest in the future.

GDPR doesn’t have legal restrictions on the form of the DPA, however, exceptionally in situations where the processor is located outside the EU and international data transfer happens, there are some specific requirements to the format of documentation, such as standard contractual clauses (SCC), binding corporate rules (BCR), etc. It is advised to have a DPA as a separate document for clarity and security.

Furthermore, a key benefit of DPA is risk minimisation referring to how your organisations can minimise the impact of data breaches or unauthorised access by having clear definitions of controller and processor roles. Additionally a DPA demonstrates how your organisation protects the rights of individuals hence having a strong emphasis on individual rights protection.

Similarly, building stakeholder trust is very crucial for data protection. DPAs aim to build this trust through transparency by including adequate security measures and data processing protocols. Moreover, with a comprehensive DPA, parties involved may enhance collaboration which strengthens efficient data processing. In general, DPAs can help support your long-term business relationships.

Additionally, according to Articles 28 through 36 of the GDPR, on an individual basis, if you exchange personal data with other parties, you should have a DPA in place.

Controller’s Role in DPA

Establish a lawful data process and observe the rights of data subjects.
Carefully define how data processing will take place and under what conditions.
Ensure to have a DPA with our processors.
Ensure to continuously verify processor’s compliance with the DPA and the GDPR.
Inform the supervisory authorities within 72 hours of a data breach as stated under Article 33 of GDPR.

Processor’s Role in DPA

Handle the data exclusively in the manner demanded by the controller.
Place adequate information security.
Don’t use sub-processors without the knowledge and consent of the controller.
Cooperate with the authorities in the event of an inquiry.
Report data breaches to the controller as soon as we face them.
Give the data controller the opportunity to carry out audits examining their GDPR compliance.
Help the controller to comply with data subjects’ rights.
Notify the controller on any occurring data breaches without undue delay within 24–48 hours, so that the controller can fulfill its obligation under Article 33 of GDPR to inform the supervisory authorities of data breaches within the respectful 72 hours.
Delete or return all personal data at the end of the contract at the choice of the controller.
Inform the controller if the processing instructions infringe GDPR.

Sub-processor’s Role in DPA

Perform data processing on behalf of the processor.
Have a DPA with any processor that requires our involvement in the processing of data.
Engage with the processor until the processor has obtained prior consent from the controller.

Joint Controller’s Role in DPA

According to Article 26 of the GDPR, joint controllers are two or more controllers jointly determining the purposes and means of processing. Regardless of those arrangements, each controller remains responsible for complying with all the obligations of controllers under the GDPR.

Possess a transparent arrangement that sets out roles you have agreed upon and responsibilities.
Preferably, according to the European Data Protection Board (EDPB) recommends in its guidance to obtain a binding document such as a Joint Controller Agreement or other binding act under EU or Member State law to which the controllers are subject.
Include the requirement of making the Joint Controller Agreement available to data subjects your privacy policy, for increased transparency and accountability.

The Joint Controller Agreement must provide certainty and could be used to evidence transparency and accountability. Indeed, in case of non-compliance with the agreed allocation provided in the arrangement, its binding nature allows one controller to seek the liability of the other for what was stated in the Joint Controller Agreement as falling under its responsibility. The essence of such agreements should be made available to data subjects.

What EU Regulations Require DPAs?

Various EU regulations refer to data protection and DPAs. The following regulations refer to the obligation of signing DPAs or equivalent contracts, or otherwise are involved in data handling:

Law Enforcement Directive (EU) 2016/680 (LED)
European Data Protection Board (EDPB) guidance
Standard Contractual Clauses (SCCs)
EU Data Governance Act (EU) 2022/868
EU Data Act (Regulation (EU) 2023/2854)
Digital Services Act (DSA)
Digital Markets Act (DMA)

What Other Regulations Require DPAs?

Similarly, different countries have adopted the requirement of signing DPAs just like EU’s GDPR:

Brazil LGPD
Dubai PDPA
EU GDPR
South Africa POPIA
Thailand PDPA
UK GDPR
US California CCPA/CPRA
US Colorado CPA
US Connecticut DPA
US Virginia CDPA

International Transfers of Personal Data

For international trade and international cooperation, personal data must flow into and out of the European Union. A Third Country is any country outside the European Economic Area (the “EEA”), but the transfer of such personal data from the EU to controllers and processors located outside the EU should not reduce the level of protection of the individuals concerned. The General Data Protections Regulation Chapter V should therefore be strictly followed when transferring data to third countries or international organisations.

There are different basis for transfer available and they influence how the Data Processing Agreement is formulated.

Transfer Based on Adequacy Decision Covered by GDPR Article 45

The existence of an “adequacy decision” should be taken into account before transferring personal data to a third country. An adequacy decision means that the European Commission has determined that a third country or an international organization provides an adequate level of data protection.

The European Commission considers factors like laws, adherence to human rights and freedoms, national security, data protection authority, and legally binding agreements the country has made regarding data protection when determining whether the level of protection is adequate.

List of Countries that Provide Adequate Level of Personal Data Protection:

Andorra
Argentina
Canada (only for commercial organisations)
Faroe Islands
Guernsey
Israel
Isle of Man
Japan
Jersey
New Zealand
Republic of Korea (South Korea)
Switzerland
United Kingdom
Uruguay
United States (only for organisations participating in the EU-US Data Privacy Framework)

For those countries there is no requirement of providing additional safeguards and standard Data Processing Agreement can be used.

Transfers Subject to Appropriate Safeguards (GDPR Article 46)

If the country where the personal data is transferred does not have the Adequacy Decision, the data can still be transferred if the controller or processor has implemented appropriate safeguards. Such protections could be:

Standard Contractual Clauses (SCC)

The European Commission has approved these sample data protection clauses, which when incorporated into a Data Processing Agreement allow for the free flow of personal data. The SCCs include rights for the people whose personal data is transferred as well as contractual obligations for the Data Exporter and Data Importer. These rights are directly enforceable by individuals against the Data Importer and Data Exporter. Between a controller and another controller, there are two sets of standard contractual clauses for restricted transfers, and between a controller and a processor, there is only one set.

The European Commission has made updated Standard Contractual Clauses available on 4th of June 2021. Therefore, from December 2022, all organizations must use the 2021 SCCs for already existing and new transfers. Nevertheless, DPAs are expected to emphasise the necessity of TIAs, and where necessary supplementary safeguards in addition to SCCs in order to ensure compliance with GDPR, EDPB guidelines, and Schrems II judgement.

Binding Corporate Rules (BCR)

Binding Corporate Rules are internal codes of conduct that operate within a multinational group of companies and are legally binding. They are applicable to the transfers of personal data from the group’s EEA entities to its non-EEA entities. This group could be a corporation or a collection of businesses that are involved in a joint economic activity, like joint ventures or franchises. BCRs are legally binding data protection rules that have been authorised by the relevant Data Protection Authority.

Two different BCR types may be approved: BCR for Controllers, which group entities use to transfer data under their control, like employee or supplier information, and BCR for Processors, which are used by organizations that act as processors for other controllers and are typically added as an addendum to the Service Agreement or Data Processing Agreement. Additional guidelines for the use of BCRs as a suitable safeguard for personal data transfers are provided in GDPR Article 47.

Approved Codes of Conduct

The GDPR’s Article 40 (3) introduced the use of Codes of Conduct as a transfer mechanism in certain situations. Codes, which are optional, specify specific data protection guidelines for various controller and processor categories. They can be a useful and effective accountability tool, providing a thorough explanation of the most appropriate, ethical, and legal behavior within a sector.

Therefore, from the perspective of data protection, codes can serve as a guide for controllers and processors who create and carry out GDPR-compliant data processing activities that give practical meaning to the data protection principles outlined in European and national law.

Codes of Conduct that are applicable to the processing of personal data by controllers and processors in more than one EU Member State and for which the EU Commission has adopted an implementing act, along with legally-binding agreements made by the controller or processor in the third country, may be used as a transfer tool.

Approved Certification Mechanisms

The Article 42(2) of the GDPR states that certification mechanisms may be created to show the existence of suitable safeguards provided by controllers and processors in third countries. Additionally, these controllers and processors would agree to adhere to the safeguards, which would include provisions for data subject rights.

Legally binding and enforceable instruments with public authorities or international organisations

According to Article 46 (2)(a) of GDPR, a restricted transfer may be made by an organisation if it is one public authority or body transferring to another public authority or body. This agreement or other document must contain enforceable rights and practical resources for the people whose personal data is transferred. This is not a suitable safeguard if either the receiving organisation or the sending organisation is a private entity or an individual. A public authority or body may consider an administrative arrangement that includes enforceable and effective individual rights as an alternative if it lacks the authority to enter into legally binding and enforceable agreements (Article 46 (3)(b) of GDPR).

Derogations for specific situations (Article 49 of GDPR)

Derogations under Article 49 are exceptions to the general rule that states that personal data may only be transferred to a third country if that country offers an adequate level of protection. Before using the derogations allowed by Article 49 (1), a Data Exporter should first try to frame transfers with one of the mechanisms guaranteeing adequate safeguards listed above. These exemptions or derogations permit transfers in certain circumstances, such as those based on consent, for the performance of a contract, for the assertion of legal claims, to safeguard the data subject’s vital interests when they are unable to give consent, or for significant public interest considerations. Additionally, the EDPB emphasises that these derogations can be used for systematic or large-scale transfers, hence they are strictly exceptional and considered in case-specific situations.

Other requirements

If required by GDPR, the data processor shall appoint a Data Protection Officer and both parties must agree on a periodic review of the terms of the DPA. Regulators advise DPAs to be continuously updated according to changes in processing activities, sub-processors and legal obligations.

Additional Information

There are various publicly available DPA templates on our website that can be used. However, ensure to responsibly only use the templates as a baseline for your DPA and customize according to your specific data flows, jurisdictions, risks and technologies.

References

Tags: