Data Processing Agreement (DPA) template
Looking for a better way to create reliable Data Processing Agreements for your business? Generate Data Processing Agreements (DPAs) more efficiently with this free template.
Personal data is extremely valuable, and it needs to be protected appropriately by all parties it falls into the hands of. Data Processing Agreements are an effective way to achieve this. But what actually is a DPA, and what does a good Data Processing Agreement template include? Let’s find out.
What is a Data Processing Agreement (DPA)?
A Data Processing Agreement (DPA) is a binding agreement between data controllers and data processors that establishes which actions each party must take to protect individuals’ personal data.
Put simply, it is a contract that seeks to regulate the relationship between a data controller and the party they employ to process data on their behalf. It does this by explaining:
- What their responsibilities are
- Which processes should be used
- How to ensure compliance
- How to process and store data in a secure way
Let’s explore this relationship in a little more detail now.
Who are the parties in a Data Processing Agreement?
There are two main parties to a Data Processing Agreement: data controllers and data processors.
Let’s cut the jargon for a second. Who actually are data controllers and data processors, and what are their typical obligations under a DPA?
1. Data controllers
A ‘data controller’ is usually a company that needs to collect and process individuals’ data but doesn’t have the resources to do so alone.
While they may outsource this data processing to a third party (the data processor), data controllers retain control over how this processing happens, and they are ultimately responsible for the processing overall.
Data controllers are usually companies, but they can also be any other legal entity that makes decisions about data processing, including sole traders, freelancers, or public authorities.
2. Data processors
Meanwhile, data processors are third parties that data controllers ask to process this data for them. Although data processors are tasked with processing individuals’ personal data, they must do so according to the data controller’s requests.
The data processor is typically a specialist service provider that has the resources and knowledge to process data, and the data controllers pay them to do so.
To summarize: the data processor is an individual or company that processes the data on behalf of the controller and under their specific instructions.
When is a Data Processing Agreement required?
A Data Processing Agreement is required whenever your business outsources data processing tasks to a third party. Ultimately, if you’re collecting data from your consumers and passing this on to a third party or specialist to process for you, you need to create a Data Processing Agreement.
This is the rule under the GDPR, which governs countries within the EU. However, it’s important to note that all companies, including those based outside the EU, must comply with these rules if they offer goods or services to EU residents, or collect their personal data.
But Data Processing Agreements aren’t exclusively required under EU law. Various jurisdictions have data protection laws that also require the use of a Data Processing Agreement, for example:
What should a Data Processing Agreement template include?
So far we’ve discussed what a Data Processing Agreement is, who uses them and when they’re necessary. But what actually needs to be covered inside one?
Like most standardized contracts, most DPAs include similar clauses:
- The scope of the agreement
- Rules on confidentiality
- Responsibilities of the data controller
- Responsibilities of the data processor
- Rights of the data subject
- Rules on sub-processing
- Data retention and deletion processes
- Security measures
We’re going to explore these core clauses in a bit more detail now.
Like most business contracts, a Data Processing Agreement template should briefly define any legalese contained within the contract. This helps to ensure that all of the contracting parties understand clearly what is expected of them before they enter into the agreement and become legally bound by it.
This section of a Data Processing Agreement template will typically include definitions of what data controllers and data processors are, as well as explanations of other complex and technical terms.
Be warned: there tend to be a lot of these!
2. The scope of the agreement
Data Processing Agreement templates should also clearly outline the scope of the agreement.
This typically involves clarifying which activities are involved in data processing, how long the processing will happen for, and which types of personal data are being collected.
This aspect of the DPA template should also cover what the purpose of this data processing actually is, who the data subjects are, and which party is responsible for ensuring compliance with the relevant legislation.
3. Rules on confidentiality
Since data processors will be responsible for handling and processing individuals’ personal data, there will inevitably need to be some rules about confidentiality in place.
For example, a typical DPA template will state that access to individuals’ personal data must be restricted to members of their processing team only, and that this access should be limited to what is strictly necessary in order to achieve the purpose of the contract.
It will also describe how those that do have access to personal data for processing purposes are legally required to keep this information confidential.
4. Responsibilities of the data controller
Next, the Data Processing Agreement must establish the specific responsibilities of the data controller. It’s typical for these obligations to include providing instructions to the data processor, as well as assuming responsibility for both parties’ compliance with data protection laws. However, this section of a DPA may also list more specific duties, too.
Either way, all of these contractual obligations must be described clearly to ensure that all parties are fully aware of who is responsible and liable for what.
5. Responsibilities of the data processor
Importantly, it isn’t only the data controller that has responsibilities under the DPA. The data processor will also need to fulfil certain obligations, and these are also listed within a Data Processing Agreement.
For example, according to Article 28(3)(a) of the GDPR, a Data Processing Agreement template must emphasize that the data processor is only allowed to process personal data in the ways instructed by the data controller. Similarly, the data processor will also be responsible for implementing any appropriate technical and organizational measures that ensure the security of the data.
This section of the DPA will also outline what the data processor is prohibited from doing, like making copies of the data without the knowledge and approval of the data controller - among some other stuff!
6. Rights of the data subject
Importantly, a Data Processing Agreement should also include a clause about the data subject’s rights. After all, it is their data that’s being handled in the first place.
This section of the GDPR Data Processing Agreement template will often refer to the rights that data subjects are entitled to under the GDPR, including the right to rectify, delete or complete their personal data records.
7. Rules on sub-processing
In the event that a data processor decides to employ someone else to help with the processing (also known as a sub-processor), the Data Processing Agreement template will need to establish the rules that regulate this relationship, too.
For example, the template for a Data Processing Agreement might state that the data processor can’t engage another data processor (a sub-processor) without first receiving permission from the data controller.
It could also explain that a separate contract needs to be created if the data processor does decide to hire a sub-processor, and that the data processor is liable to the controller if the sub-processor fails to comply with the data protection rules.
It sounds a bit confusing at first, but fear not. Article 28(3)(d) of the GDPR describes exactly what this section of a DPA template should cover in more detail.
8. Data retention and deletion processes
In order to protect the interests of the data subjects, a Data Processing Agreement template should also establish the processes for both data retention and deletion.
It should explain how long data is to be retained for, how it is to be stored, and when it will need to be deleted, for example. This is important information since the consumer can request that their personal data is deleted at any time, and data controllers and processors are both expected to respond promptly to this request.
9. Security measures
Lastly, the Data Processing Agreements need to describe which security measures are in place to protect individuals’ personal data. This section of the contract will establish which specific actions the data processor must take to ensure the security of individuals’ data.
Data controllers are expected to have various safeguards in place to protect the data from unauthorized use and data breaches. These safeguards often involve technical measures. But don’t worry, we won’t lecture you about these here since most are described within our free Data Processing Agreement template anyway!
How do you write a Data Processing Agreement?
As we’ve just discussed, a lot of information goes into a Data Processing Agreement. Fortunately, a lot of the clauses that need to be included when drafting a contract between data controllers and processors are already outlined in data protection legislation.
This, in theory, makes the authoring process easier. At least, that’s the intention, anyway.
But writing a Data Processing Agreement from scratch still won’t be simple. You’ll inevitably face many of the same barriers you’d expect when drafting other commercial contracts manually.
1. Lack of time
Drafting contracts from scratch is incredibly time-consuming since it often involves a repetitive process of copying and pasting different sections from static templates, making edits, and reviewing these. The more time in-house legal teams dedicate to drafting DPAs, the less time they have for higher-value work.
Without a robust Data Processing Agreement template in place, or a contract automation tool to generate DPAs, creating them can be a big distraction for lean legal teams, and a significant drain on resources.
2. Unscalable process
For businesses that work with data processors and controllers frequently, drafting DPAs one by one simply isn’t scalable. For standard contracts like Data Processing Agreements, it’s much more efficient to vary the terms within a contract template, which can be done with ease using a tool that offers conditional logic.
3. Loss of control
Since DPAs regulate the processing and management of individuals’ personal data, there’s a lot at stake if these contracts go wrong. That’s why lawyers want to retain oversight of these agreements.
The problem is, this is notoriously difficult to do when contracts are created in tools like Microsoft Word and there are multiple versions floating around. How can legal know which version of a DPA is the most recent version? How can they monitor which terms are being included when there’s no template or rules in place?
It’s every lawyer’s worst nightmare.
Is there a better way to create a Data Processing Agreement?
Fortunately, manual contract processes are slowly being replaced by more efficient ones. Rather than creating patchwork contracts using copy and paste, the businesses of today can automate Data Processing Agreements using contract templates that have been pre-approved by legal.
“How?” you ask. Well, Juro’s all-in-one contract automation software enables business users to initiate simple contracts from templates pre-defined by legal users and populate these within seconds.
To make it even easier to generate DPAs, we’ve even created a free DPA template for you to use.
Try our free Data Processing Agreement template
If you’re ready to get started with generating your DPAs, hit the button at the top to try our template in Juro or download the PDF version today. To find out more about what Juro can do for your business, fill in the form below.
Frequently asked questions
Does a DPA need to be a separate legal document?
Although there is no legal requirement for data controllers and data processors to create a separate legal agreement, it’s certainly a good idea. After all, Data Processing Agreements are complex contracts, and the contents can’t fit easily within an ordinary business contract between the parties.
Is a Data Processing Agreement a contract?
A data processing agreement is a legally binding contract between the data controller and data processor that outlines their obligations to one another and the data subject.
Is a Data Processing Agreement a legal requirement?
You are legally required to have a Data Processing Agreement in place if you rely on a third party to process individuals’ personal data on your behalf. This is the law under the GDPR, but other jurisdictions have similar rules.
What is the difference between a Data Processing Agreement and a Data Sharing Agreement?
The main difference between a Data Processing Agreement (DPA) and a Data Sharing Agreement (DSA) is that a DPA applies in the context of processing data, but a DSA is used when organisations share consumers’ personal data between them.
This means that DPAs are used to regulate the sharing and processing of data between a controller and a processor. Meanwhile, a DSA is used to regulate the sharing of data between two controllers instead.