Data Processing Agreement (DPA) template
Looking for a better way to create reliable Data Processing Agreements for your business? Generate Data Processing Agreements (DPAs) more efficiently with this free template.
Looking for a better way to create reliable Data Processing Agreements for your business? Generate Data Processing Agreements (DPAs) more efficiently with this free template.
Personal data is extremely valuable, and it needs to be protected appropriately by all parties it falls into the hands of. Data Processing Agreements are an effective way to achieve this. But what actually is a DPA, and what does a good Data Processing Agreement template include? Let’s find out.
A Data Processing Agreement (DPA) is a binding agreement between data controllers and data processors that establishes which actions each party must take to protect individuals’ personal data.
Put simply, it is a contract that seeks to regulate the relationship between a data controller and the party they employ to process data on their behalf. It does this by explaining:
Let’s explore this relationship in a little more detail now.
There are two main parties to a Data Processing Agreement: data controllers and data processors.
Let’s cut the jargon for a second. Who actually are data controllers and data processors, and what are their typical obligations under a DPA?
A ‘data controller’ is usually a company that needs to collect and process individuals’ data but doesn’t have the resources to do so alone.
While they may outsource this data processing to a third party (the data processor), data controllers retain control over how this processing happens, and they are ultimately responsible for the processing overall.
Data controllers are usually companies, but they can also be any other legal entity that makes decisions about data processing, including sole traders, freelancers, or public authorities.
Meanwhile, data processors are third parties that data controllers ask to process this data for them. Although data processors are tasked with processing individuals’ personal data, they must do so according to the data controller’s requests.
The data processor is typically a specialist service provider that has the resources and knowledge to process data, and the data controllers pay them to do so.
To summarize: the data processor is an individual or company that processes the data on behalf of the controller and under their specific instructions.
A Data Processing Agreement is required whenever your business outsources data processing tasks to a third party. Ultimately, if you’re collecting data from your consumers and passing this on to a third party or specialist to process for you, you need to create a Data Processing Agreement.
This is the rule under the GDPR, which governs countries within the EU. However, it’s important to note that all companies, including those based outside the EU, must comply with these rules if they offer goods or services to EU residents, or collect their personal data.
But Data Processing Agreements aren’t exclusively required under EU law. Various jurisdictions have data protection laws that also require the use of a Data Processing Agreement, for example:
So far we’ve discussed what a Data Processing Agreement is, who uses them and when they’re necessary. But what actually needs to be covered inside one?
Like most standardized contracts, most DPAs include similar clauses:
We’re going to explore these core clauses in a bit more detail now.
Like most business contracts, a Data Processing Agreement template should briefly define any legalese contained within the contract. This helps to ensure that all of the contracting parties understand clearly what is expected of them before they enter into the agreement and become legally bound by it.
This section of a Data Processing Agreement template will typically include definitions of what data controllers and data processors are, as well as explanations of other complex and technical terms.
Be warned: there tend to be a lot of these!
Data Processing Agreement templates should also clearly outline the scope of the agreement.
This typically involves clarifying which activities are involved in data processing, how long the processing will happen for, and which types of personal data are being collected.
This aspect of the DPA template should also cover what the purpose of this data processing actually is, who the data subjects are, and which party is responsible for ensuring compliance with the relevant legislation.
"It’s a common misconception that privacy and compliance sit with the legal team. In truth, everyone is responsible" - Karima Noren, Co-founder, The Privacy Compliance Hub
Since data processors will be responsible for handling and processing individuals’ personal data, there will inevitably need to be some rules about confidentiality in place.
For example, a typical DPA template will state that access to individuals’ personal data must be restricted to members of their processing team only, and that this access should be limited to what is strictly necessary in order to achieve the purpose of the contract.
It will also describe how those that do have access to personal data for processing purposes are legally required to keep this information confidential. Businesses can also use confidentiality agreements, or employee confidentiality agreements to achieve this.
Next, the Data Processing Agreement must establish the specific responsibilities of the data controller. It’s typical for these obligations to include providing instructions to the data processor, as well as assuming responsibility for both parties’ compliance with data protection laws. However, this section of a DPA may also list more specific duties, too.
Either way, all of these contractual obligations must be described clearly to ensure that all parties are fully aware of who is responsible and liable for what.
Importantly, it isn’t only the data controller that has responsibilities under the DPA. The data processor will also need to fulfil certain obligations, and these are also listed within a Data Processing Agreement.
For example, according to Article 28(3)(a) of the GDPR, a Data Processing Agreement template must emphasize that the data processor is only allowed to process personal data in the ways instructed by the data controller. Similarly, the data processor will also be responsible for implementing any appropriate technical and organizational measures that ensure the security of the data.
This section of the DPA will also outline what the data processor is prohibited from doing, like making copies of the data without the knowledge and approval of the data controller - among some other stuff!
Importantly, a Data Processing Agreement should also include a clause about the data subject’s rights. After all, it is their data that’s being handled in the first place.
This section of the GDPR Data Processing Agreement template will often refer to the rights that data subjects are entitled to under the GDPR, including the right to rectify, delete or complete their personal data records.
If the DPA doesn’t outline these rights individually, it will likely refer to the section of the GDPR that does. These rights are also similar to those detailed within a privacy policy. However, by reciting them within the DPA, you can ensure that third-party data processors are also aware of these rights and how to respect them.
In the event that a data processor decides to employ someone else to help with the processing (also known as a sub-processor), the Data Processing Agreement template will need to establish the rules that regulate this relationship, too.
For example, the template for a Data Processing Agreement might state that the data processor can’t engage another data processor (a sub-processor) without first receiving permission from the data controller.
It could also explain that a separate contract needs to be created if the data processor does decide to hire a sub-processor, and that the data processor is liable to the controller if the sub-processor fails to comply with the data protection rules.
It sounds a bit confusing at first, but fear not. Article 28(3)(d) of the GDPR describes exactly what this section of a DPA template should cover in more detail.
In order to protect the interests of the data subjects, a Data Processing Agreement template should also establish the processes for both data retention and deletion.
It should explain how long data is to be retained for, how it is to be stored, and when it will need to be deleted, for example. This is important information since the consumer can request that their personal data is deleted at any time, and data controllers and processors are both expected to respond promptly to this request.
"Thinking of privacy from the outset and incorporating it every aspect of the business will prevent mistakes that cause data breaches" - Karima Noren, Co-founder, The Privacy Compliance Hub
Lastly, the Data Processing Agreements need to describe which security measures are in place to protect individuals’ personal data. This section of the contract will establish which specific actions the data processor must take to ensure the security of individuals’ data.
Data controllers are expected to have various safeguards in place to protect the data from unauthorized use and data breaches. These safeguards often involve technical measures. But don’t worry, we won’t lecture you about these here since most are described within our free Data Processing Agreement template anyway!
As we’ve just discussed, a lot of information goes into a Data Processing Agreement. Fortunately, a lot of the clauses that need to be included when drafting a contract between data controllers and processors are already outlined in data protection legislation.
This, in theory, makes the authoring process easier. At least, that’s the intention, anyway.
But writing a Data Processing Agreement from scratch still won’t be simple. You’ll inevitably face many of the same barriers you’d expect when drafting other commercial contracts manually.
Drafting contracts from scratch is incredibly time-consuming since it often involves a repetitive process of copying and pasting different sections from static templates, making edits, and reviewing these. The more time in-house legal teams dedicate to drafting DPAs, the less time they have for higher-value work.
Without a robust Data Processing Agreement template in place, or a contract automation tool to generate DPAs, creating them can be a big distraction for lean legal teams, and a significant drain on resources.
For businesses that work with data processors and controllers frequently, drafting DPAs one by one simply isn’t scalable. For standard contracts like Data Processing Agreements, it’s much more efficient to vary the terms within a contract template, which can be done with ease using a tool that offers conditional logic.
"The last thing you want is for legal to block expansion, so be proactive about the privacy landscape you’ll face tomorrow - not just today" - Julie Ngov, Head of Legal, Clearscore
Since DPAs regulate the processing and management of individuals’ personal data, there’s a lot at stake if these contracts go wrong. That’s why lawyers want to retain oversight of these agreements.
The problem is, this is notoriously difficult to do when contracts are created in tools like Microsoft Word and there are multiple versions floating around. How can legal know which version of a DPA is the most recent version? How can they monitor which terms are being included when there’s no template or rules in place?
It’s every lawyer’s worst nightmare.
Fortunately, manual contract processes are slowly being replaced by more efficient ones. Rather than creating patchwork contracts using copy and paste, the businesses of today can automate Data Processing Agreements using contract templates that have been pre-approved by legal.
“How?” you ask. Well, Juro’s AI-enabled contract management software enables business users to initiate simple contracts from templates pre-defined by legal users and populate these within seconds.
Not only that, but Juro users can also negotiate, sign, store and search through contracts within the platform, meaning you’ll never have to look high and low to find an old DPA again.
Juro’s AI contract collaboration platform enables your team to create, execute and manage contracts 10x faster than traditional tools. With Juro, you can:
To find out more about how Juro can speed up the process of creating, signing and managing contracts, book a personalized demo of the platform today.
If you’re ready to get started with generating your DPAs, hit the button at the top to try our template in Juro or download the PDF version today. To find out more about what Juro can do for your business, fill in the form below.
Although there is no legal requirement for data controllers and data processors to create a separate legal agreement, it’s certainly a good idea. After all, Data Processing Agreements are complex contracts, and the contents can’t fit easily within an ordinary business contract between the parties.
A data processing agreement is a legally binding contract between the data controller and data processor that outlines their obligations to one another and the data subject.
You are legally required to have a Data Processing Agreement in place if you rely on a third party to process individuals’ personal data on your behalf. This is the law under the GDPR, but other jurisdictions have similar rules.
The main difference between a Data Processing Agreement (DPA) and a Data Sharing Agreement (DSA) is that a DPA applies in the context of processing data, but a DSA is used when organisations share consumers’ personal data between them.
This means that DPAs are used to regulate the sharing and processing of data between a controller and a processor. Meanwhile, a DSA is used to regulate the sharing of data between two controllers instead.
Juro is the #1-rated contract platform globally for speed of implementation.
Modern businesses use Juro to automate contracts from drafting to signature and beyond, in one intuitive platform that every team can use. Want to see how?
Sign me up