For many organizations today, collecting the personal data of the people who visit their websites, use their products, and subscribe to their subscription services is standard operating procedure. They use that data across a variety of functions — from targeting ads to improving the marketing experience of customers — all to increase global revenue.
But for some consumers, maintaining the privacy of that data has become a critical concern. So much so, in fact, that many nations and states have put in place data protection regulations to offer their citizens peace of mind. These regulations control how citizens’ data can be used and where. And it is up to the companies that collect and process that data to abide by the rules in place.
But what happens when companies employ outside organizations to process the data, which they have collected, and then put it to use? How do they ensure data protection regulations are upheld, avoiding hefty fines or the potential loss of customer trust?
A data processing agreement (DPA) — also known as a data protection agreement or data processing addendum — fills the gap, ensuring that everyone understands their obligations and the regulations that they must abide by. A data processing agreement must be considered by any organization that collects or processes such personal data from their users or consumers, before employing third-party entities to process it.
But what is a data processing agreement exactly?
What Is a DPA?
A data processing agreement is a legally binding contract made between two parties:
- A data controller: A company that collects the personal data of its consumers or users
- A data processor: A third-party service provider that processes that data
These terms may be different depending on the jurisdiction, and a DPA (or other similar contract) is typically required between a processor and any sub-processors that they employ.
In essence, data processing agreements provide reasonable assistance in regulating the use of personal data that is being shared between the two parties, making clear the obligations of both sides and defining how that data will be used. It is different from a data sharing agreement — which is a contract between two data controllers — or a privacy policy, which outlines how the controller itself processes personal data.
Employed to protect how data is collected, shared, translated, processed, or analyzed, a data processing agreement must comply with applicable laws, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Which relevant laws will be applicable to the DPA in question depends on the location of the data controller and the processor, as well as where data subjects (the consumers the data belongs to) reside and who is ultimately being targeted.
Why Do You Need a Data Processing Agreement?
Data processing agreements are becoming more and more prevalent as both data controllers and data processors look to protect their interests against a tide of privacy laws and assure consumers of ongoing confidentiality. They are also a general requirement under the General Data Protection Regulation in the European Union and the United Kingdom, as well as various data privacy laws and regulations, including California’s CPA, Virginia’s CDPA, Colorado’s CPA, and Connecticut’s DPA.
This type of agreement helps all parties maintain compliance with these international data protection regulations. But even in cases when no regulations apply, they are generally still considered good for business. They are meant to protect data privacy, ensure personal data remains confidential, and reduce the possibility of unauthorized access of user data. They also put in place accountability for data usage, clearly define the roles of each party, and ensure privacy is ultimately maintained.
For processors, data processing agreements outline obligations when it comes to cross-border data transfers; lay out what is expected in terms of data usage, security, and how sub-processors are used; and offer written instructions on what to do if a customer requests the deletion of data or the correction of inaccuracies.
The Risks of Not Having a DPA
Without a data processing agreement in place, data controllers open up the risk of fines. For instance, Yahoo! was fined £250,000 in the UK in 2018 for not having an agreement in place before sharing data with its US counterpart.
But fines are not the only concern. If third-party data providers misuse personal data, they open up potential liability for the controller that collected that data in the first place. Misuse of data can also cause damage to a company’s reputation and erode customer trust altogether.
Key Elements of a DPA
While virtually every business with a data processing agreement should take into consideration the unique needs, specific locations, and applicable laws of the signees in question, there are some key elements to consider, including the following:
General Information
A data processing agreement should include some standard general information, including the data processor and data controller, details on the ways in which personal data will be used, the type of data being processed, and the duration of the data processing agreement. It should also include termination terms and details where data will be stored.
Rights of Data Subjects
Data subjects are the individual users or customers to whom the personal data ultimately belongs. The data processing agreement should outline data subjects’ rights to access or delete their data or correct any inaccuracies, as well as the measures that will be followed in case that data is lost or unlawfully accessed.
Responsibilities of the Data Controller
The responsibilities of the data controller should be clearly laid out throughout the data processing agreement and meet any relevant data protection regulations. For instance, under GDPR, the data controller is the person in charge of processing data and maintaining data subjects’ rights. They must also provide instructions to the processor who is also responsible for processing data.
Responsibilities of the Data Processor
Data processors have their own set of responsibilities that should be laid out within the data processing agreement as well. To achieve GDPR compliance, for instance, processors must maintain information security, report personal data breaches, provide auditing opportunities, and delete or return data at the end of the legal contract. Processors must also cooperate in the case of an inquiry and carry out proper record-keeping for ongoing actions.
Liability and Indemnity
Finally, a DPA will outline the indemnity and liability of the data processor, data controller, and any other parties involved.
DPAs and Global Data Protection Laws
As we have seen already, data protection agreements play a large role in ensuring that companies — and the third-party businesses that they work with — abide by applicable data protection laws to ensure data protection. Data processing agreements offer legal certainty to data controllers that a third-party data processor will use personal data according to all applicable regulations, reducing liability and the risk of fines.
Some of the relevant laws — here and in other countries — that a data processing agreement should consider include:
EU GDPR
The EU General Data Protection Regulation (GDPR) is the data privacy and security law created and passed by the European Union (EU). It is applicable not only to companies within the EU, but also pertains to any business that collects data from or targets consumers within the EU.
The GDPR is focused on protecting personal data, and legally requires a data processing agreement between a controller and third-party processor. If applicable businesses do not have one, they risk paying hefty fines or other potential penalties.
UK GDPR
The United Kingdom has its own GDPR compliance, implemented under the Data Protection Act of 2018. It is almost identical to the EU GDPR but was enacted separately in anticipation of Brexit.
Like the EU GDPR, the UK GDPR requires a written contract between controllers and processors to outline the responsibilities and liabilities assumed by each. A contract between data processors and sub-processors is also required.
CCPA/CPRA
The California Consumer Privacy Act (CCPA) gives California consumers a range of privacy rights. That includes the right to know about personal information collected on them, and how a business uses and shares it. Consumers also have the right to delete personal information collected about them and to opt out of the sale or sharing of personal information.
The CCPA was amended in 2020 to include the California Privacy Rights Act (CPRA), which added the right for data subjects to correct any inaccurate information that a business has about them, and the right to limit the use and disclosure of sensitive personal information.
The CCPA requires that a contract be formed between controllers and data processors in certain circumstances, including when businesses sell or share personal data to a third-party organization, service provider, or contractor. This may be done in a formal data processing agreement through an addendum or as part of the underlying agreement.
VCDPA
The Virginia Consumer Data Protection Act (VCPDA) went into effect on January 1, 2023. It allows subjects to access their consumer data and/or request that it be deleted by the businesses that have it.
The VCDPA requires that a data processing agreement be in place when personal data is sold, when personal data is processed for targeted advertising, when personal data is processed for certain profiling processes, and when data processing activities may heighten the risk of harm to consumers.
CPA
The Colorado Privacy Act (CPA) is another state-specific law that allows customers to opt out of the processing of their customer data for targeted advertising, personal data sales, or profiling. It also gives consumers the right to know that controllers are processing their personal data; allows them to access, correct, or delete their personal data; and permits them to obtain a copy of their personal data.
The CPA requires a data processing agreement in most of the same circumstances as the VCDPA, but with some additional requirements. For instance, under the CPA, controllers can object to a processor’s use of sub-contractors. Parties are also required to implement appropriate technical and organisational measures, such as data security measures, to protect customer data.
CTDPA
The Connecticut Data Privacy Act (CTDPA) took effect on July 1, 2023. It gives consumers the right to access their personal data, correct inaccuracies, delete personal data that has been provided, obtain a portable copy of their personal data, or opt out of certain data processing activities. It also grants controllers 45 days to respond to individual consumer requests.
The CTDPA requires that a data controller conduct and document a data processing agreement for processing activities that heighten the risk of harm to the consumer. That includes the processing of data for targeted advertising, the sale of personal data, the processing of sensitive data, and the processing of personal data for profiling purposes.
Other Global Data Protection Laws
Other applicable data protection laws include Brazil’s general data protection regulation, Lei Geral de Proteção de Dados (LGPD); the United Arab Emirate’s Protection of Personal Data Protection (PDPL); Thailand’s Personal Data Protection Act (PDPA); and South Africa’s Protection of Personal Information Act (POPIA).
Real-World Examples of DPAs
Before preparing a data processing agreement, it may help to get a sense of how other businesses are approaching theirs. With that in mind, here are three examples that demonstrate what a data processing agreement looks like and how businesses implement them.
Hubspot
Like many Software-as-a-Service (SaaS) businesses, Hubspot manages large amounts of user data, collected when individuals interact with their website, use their product and services, and so on. They utilize that data to market their product but also act as a data processor for customers of their subscription service.
Hubspot uses a standard data processing agreement to stay compliant with data protection authorities around the globe. Their DPA outlines the responsibilities of Hubspot’s customers (the data controllers), its own obligations, and how a data subject’s request should be responded to in time. It also addresses sub-data processors, data transfers, and additional provisions that need to be made.
Have a look at Hubspot’s DPA here.
Adobe
Adobe outlines its data policies in its online privacy center and privacy policy page and posts a sample of their EU data processing agreement online. Adobe collects data through cookies and tracks the use of its services and software, transferring data to partners and subsidiaries across borders only as permitted by member state law — including to data processors.
The sample Adobe DPA outlines where, specifically, their data will be processed, the data security measures that will be put in place, and what is to happen if a personal data breach occurs. The responsibilities of the data controller, audit protocols, and expectations around sub-processors and international transfers are also included.
View Adobe’s sample EU DPA here.
LinkedIn uses personal data to personalize content, for research purposes, and to assist recruiters. Their data processing agreement outlines both LinkedIn’s and their customers’ obligations with respect to personal data — and a personal data breach — and protocols related to auditing, data transfers, and data return and deletion. It also includes sections dedicated to controller-to-controller scenarios and third-party data processors.
See LinkedIn’s DPA here.
How to Create a DPA
While there are templates you can draw from (including this one offered by the EU GDPR), both data controllers and data processors will need to make certain that their needs are being met whengenerating and negotiating a data processing agreement. And though there will likely be standard DPA language that you can use as a starting point, each relationship may need its own unique terms and conditions depending on where the location is, what type of data is being processed, how the data will be used, and so on.
With that in mind, here are some steps to follow in order to generate and manage a successful DPA:
Step 1: Identify the Signing Parties
Who is the data controller, and who is the data processor in this agreement?
Step 2: Determine the Purpose of the Agreement
What types of data will be processed, and what will that data be used for?
Step 3: Outline Roles and Responsibilities
What is each party responsible for? The obligations and legal responsibilities of both the data controller and the data processor should be outlined in full.
Step 4: Decide How Long the Agreement Will Last
What is the predetermined time frame of the data processing agreement, and what will happen to the data once that time is up?
Step 5: List the Terms of Ongoing Confidentiality
How will sensitive data be protected by each party during the time frame of the data processing agreement?
Step 6: Negotiate Additional Terms and Conditions
What other terms and conditions do you need to outline to meet the needs of applicable regulations or to fully define the relationship in question?
Step 7: Sign the DPA
Once the data processing agreement is written, it must be signed by both the data controller and the data processor in order to be legally binding.
Step 8: Stay Up to Date
Data processing agreements may also need to be modified or updated as time goes on to address any updates to data protection regulations, new regulations put into effect globally, or changes in the scope of the relationship between the data processor and data controller.
Conclusion
For organizations that collect personal information from their consumers or users — and for the third-party businesses that process that data — data processing agreements are a critical tool in today’s data environment. They provide a framework that ensures personal data is being respected and global data protection regulations are upheld. All with the aim of protecting businesses from fines and possible reputational damage, while offering their users and customers the peace of mind that their privacy is not being overlooked.
Putting an effective and comprehensive DPA in place, then, means understanding the protection regulations that apply and holding all parties accountable for abiding by them. It also means respecting consumers’ right to know how companies plan to handle data. In other words, it requires serving the role of a data protection officer.
With these right measures in place, consumers will feel more comfortable sharing their data, which makes it easier for organizations to do business while maintaining overall customer trust.
Understanding data processing agreements is just the beginning for a legal professional. To truly streamline your contract management process and prevent non-compliance, consider adopting ContractPodAi. Our platform is designed to simplify and automate contract management, and includes analytics software, giving you the time and ability to focus on growing your business. Simply book a demo today and see how ContractPodAi can transform your approach to agreements.