What is a Data Processing Agreement (DPA), and do you need it?

What is a data processingagreement (DPA)

...Læs på dansk her 🇩🇰


In EU, mentioning data processing inevitably brings GDPR to mind; these two are closely intertwined in today's digital landscape. Data processing encompasses everything from collection and storage to analysis and transmission, among other things.

The GDPR regulation aims to address this by establishing legal frameworks that ensure the protection of privacy and personal data for individuals in the EU/EEA. It sets strict guidelines for how data should be handled in connection to data processing, while still emphasising transparency, security, and accountability.

As many companies engage in business together, situations may arise where there is a need to transfer and process data. In such cases, it is important to establish a data processing agreement (also known as a 'DPA') to ensure that the rights of data subjects remain protected and that a high level of security is maintained in accordance with GDPR.

As a company in the EU/EEA, it is therefore essential to be aware of the rules regarding this matter, as failure to comply could result in significant fines and/or reputational damage. This article will provide a comprehensive insight into GDPR and data processing, as well as when and how to enter into a data processing agreement.

See our DPA Service - supervision of data processors made easy

What does GDPR mean?

The General Data Protection Regulation (GDPR) was established by the European Union to address the protection of privacy and personal data for EU/EEA citizens. It serves as a legal framework that sets guidelines for how companies and organisations may collect, process, store, and transfer personal data.

This is aimed at giving data subjects greater control over their personal information. Additionally, it also aims to demand more from companies/organisations, as they are required to implement measures to ensure confidentiality, integrity and availability in handling data (the CIA-triad). Finally, GDPR imposes significant sanctions for non-compliance, including hefty fines, making it crucial to adhere to the provisions of GDPR and thereby become compliant.

For further insight, read also: Everything you need to know about GDPR and how to implement GDPR in 10 easy steps

What does data processing mean?

Data processing, as mentioned, involves the collection and use of data that becomes meaningful information or insight, which may be linked to individuals. Processing therefore encompasses several activities, including collection, recording, storage, use, transmission, deletion, or any other use of collected data. If such processing occurs, the specific requirements of GDPR must be respected and integrated. It is therefore crucial to understand when there is processing taking place and what obligations this entails.

What is a data processing agreement (DPA)?

A data processing agreement is a legally binding contract between a data controller and a data processor. The data controller is the person/company/authority/other organisation determining the purpose of the processing and the means used. The data processor, on the other hand, is the person/company/authority/other organisation processing personal data on behalf of the data controller.

In this regard, GDPR requires a data processing agreement to establish the terms and conditions under which data may be processed by the data processor on behalf of the data controller. The data processing agreement specifies the responsibilities, obligations, and rights of both the data controller and the data processor. This may include topics such as security measures, procedures (e.g., for reporting data breaches), and compliance with GDPR requirements.

The data processing agreement thus defines the relationship between the two parties to ultimately ensure compliance with GDPR and protection of the rights of data subjects.

What is the purpose of having a DPA?

In short, having a data processing agreement is essential for compliance with data protection regulations. The agreement clarifies the roles, responsibilities, and obligations of each party involved in data processing.

This clarity is crucial because the requirements for a data controller differ from those for a data processor. It's important to establish responsibility to avoid ambiguity about who is accountable for fulfilling various obligations. Without clear delineation, there's a risk of no party assuming responsibility or one party taking on responsibility they don't actually have.

Furthermore, as a data controller, it's essential to safeguard oneself and the collected personal data. This means ensuring that a data processor handles the information with the same level of care as the data controller would. Therefore, it's vital to have a data processing agreement in place before any data processing occurs.

Related article: What is the difference between Information Security & Cybersecurity?

When do I need a DPA?

All data controllers processing personal data from EU/EEA citizens are obligated to have a data processing agreement in place when collaborating with a data processor - and vice versa. This is a mandatory requirement for both parties. The exception is only when it is clear that there is no 'data controller-data processor' structure involving personal data.

Regardless, it is necessary to enter into a data processing agreement if personal data is disclosed to a party acting as a data processor. Such an agreement not only ensures compliance with GDPR but also greatly protects the rights of data subjects and promotes trust and transparency.

Read more: Checklist of Documents Required by EU GDPR

What are the components of a DPA?

Blogpost15What should be included in a data processing agreement? First and foremost, it is a requirement that the data processing agreement is in writing and can be presented electronically. This is to ensure that the agreed terms can be documented for inspection or audit purposes, among others. The agreement should contain information about the data processing, including duration and purpose.

What should be included in a data processing agreement?

This is not a complete list, but it gives a good overview of the components that a data processing agreement should have:

  • Information about the subject matter of processing: An explanation of the instructions given from the data controller to the data processor regarding the processing of data.

  • Nature of the processing: A description of how data is processed, including whether it will be collected, stored, processed, disclosed, or deleted.

  • Purpose of the processing: An indication of the specific purposes of the processing, including contractual obligations, service administration, marketing activities, etc.

  • Duration of processing: Specification of the duration of the processing.

  • Type of personal data: A precise and comprehensive description of the data being processed, including type, source, and category. This could include contact information or health data.

  • Obligations and rights as a data controller: Specification of the legal obligations and rights of a data controller under data protection legislation, including ensuring fair and lawful processing of data and protecting the rights of data subjects.

  • Obligations and rights as a data processor: Specification of the legal obligations and rights of a data processor under data protection legislation, including only processing data according to instructions from the data controller and maintaining appropriate security measures and reporting any security breaches.

If you're still unsure about what a data processing agreement should include, you can draw inspiration from the template provided by the Data Protection Agency, which is available on their website.

Audits of data processors

It is important to conduct ongoing audits of data processors to ensure that the data processing continues to be secure for the registered individuals. By regularly inspecting the company's relevant data processors and how they manage and secure data, potential risks and vulnerabilities can be identified. This is usually done with an emphasis on their procedures and security measures to ensure that they do not compromise confidentiality, integrity and availability (the CIA-triad). Furthermore, these audits ensure that data processors comply with applicable laws and contractual obligations stipulated in the data processing agreement between the data controller and the data processor. Integrating regular audits into the company’s annual wheel is generally advisable in order to ensure continous executions of audits.

How to ensure proper data processing and supervision of data processor

Audits of data processors thus afford the data controller the opportunity to be proactive in addressing potential issues before they escalate into major security breaches or outright violations. This ensures the safety of both the data controller and the registered individuals.

What are the potential consequences for those who fail to comply with GDPR regulations?

Non-compliance with GDPR can have significant consequences. For instance, it may result in substantial fines imposed by data protection authorities, which can amount to several million euros or a percentage of the company's global annual turnover – whichever is higher. Non-compliance can also lead to reputational damage, loss of trust, and/or legal disputes from data subjects or others. Additionally, enforcement orders to cease non-compliant processing may be issued, affecting the company's ability to conduct business.

What does Governance, Risk and Compliance mean?

This could result in financial sanctions for the company; furthermore, it could hinder the company's operations, disrupt partnerships, and potentially limit growth opportunities. Consequently, there are many reasons why a company should prioritise being or becoming compliant with GDPR – both for the benefit of the data subjects and for the company itself.

How can .legal help you auditing your data processors?

Dpa proces eng

.legal offers several legal tech products, one of which is the DPA Service tool, making it easy to conduct audits of data processors and thereby evaluate them. This framework provides the company with an ISMS to conduct effective audits of the data processors handling data on its behalf, thereby ensuring a high level of data security.

The process is structured and optimised to facilitate the audit, where the company simply lists the relevant data processors to .legal. .legal then manages the entire evaluation process, ensuring that data processors respond promptly, while the company can monitor the process continuously.

The results are presented in a comprehensive, automated report based on the data processors' responses, providing the company with a thorough insight into the level of compliance among their data processors, allowing the company to take action on whether they need to demand further compliance measures from their data processors. This ensures reliable and secure auditing of data processors, while streamlining the process by letting .legal and its employees oversee the evaluation process to completion.

Read more:
DPA Service from .legal
How To Achieve GDPR Compliance When Using Cloud Storage & Cloud Services


Is a DPA mandatory?

Yes, it is mandatory to enter into a data processing agreement according to GDPR when a data controller engages a data processor to perform tasks on their behalf involving the processing of personal data. A data processing agreement regulates the applicable terms, conditions, and obligations between the data controller and the data processor regarding data processing activities.

The purpose of this is to adhere to data protection laws and safeguard the interests of data subjects. Failure to enter into a data processing agreement when required by GDPR can result in sanctions, injunctions, or public shaming for non-compliance.

You may want to read about 10 features to look for in GDPR compliance software in 2024

How often should DPAs be reviewed or updated?

The frequency at which a data processing agreement should be reviewed or updated depends on various factors. This could include changes in processing activities, legislation, or the business relationship between the parties involved.

Generally, a data processing agreement should be reviewed regularly – whenever necessary – to ensure continued compliance with applicable regulations and to ensure that the agreement reflects the current situation and practices of the company.

What to do about my data processor’s data processor?

According to GDPR, it is a requirement that a data controller has a data processing agreement with all companies to which they share data – meaning that the data controller must have a data processing agreement with all data processors. If one or more of the data processors engage additional companies to handle the same data – known as 'sub-processors' – this typically needs to be coordinated with the data controller, as the sub-processors are now also processing the data controller's data and therefore must be subject to the same obligations as the data processor. This ensures that the same standard of data protection is applied throughout the supply chain, encompassing all parties processing personal data.

Need help with your other GDPR compliance tasks? Try .legal's legal tech tool, Privacy - it's completely free!

You can read more about all the features, prices and plans here.

You may like:
Risk assess your processing activities
Document where you process personal data

+230 large and small companies use .legal