DPA

Data Processing Agreement

What is a data processing agreement?

A data processing agreement (DPA) is a legal contract established between two parties, typically a data controller (such as a company or organization collecting personal data through web forms) and a data processor (such as a third-party service provider handling the processing of that data). The agreement outlines the terms and conditions governing the processing of personal data, including its collection, use, storage, and security measures.

Who needs a data processing agreement?

  • Data Controllers: Businesses or organizations that determine the purpose and means of personal data processing typically act as data controllers. They have a legal obligation to ensure the data is processed lawfully and securely. A DPA helps them fulfill this obligation by clearly defining expectations with data processors.
  • Data Processors: Any third-party company that processes personal data on behalf of a data controller is considered a data processor. This could include cloud storage providers, marketing automation platforms, or customer relationship management (CRM) software companies. A DPA protects data processors by clarifying their specific tasks and limitations regarding data handling.

In essence, any organization involved in the processing of personal data, either as a controller or processor, should have a DPA in place to ensure compliance with data protection regulations and mitigate risk.

Key elements:

Scope of processing: Clearly defining the purpose and scope of the data processing activities covered by the agreement.

Data protection measures: Specifying the security measures and safeguards implemented to protect the confidentiality, integrity, and availability of personal data.

Data transfers: Addressing any cross-border transfers of personal data and ensuring compliance with relevant data protection laws and regulations.

Confidentiality obligations: Outlining obligations regarding the confidentiality and non-disclosure of personal data by the data processor.

Subprocessing: Detailing any subcontracting arrangements or engagements of sub-processors by the data processor, with appropriate safeguards in place.

Data subject rights: Clarifying the responsibilities of the data processor in assisting the data controller in responding to data subject requests, such as access, rectification, or deletion of personal data.

Data breach notification: Establishing procedures for reporting and handling data breaches, including notification obligations to the data controller and relevant authorities.

Duration and termination: Specifying the duration of the agreement and conditions for termination or renewal.

Liability and indemnification: Allocating responsibilities and liabilities between the parties in case of non-compliance with the agreement or data protection laws.

Compliance with laws: Ensuring compliance with applicable data protection laws, regulations, and industry standards.

Data processing agreements are essential for establishing clear legal obligations and responsibilities between parties involved in the processing of personal data, helping to ensure transparency, accountability, and compliance with data protection regulations such as the GDPR (General Data Protection Regulation).
