Skip to main content

In today’s digital landscape, data processing agreements (DPAs) are crucial for ensuring that controllers process personal data securely and comply with data protection laws. A comprehensive DPA is essential for any organisation that engages third-party processors to handle personal data. This post explores:

  • what a data processing agreement is;
  • why companies need one;
  • what legal and international standards these agreements must meet; and
  • how to implement such an agreement effectively.

What is a data processing agreement?

A data processing agreement (DPA) is a legally binding document that outlines the responsibilities and obligations of both data controllers and data processors regarding the handling of personal data. It establishes guidelines for data processing activities to ensure compliance with data protection laws and safeguard the privacy of individuals.

Why do companies need a data processing agreement?

Legal compliance

Data protection laws, such as the General Data Protection Regulation (GDPR) in the European Union, require organisations to have a DPA in place when engaging third-party processors. Non-compliance can result in hefty fines and legal penalties. A DPA helps ensure that a company complies with these laws and avoids potential legal issues.

Protecting data subjects

A DPA ensures that personal data is processed securely and in accordance with data protection principles. This helps protect the rights and privacy of individuals whose data is being processed.

Risk management

Engaging third-party processors introduces additional risks related to data handling. A DPA helps identify and mitigate these risks by setting clear expectations and responsibilities for data processing activities.

Building trust

A clear and comprehensive DPA demonstrates an organisation’s commitment to data protection, building trust and confidence among customers, partners, and stakeholders.

What data protection laws require

General Data Protection Regulation (GDPR)

The GDPR is one of the most comprehensive data protection laws globally. It requires organisations to have a DPA that addresses the following key elements:

  • Processing details: The nature, purpose, and duration of the data processing, as well as the types of personal data and categories of data subjects involved.
  • Processor obligations: The data processor’s responsibilities, including confidentiality, data security measures, and sub-processing conditions.
  • Controller obligations: The data controller’s responsibilities, including providing instructions to the processor and ensuring compliance with GDPR.
  • Data subject rights: Provisions to assist the data controller in fulfilling data subject rights requests, such as access, rectification, and erasure.
  • Data breach notification: Requirements for the processor to notify the controller of any data breaches without undue delay.
  • Audit and inspection: The controller’s right to audit and inspect the processor’s data processing activities to ensure compliance.

Other relevant laws

  • California Consumer Privacy Act (CCPA): While the CCPA does not explicitly require DPAs, having one in place helps ensure compliance with the law’s requirements for service providers handling personal data.
  • Personal Data Protection Act (PDPA): Found in several countries like Singapore and Malaysia, these laws regulate the collection, use, disclosure, and care of personal data, often requiring similar contractual safeguards as the GDPR.

International standards

ISO/IEC 27001

The ISO/IEC 27001 standard specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Compliance with this standard demonstrates that an organisation follows best practices for information security management.

ISO/IEC 27701

ISO/IEC 27701 is an extension of ISO/IEC 27001 and ISO/IEC 27002 for privacy information management. It provides guidelines for managing personally identifiable information (PII) and helps organisations comply with privacy regulations like the GDPR.

Key components of a data processing agreement

Introduction

An overview of the agreement’s purpose and the parties involved (data controller and data processor).

Scope

Defines the data processing activities covered by the agreement, including the nature, purpose, and duration of the processing.

Obligations of the processor

Outlines the responsibilities of the data processor, such as ensuring data confidentiality, implementing security measures, and complying with the controller’s instructions.

Obligations of the controller

Details the responsibilities of the data controller, including providing clear instructions to the processor and ensuring compliance with applicable data protection laws.

Sub-processing

Specifies conditions under which the processor may engage sub-processors and the requirements for doing so.

Data subject rights

Describes how the processor will assist the controller in responding to data subject rights requests, such as access, rectification, and erasure.

Security measures

Details the technical and organisational measures the processor must implement to protect personal data.

Data breach notification

Outlines the processor’s obligation to notify the controller of any data breaches without undue delay.

Audit and inspection rights

Provides the controller with the right to audit and inspect the processor’s data processing activities to ensure compliance with the agreement.

Termination and deletion

Specifies the conditions for terminating the agreement and the requirements for returning or deleting personal data upon termination.

Standard Contractual Clauses (SCCs)

When transferring personal data outside the European Economic Area (EEA), it is crucial to ensure that the data is adequately protected. Standard Contractual Clauses (SCCs) are a set of contractual terms approved by the European Commission to provide adequate safeguards for data transfers to third countries. Including SCCs as an attachment to your DPA helps ensure compliance with GDPR requirements for international data transfers. These clauses outline the obligations of both data exporters and importers to protect personal data during and after the transfer.

Implementing a data processing agreement

Identify data processing activities

Identify all data processing activities that involve third-party processors. Understand the nature, purpose, and scope of these activities.

Draft the agreement

Draft a comprehensive DPA that includes all the key components outlined above. Ensure the agreement aligns with legal requirements and data protection principles.

Engage with processors

Share the DPA with your third-party processors and negotiate terms as necessary. Ensure they understand and agree to their obligations under the agreement.

Implement security measures

Ensure that both the controller and processor implement appropriate technical and organisational measures to protect personal data.

Monitor compliance

Establish a system for monitoring compliance with the DPA. Conduct regular audits and inspections to ensure that processors adhere to the agreed-upon terms.

Update the agreement

Regularly review and update the DPA to reflect changes in laws, regulations, and business practices. Ensure that any changes are communicated to and agreed upon by the processors.

Buy data processing agreement template

Basic DPA

ZAR 3600

Once off
  • Agreement template
  • Drafting notes
  • Customisation notes
  • 20-minute call with a professional policy drafter
  • Review and feedback
  • Implementation guidance
Buy now

Premium DPAMost popular

ZAR 5600

Once off
  • Agreement template
  • Drafting notes
  • Customisation notes
  • 20-minute call with a professional policy drafter
  • Review and feedback
  • Implementation guidance
Buy now

Ultimate DPA

ZAR 12000

Once off
  • Agreement template
  • Drafting notes
  • Customisation notes
  • 20-minute call with a professional contract drafter
  • Review and provide feedback
  • Implementation guidance
Buy now