Back to blog

What Is a Data Processing Agreement and How Does It Apply to GDPR?

When you’re the legal counsel of a scaling company, every new process and operation needs to be set up ― and this requires legal documents. You need to ensure there’s a legal basis for risk management, business decisions, and compliance monitoring.

A data processing agreement is a critical legal basis for compliance with data privacy laws like GDPR (General Data Protection Regulation). It’s an EU policy that requires companies to take extra precautions when collecting and processing personal data. That’s whether you’re doing business on their land or just with EU citizens. 

Failing to comply can result in heavy fines. Here are a few of the most severe GDPR penalties.

  • Amazon was fined $877 million for its cookie consent practices
  • WhatsApp paid a fine amounting to $255 million for questionable data processing practices
  • Marriott hotel chain was issued a fine of $23.8 million following a hacking incident that compromised guest records for 30 million EU residents

Quite a shocker, right?

So in this article, we’ll explain what a DPA is. That also covers the contract elements it should have for absolute GDPR adherence. In the end, we’ll present you with an automated DPA template you can use to draft and execute more effectively.

What is a data processing agreement?

A data processing agreement is a legally binding contract between a company and a service provider (also called the data processor) that specifies how data will be managed. Usually, the company is the data collector who determines the purpose and means of processing the data.

Since it’s also called GDPR DPA, this is all about protecting personal data. So let us first define what the law describes as personal data ― anything related to an individual that makes it possible to identify them directly or indirectly. 

Here are a few examples of personal data:

  • names
  • physical or email address
  • photos
  • credit card or employee identification number
  • bank details
  • IP addresses
  • medical information
  • records of working hours

As per GDPR, the data processor only works on the data according to the controller’s instructions. However, both parties have a duty to protect them from loss, destruction, alteration, or unauthorized access. This document outlines the specific tasks that they will be responsible for along with the liability of the offending party.

By signing a DPA contract, both parties are agreeing to abide by the terms set forth. A perfect example would be when a website is using a third-party analytics service to track user behavior.

The purpose of a DPA

A DPA helps ensure that personal data is processed in a manner that is compliant with data protection laws such as GDPR. Article 28 specifies that when data may be processed, data controllers should only engage with processors who offer enough security and can protect the data subject’s rights.

So under legal frameworks, a DPA contract is required to lawfully transfer personal data to a third-party processor. So here’s what the agreement makes clear:

  • the specific purposes for which the data will be used
  • the security measures in place to protect the data
  • the rights and responsibilities of both parties (data controller and data processor)

When do I need a DPA?

Parties agree to share data by signing a data processing agreement. DPAs are needed by companies using third-party service providers for the processing of their data behalf.

With respect to GDPR, any time you collect or process data from individuals in the European Union, you need to have a DPA set up. One of its key provisions is the need to get explicit consent from individuals before collecting, storing, or sharing their personal data.

Here are some situations where data controllers use data processors thus needing a GDPR DPA.

  • Transferring data from the European Union to another country
  • Collecting data through online forms
  • Getting information from website cookies
  • Collecting contact information or purchase history
  • Using customer data for marketing purposes like email lists and targeted ads
  • Handling medical records
  • Working with sensitive data, such as credit card numbers or health information.
  • Data processors using sub-processors

So if you’re going to create a DPA, please use the following as your data processing agreement checklist. Ensure that you’re including the essential elements of the document.

What should a data processing agreement contain?

In general, a DPA sets out the roles and responsibilities of both parties involved and the protections in place for the personal data being processed.

 The following is what every GDPR-compliant DPA should contain:

  1. A clear description of the personal data being processed and its nature
  2. A clause that defines the purpose of data processing
  3. The obligations of the data controller and data processor. Let’s define each of their responsibility:
  • The data controller is responsible for enforcing the data processing agreement. This includes ensuring that the personal data is processed in line with the contract and that the rights of the data subjects are respected

Among his responsibilities include:

  • assuring the data processor has the necessary security measures in place
  • ensure that any sub-processors used by the data processor are compliant with the terms of the data processing agreement
  • notify the data processor of any changes to the personal data or processing activities that could impact the security of the data.
  • Responsibilities of the processor tend to be longer since instructions from the controller must be detailed and specific.

The following are his main duties:

  • implement technical and organizational measures to protect the personal data against unauthorized processing, accidental loss, destruction, or misuse
  • maintain the confidentiality that covers the removal of all copies of the personal data at the request of the controller (unless required by law to retain them)
  • aid the Controller in complying with its obligations under applicable data protection law, including its obligations to respond to requests from individuals for access to their personal data
  • notify the controller if it becomes aware of any unlawful processing of the personal data
  • use of compliant sub-processors
  • allow regular assessment and audits from the data controller
  1. A provision specifying which law will govern the agreement.
  2. An indemnity clause that protects the data processor from liability in case of a data breach.
  3. A clause specifying how long the agreement will remain in effect including the personal data’s retention or disposal.

We’ll now start to create our DPA.

How do you create a data processing agreement?

Let’s get our facts straight ― a DPA isn’t a legal requirement in allcases. Take matching service providers, for example, they actually share personal data.

However, it’s advisable to have such a contract in place. Thus, it becomes a requirement if your business is subject to EU GDPR.

So let us guide you in creating a DPA contract. Drafting DPA from a template can happen in three ways:

  • You have your own template that you adjust for each case. Are you using MS Word?  There’s a reason it’s not enough for your legal team.
  • You try searching for a DPA template online.
  • Or you can try an automated DPA template prepared by Avokaado’s partner law firm LexRatio

Here’s what’s great about it. In this Avokaado DPA template, you’ll find the following sections:

  • Definitions (terms and expressions)
  • General provisions
  • Data processor’s obligations
  • Security of processing
  • Integrity and traceability of data
  • Transfer of data
  • Subprocessing clause
  • Data controller’s obligations
  • Liability/Indemnification clause
  • Intellectual property rights
  • Duration and termination

That’s basically what you need in a GDPR data processing agreement.

Data Processing Agreement Template

Should you decide to try Avokaado’s DPA template, here’s how you can use it:

  1. Start a document from the data processing agreement template. You can also browse the Avokaado store of automated templates for your different cases.
  2. On the left side of the screen, you’ll see a pre-generated questionnaire that you can fill up with the specific details of your contract. Answering the questions, you can see the contract changes you made in real-time.

  • Click “Next” and name your document before saving it. For your reference, all saved documents are stored in a central repository that makes them accessible 24/7 and up-to-date.
  • It’s now your choice:
      • You can keep working on the document with your collaborators. Avokaado will let you set up automated contract workflows that can speed up executing the agreement.
      • Or download the saved document. The document generation software can produce it in .docx or .pdf format.

    Start drafting your DPA right away

    Having a DPA is a smart decision. For one, it’s a major component of you doing your part to comply with the GDPR all while helping to show that you take data protection seriously. It also gives you a clear understanding of your respective roles and responsibilities when it comes to data processing.

    By drafting DPAs using a template, you can improve accuracy and consistency while also freeing up time for your team to focus on other aspects of the deal.

    If you’re looking for a more efficient way to create DPAs to execute them, we recommend trying out our modern CLM software Avokaado. We offer a free trial so you can explore all the features and see how they could benefit your business.

    Try modern Avokaado CLM for free for 7 days.


Recent posts

What Is CLM Software and How Can It Help HR Managers?
28 April 2023
Employee Data Management: The Risks and Consequences of Poor Management of Employee Data
21 April 2023
Streamline Recruiting With HR Business Process Optimization
27 March 2023

Subscribe to Newsletter

Successfully subscribed!

Now you can stay up-to-date with legal news.

Avokaado Newsletter

Stay updated on Legal Tech with our weekly newsletter
* Invalid e-mail


We sent confirmation information to your e-mail address