Data processing agreements (DPAs) are legally binding contracts between a data controller and a data processor, as outlined in the General Data Protection Regulation (GDPR), which governs how to process data. Other data protection laws around the world also have similar contractual requirements in place, but they are not necessarily referred to by the same term or feature the same requirements.

In this post, we take a closer look at the GDPR's data processing agreement to understand what a DPA is, why it matters, and to whom it applies. We also cover third-party data processing and how it is handled under other data privacy laws in the US.

What Is a Data Processing Agreement (DPA)?

Under the GDPR, a DPA is a legal contract that must be in place whenever a company that decides to process consumers’ personal information (also known as a data controller) shares or outsources the processing of personal information to another company (or the processor).

The purpose of a DPA is to make sure all parties involved in handling personal data comply with GDPR regulations. To that end, it sets out to define:

  1. What personal data will be processed
  2. Why the data is being processed
  3. How long it will be stored
  4. The security measures needed to protect the data

If you're the organization collecting personal information from EU data subjects, you're responsible for making sure the processor follows GDPR compliance rules. The processor, on the other hand, is responsible for abiding by the requirements of the GDPR, i.e., only processing personal data based on the controller’s written instructions, keeping it secure, and reporting any data breaches. 

For example, you might use an email marketing service like MailChimp, a customer relationship manager like HubSpot, or something like Dropbox to share files. Since your business shares consumer information with them to fulfill a service, all of these third parties are considered data processors. 

The DPA also outlines other important information, such as how data must be returned or deleted after the contract ends and what the consequences are in the event of non-compliance.

Data Processing Compliance in the US

The GDPR has clear DPA rules, but other major data privacy regulations around the world also have their own approaches to data processing and the requirements between collectors and processors. 

In the United States, there are a number of state privacy laws that cover this topic.

For example, the California Consumer Privacy Act (CCPA) has requirements around data processing addenda. Data processing addenda are additional terms businesses must include in their contracts with service providers, contractors, and third parties before sharing, selling, or disclosing personal information. Note that the CCPA features additional requirements for contracts made with service providers and contractors relative to those made with third parties.

While the CCPA is among the most notable of the US privacy laws requiring a DPA, every other state privacy law also has some sort of requirement around contractual obligations made between the equivalent of a controller and processor.

Why Are DPAs Important for Compliance?

A DPA is an essential piece of the GDPR compliance puzzle, as it establishes the legal and operational safeguards for the handling of personal data whenever a business outsources its data processing, which is almost impossible to avoid these days. A DPA ensures that everyone involved in data handling is held accountable for keeping user data private and secure, thereby enhancing the protection of personal data.

As the controller, you may be accountable for your third-party vendor's compliance, or lack thereof. 

They Help Organizations Avoid Hefty Fines

While some companies might balk at the complexity of GDPR regulations, the price of ignoring regulatory requirements isn't cheap. Organizations that violate the law can be fined up to 4% of their annual global revenue or 20 million euros, whichever is greater. It goes without saying that while compliance can be tricky (GDPR compliance platforms can help with that), the cost of non-compliance is much, much higher.

They Protect Individual Privacy Rights

A well-structured DPA ensures that processors handle personal information in a way that respects people’s rights to privacy. This includes requirements for processors to assist in fulfilling data subject requests, such as accessing or deleting their information, or restricting or correcting data processing.

They Strengthen an Organization's Security Posture

The GDPR requires processors to implement strong security measures to protect personal information, and a DPA adds an extra layer of accountability to that. Examples of security measures include encryption, access controls, and audits, also known as data protection impact assessments.

It also requires processors to immediately report breaches to controllers, which helps companies react quickly to security incidents.

They Help Manage International Data Transfers

The GDPR restricts data transfers outside the EU unless proper safeguards are in place, such as through standard contractual clauses, or SCCs. Both a DPA and an SCC ensure that processors located in other countries follow equivalent data protection standards to reduce legal risk and strengthen privacy. 

It’s important for a controller to have both a DPA and SCC signed by a non-EU processor because it ensures legal compliance, data security, and risk protection when transferring and processing personal data outside the European Union.

They Maintain Business Trust & Transparency

Any company that demonstrates its compliance with privacy laws will foster trust from its data subjects. Clients and partners are more likely to work with companies that have clear, well-defined data protection agreements in place.

When Do I Need to Sign a Data Processing Agreement?

Not every organization that collects consumer data from EU citizens needs to sign a DPA, but as most businesses share their data with third-party data processors (email, web analytics software, etc.), it's safe to assume that you will need a DPA to carry out marketing and operational tasks. If you're not sure when a data processing agreement is required, check with your legal team.

Key Elements of a DPA

What do you need to create a DPA? The GDPR outlines what is necessary to include in any data processing agreement, and data protection authorities also provide free DPA templates to organizations.

Does your business plan to create its own legal document to cover data processing activities? Here are the essential topics that need to be outlined for the processor:

  • The processor must commit to processing personal data exclusively based on the controller’s written instructions.
  • All individuals who have access to the data are bound by confidentiality.
  • The processor needs to take measures (technical and organizational) to maintain data integrity and security.
  • The processor may only hire a sub-processor with prior written authorization from the controller and with a separate and signed DPA.
  • The processor shall assist the controller in fulfilling its obligations under the GDPR, particularly in relation to data subjects' rights (e.g., access, rectification, erasure, and portability requests).
  • The processor has to maintain GDPR compliance.
  • When the services are terminated, the processor has to either delete all personal data or return it to the data controller, unless there's a legal basis to keep it for applicable data processing purposes.
  • The processor has to give the controller the right to audit its data processing practices and provide any necessary documentation to demonstrate compliance with GDPR.

If you're not sure what else your DPA should include, you can download the free six-page template from the official regulation site.

Note, however, that any contractual language should be reviewed by your legal counsel.

How Osano Can Help Controllers with GDPR Compliance

Osano's platform helps companies with vendor data processing agreements by providing automated, compliant templates that simplify the legal process. Our platform ensures that DPAs include essential clauses like security measures and breach notifications to minimize the legal complexity for businesses handling personal data.

Osano's intelligent platform also helps businesses continuously assess third-party compliance with its vendor privacy risk management feature. This includes a vendor risk score that helps you identify trustworthy, low-risk vendor candidates at a glance. We also provide ongoing vendor monitoring and alert you to changes in privacy policies, lawsuits, or data breaches among your vendor portfolio.

Organizations trust Osano to help them maintain their audit-readiness and compliance with evolving regulations. If you’re looking to streamline privacy obligations while minimizing legal risk, Osano provides an efficient and proactive solution.

Schedule a demo of Osano today

The Big Data Privacy Bundle

Looking for templates, official guidance, checklists, and other resources to jumpstart your privacy management efforts? Check out our bundle of 50 free data privacy resources.
