Data Processing Agreement 101: What is DPA?

2018 hit us with some shocking news. It started in February with a curious finding by Kromtech Security that the personal information of 199,000 FedEx clients was stored on a non-secure AWS server. Then, a subsidiary of Expedia, Orbitz, mentioned in March that a hacker used a legacy website to collect personal information, including credit card data, of 880,000 customers.

The biggest scandal, however, happened when Mark Zuckerberg began a 2-day marathon, answering 600 questions in front of the senate. He was invited to that marathon after announcing that the personal information of 90 million Facebook users was compromised due to just one line of code.

These and many other data breach events called for a revolution in the data privacy sector. This revolution started with the General Data Protection Regulation (GDPR). This regulation has affected all businesses that handle data of any EU citizen.

GDPR made every country-member of the EU and countries that process data of EU citizens take precautions to ensure that the personal data of their citizens is well protected. The data processing agreement (DPA) became a major player in ensuring compliance with GDPR between data processors and data controllers.

But what is data processing agreement, and how does it help keep your personal data protected? Who are data controllers and processors and how to know if your business has to sign a DPA contract?

You will find all the answers you need to draft the pitch-perfect DPA in our new blog.

What is DPA and why is it important?

Today, data is one of the most valuable assets that a company can operate with. The DPA ensures that security measures and data processing activities are compliant with GDPR policy, and that data providers are able to prevent any potential abuse or breach of data.

The EU data protection law states that any company can process the personal data of every citizen only if they sign a legally binding contract that regulates data processing. That contract is the DPA’?Data Processing Agreement. 

Personal data of every citizen can only be processed by any party if they sign a legally binding contract that regulates data processing.

A data processing agreement is signed either electronically, or in written form, and regulates the purpose and scope of processing personal data. Personal data is any information that can help identify a person: first and last name, date of birth, residence, username, email, etc.

This DPA contract will act as a proof that the service provider can securely process the personal data, prevent any incidents, and is compliant with every applicable law of data protection.

When is data processing agreement required?

In the era of digital transformation it is near impossible to operate a business without exchanging and processing information with others. Any company that operates in, but not limited to, the following areas, will have to sign a DPA to handle EU citizen’s data:

  • Cloud storage
  • Website analytics
  • Contract lifecycle management
  • Marketing services
  • CRM
  • Financial Services
  • Marketing agencies
  • Software outsource companies
  • SaaS companies

There are no legal restrictions from the GDPR regarding the structure of the data processing agreement. But if the data processor is located outside the EU, and personal data is transferred internationally, there are certain specifics to the format of documentation, such as corporate binding rules, standard contractual clauses, etc. We’ll go through them further down the article.

Do I need to sign a data processing agreement?

Pretty much anyone who is involved in the exchange of personal data with third parties should have a DPA contract signed. Now let’s have a more detailed look at the roles and responsibilities:


A data controller or a data exporter is a company that owns the data. They are the ones that hire a data processor and provide them with access to the data.

When your company hires an outsource accounting firm to manage your payroll, you provide them with employee names, positions, days of sick leave, wage, etc. Your company acts as the data controller in this case.

It is up to data controller to determine:

  • The purpose of data collection
  • How the data will be processed

Depending on the data subjects or special categories of data, it can be processed in different ways, and it is up to the controller to outline each of them.


A data processor or a data importer is a third party processing the data for the controller, a service provider.

That outsource accounting firm that is managing the payroll for your company receives all the required information from the controller. But  the accounting firm can only use the provided data to calculate the payroll. This accounting firm is the data processor.

The data processor’s actions with data are limited by the actions stated in the DPA by the data controller. When the data processing agreement expires, the data processor is obligated to either delete the data or return it to the controller.


A data sub-processor is the third-party with whom the data is shared by the data processor. 

If an accounting firm is out of accountants to manage your company’s payroll, they will have to outsource an accountant to take care of the part of the job. The outsourced accountant will be dealing with your company’s data on behalf of the accounting firm. This outsourced accountant is the sub-processor.

The processor and sub-processor will have to sign a DPA between them. Data processor can only share the data with the sub-processor with the prior consent of the data controller.

Joint Controller

GDPR defines joint controllers as ‘two or more controllers jointly determining the purposes and means of processing’?. 

For example, your company rents vacation homes and signs a contract with a car rental company to add a value-added proposition to your clients. Now they can rent a car along with a vacation home. Both companies will be exchanging client information and using the same platform to sell their services. They are called joint controllers.

Joint controllers each remain responsible for their obligations, but are not required to have a contract between them. All they need is an agreement that outlines their roles and responsibilities and can be available to data subjects.

What are the data processing agreement requirements?

There is no definite structure of the data processing agreement template, as separate clauses may vary by industry. 

All information on how to draft a data processing agreement template can be found in GDPR Articles 28 through 36, but it’s a very extensive read. That’s where document automation software for law firms really helps’?after your legal operations feed the document automation software with relevant templates, it will take your lawyers no time to draft a perfect data processing agreement  and adjust it to their current case or client.

There is no definite structure of the data processing agreement template, as separate clauses may vary by industry.

Below are the clauses deemed most important by the GDPR to include in your data processing agreement:

Processing details

Every DPA must include the following:

  • Which data is being processed
  • How long will the data processor have access to the data
  • Purpose and type of processing
  • Categories of data subject and types of personal data
  • Legal basis and purpose behind processing of personal data
  • Rights and responsibilities of the controller and the processor

Your legal operations can also determine what the data subject is able to do with their information. For example, you provide your client’s data to the processor, and say that your client can remove, delete, edit, or retrieve their personal data from the processor’s database.

Acting in accordance with the instructions

It must be mentioned that the processor can only manage the data based on the instructions of the controller. Instructions can be written in any form or manner, including an email, and have to be reproducible.

The data processor can only act against the instructions if required to do so by the EU or member state law. For example, a data processor has to share personal data with the court that has issued an order to provide the necessary information.

If a processor acts in a way that is not described in the instructions from the controller, they decide the means of data processing. That makes them a controller in this action, and they will have corresponding liabilities. 

Let’s say, the accounting firm shares your company’s data with an outsource accountant without your consent. In this case, the accounting firm becomes the data controller, and the outsourced accountant is the data processor.

Personal data confidentiality

The processor must be committed to protecting confidentiality of the entrusted data. This contract term should cover every processor’s employee that can access personal data, including third party and temporary employees.

Ensuring the adequate security measures, technical and organizational

The processor has to take all security measures to ensure the protection of personal data.

It is up to both the controller and the processor to have technical and organizational measures in place:

  • Data encryption
  • Resilience and integrity of processing systems
  • Ability to restore data in case of an accident
  • Regular test of the effectiveness of undertaken measures

Having a code of conduct and certifications, such as SOC-2, can help you demonstrate that your security measures are sufficient to be compliant with the GDPR.

Using Sub-processors

It must me stated in the agreement that:

  • The processor has no right to engage with a sub-processor without the controllers prior consent
  • When employing a sub-processor under a general authorization, a processor should make the controller aware of any changes and allow the controller to object to them.
  • A contract should be put in place between a processor and sub-processor, outlining the obligations
  • The processor takes all liability for the sub-processor to the controller.

Basically, a processor should sign another data processing agreement with a sub-processor and indicate the controller as the main provider of the data.

Resolving subject access requests

The processor should be able to take measures, both technical and organizational, to assist the controller  in managing data subject’s requests to take actions with their personal data.

Rights and privacy of data subjects

The processor must be able to help the controller to meet obligations in the following areas:

  • Personal data security
  • Notifying authorities of the potential breaches
  • Notifying data subjects of the breaches
  • Carrying out DPIAs (data protection impact assessments)
  • Consulting with authorities when, according to a DPIA, the risk is too high and cannot be mitigated

Ways of assisting the controller to meet their security obligations must be made very clear in the agreement.

Duration of processing

Upon the expiration of the contract, the processor has to:

  • Return or erase all the personal data that they have processed. It is up to the controller to decide which one.
  • Erase all existing copies of the data unless required otherwise by the EU or member state law.
  • Ensure that all data is erased in accordance with the security requirements

These terms are required to be sure that personal data is protected even after the agreement expires.

Audits and compliance

GDPR require the DPA agreement to include the following:

  • Processor must provide the controller with a proof that all obligations of Article 28 are met
  • Processor must allow and contribute to any audits carried out by the controller or an auditor that has been appointed by the controller

A good way for the processor to demonstrate compliance with Article 28 is to store records of any activities related to personal data processing, and being able to provide them for inspection upon request.

Exceptions for data processing agreement

Naturally, you don’t have to sign a DPA every time you engage with third-party services. Below are 5 cases that don’t need a DPA, because data protection compliance is already granted without the need for any additional contracts:

  • Engaging with professional groups bounded by confidentiality. This includes lawyers, tax consultants, and auditors that work with personal information.
  • Debt collection agencies with assignment of debt.
  • Providers of matching services, such as recruiters.
  • Clinical studies
  • Large groups of companies under one management


Data is one of the most important aspects of business operations. Marketing campaigns, studies, researches, reports, and sales all depend on how much data can be gathered and analyzed.

A data processing agreement template must be set in place in order to protect your customers’ personal data from being compromised. It will also ensure that any third party services that you engage with won’t put you in a situation where you are held responsible for mishandling information provided to you by your clients.

After all, the amount of fine is 4% of the company’s annual revenue.

Despite the complexity of clauses, a DPA is a simple contract that has to be processed on a regular basis. Legal departments can sometimes deal with lots of such agreements every month. 

To help them take care of routine contracts with zero effort, we have created AXDRAFT QuickDocs, a fully automated solution that gives your clients full control of turning out 100% compliant data processing agreements by filling out a small questionnaire on a public-facing template.

If you would like to learn more about other contracts, visit our other Contracts 101 posts that cover the fundamentals of non disclosure agreement, master service agreement, and a statement of work.
Want to see AXDRAFT document automation magic in action? Try our instant demo and get a ready-to-use NDA drafted in 57 seconds!


What is a GDPR data processing agreement?

A DPA is a legally binding document that ensures that data processing activities and security measures comply with the GDPR policy. It also makes sure that data providers can prevent any potential abuse or breach of data.

What should a data processing agreement include?

A data processing agreement should include the information stated in GDPR Articles 28 through 36. In short, these are:
– Data and processing details,
– Protection of personal data,
– Security measures to comply with the GDPR,
– Actions when employing a sub-processor,
– Resolving subject access requests,
– Rights and privacy of data subjects,
– Duration of processing,
– Audits and compliance.

It must also mention that the processor can only operate the data under the controller’s instructions.

Do you need a data processing agreement?

Suppose your organization handles EU citizens’ personal data and exchanges it with other businesses. In that case, you must have a data processing agreement in place, no matter whether you act as a controller, processor, sub-processor, or joint controller. It’s a key component of GDPR compliance.

What is the purpose of a data processing agreement?

A DPA lays out technical and organizational requirements for the controller and processor to ensure that data processing activities and security measures comply with the GDPR policy. It regulates how data should be stored, protected, processed, accessed, and used. It also states what contractors can and cannot do with the data.

Who is responsible for the data processing agreement?

A company that owns the data (a data controller) must determine how personal data will be used and outline the responsibilities of each party. Signing a DPA guarantees that both controller and processor protect personal data following the GDPR rules.

Using document automation software like AXDRAFT can take that burden off your shoulders. Once your legal operations feed the program with relevant templates, drafting a perfect DPA and tailoring it to a specific case or a client will be a matter of minutes.

What is the difference between a data-sharing agreement and a data-processing agreement?

A data processing agreement is a must when a data controller (data owner) exchanges personal data with a data processor or its sub-processors. A data-sharing agreement is signed if you, as a controller, share personal information with one or several joint controllers and you decide on the purpose and means of data processing together. This agreement regulates what data is being shared and how it can be used.

Stay in touch!
Subscribe to our newsletters

Leave a comment