Skip links

Term: Data Processing Addendum (DPA)

A data processing addendum (also known as a data processing agreement) is a legally binding contract that establishes the roles and responsibilities of both parties and sets out the terms under which personal data will be processed.

DPA under The General Data Protection Regulation (The GDPR)

The GDPR requires organizations subject to it to have a written data processing agreement with all of their data processors.

The GDPR applies to organizations based in the European Union, regardless of whether their data are stored or used outside the EU, as stated in Article 3.1. The law can also be applied to organizations outside the EU if two conditions are met: either the organization offers goods or services to European citizens or the organization monitors their online behavior.

When do I need a DPA?

In order to ensure compliance with GDPR, you need to have a data processing agreement with each of these services. You must have an agreement in place with third parties to process personal data, whether it’s messaging software, cloud storage, or website analytics software. 

Even if you are not subject to the GDPR according to the information given above, there are additional laws and regulations that require service providers to have agreements in place, such as: UK, Brazil, Several US states, Dubai, Thailand, South Africa and more. 

What should be Included in a DPA?

In summary, here’s what you need to include in your DPA based on GDPR Article 28, Section 3:

  • The processor agrees to process personal data only on written instructions of the controller.
  • Everyone who comes into contact with the data is sworn to confidentiality.
  • All appropriate technical and organizational measures are used to protect the security of the data.
  • The processor will not subcontract to another processor unless instructed to do so in writing by the controller, in which case another DPA will need to be signed with the sub-processor (pursuant to Sections 2 and 4 of Article 28).
  • The processor will help the controller uphold their obligations under the GDPR, particularly concerning data subjects’ rights.
  • The processor will help the controller maintain GDPR compliance with regard to Article 32 (security of processing) and Article 36 (consulting with the data protection authority before undertaking high-risk processing).
  • The processor agrees to delete all personal data upon the termination of services or return the data to the controller.
  • The processor must allow the controller to conduct an audit and will provide whatever information necessary to prove compliance.

Drafting DPA for your Customer (as a Data Controller)

By signing a DPA, both you and the data processor you hired will comply with the data privacy laws for your customers. Any business or entity that collects, stores, and communicates data on your behalf is considered a data processor. Therefore, a data processing agreement is required.

Signing a DPA as a Vendor (as a data processor)

As the data processor, you ensure that applicable data protection laws process all personal data. This includes ensuring that appropriate technical and organizational measures are in place to protect personal data from accidental or unauthorized access, destruction, alteration, or use. 

You must also ensure that personal data is accurate and up-to-date and that individuals have the right to have their personal data erased or corrected if it is inaccurate. These responsibilities also extend to any such sub-processors you may hire, including any sub-processing activities.

Occasionally, vendors (processors) publish their DPA on their website. Sometimes, they are open to negotiations with their customers, and sometimes this is a “take it or leave it” agreement that their clients may sign and download before starting to use their services. 

« Back to Glossary Index