What Is a DPA? Data Processing Agreements Explained

By: Etienne Cussol CIPP/E, CIPM Etienne Cussol CIPP/E, CIPM | Updated on: May 25, 2023

Start Building Compliance
Data-Processing-Agreement-01

If your business collects personal information from users and relies on a third party to process the data, you’ll need a data processing agreement (DPA) to avoid fines for non-compliance under several pieces of privacy legislation around the globe.

Simply put, a data processing agreement is a contract between a data collector and the third-party services they employ to process data.

Below we’ll cover more on what a data processing agreement is, what it looks like, and why your business might need one today due to updated and new data privacy legislation.

Table of Contents
  1. What Is a Data Processing Agreement (DPA)?
  2. Why Are Needed DPAs Needed?
  3. Do I Need a Data Processing Agreement?
  4. How Do I Create a DPA?
  5. What Do I Include In My DPA?
  6. Who Signs a DPA?
  7. What Are the Fines for Not Having a DPA?
  8. Data Processing Agreement Examples
  9. Tips for Negotiating a DPA
  10. Data Processing Agreement FAQ
  11. Summary

What Is a Data Processing Agreement (DPA)?

A data processing agreement — also called a data processing addendum or DPA — is a legal contract in which you determine the rights and obligations of the parties involved in data processing.

Most of the time that includes your business and any third-party services you use.

Your business is the data collector, and any third-party company helping you collect or process data would be the data processor.

A data processing agreement helps assure users that you’re taking ownership of the data collection process because you verify that the third-party processors you work with treat, handle, and store their information following relevant laws.

Why Are Needed DPAs Needed?

Data processing agreements are needed because they protect your business by contractually obligating any third-party processors you work with to comply with relevant data privacy laws.

Without a DPA in place, there’s a chance your business will be held accountable for the third party’s unlawful data processing practices, should any occur.

That said, technically, you aren’t legally obligated to use a DPA. However, these documents typically include clauses covering all guidelines and requirements outlined by the different data privacy regulations, making it easier for you to ensure compliance.

These legal agreements also help set proper customer expectations about how your company handles their personal information.

Initially, using a DPA to create legal contracts was one of the critical components of complying with the General Data Protection Regulation (GDPR).

But as of 2023, five additional US states — California, Utah, Virginia, Colorado, and Connecticut — began requiring contracts similar to DPAs, stipulating that they must include clauses covering the following components:

  • Purpose of the data processing
  • Type of data processed
  • Data processing instructions
  • Duration of data processing rights
  • Obligations of both parties.

In comparison, Article 28 of the GDPR requires controllers to set a contract with their processors stating:

  • Subject matter and duration of the processing
  • Nature and purpose of the processing
  • Type of personal data
  • Categories of data subjects
  • The obligations and rights of the controller

Laws That Require DPAs

All of the following data privacy laws and regulations require or will require businesses to create contracts with third-party data processors, and using a DPA satisfies those obligations:

  • General Data Protection Regulation (GDPR)
  • The Data Protection Act 2018 (UK GDPR)
  • California Consumer Privacy Act (CCPA)
  • Virginia Consumer Data Protection Act (CDPA)
  • Brazil General Data Protection Law (LGPD)
  • Thailand Personal Data Protection Act (PDPA)
  • UAE Personal Data Protection Act (PDPA)
  • South Africa Protection of Personal Information Act (POPIA)
  • Colorado Privacy Act (CPA) — in force July 1, 2023
  • Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) — in force July 1, 2023
  • Utah’s Consumer Privacy Act (UCPA) — in force December 31, 2023

Most of these regulations have an extraterritorial scope, so they may apply to your business even if you’re outside their traditional territorial boundaries.

The specific contractual obligations also vary slightly, so click on the links to learn more about how each piece of legislation affects the contents of your DPAs.

Do I Need a Data Processing Agreement?

You may need a data processing agreement to avoid penalties for non-compliance under any previously listed data privacy laws.

The GDPR, for example, applies to any website or app that collects personal information and has visitors from the European Union (EU).

According to Article 83 of the GDPR, businesses that don’t follow the prescriptions risk paying fines up to $20 million or 4% of the global revenue — whichever is greater.

To avoid those risks, follow guidelines for GDPR compliance, including preparing a data processing agreement.

The amended CCPA also requires a contract if a business discloses personal user data to contractors, service providers, and third parties.

In the following sections, let’s define these terms and explain how they relate to DPAs.

Contractors and Service Providers

Due to the California Privacy Rights Act (CPRA) amendments to the CCPA, any entity that processes personal information on behalf of a business or receives consumer personal information for business purposes must have a written contract. You can meet this guideline using a DPA.

But there is a difference between how the CCPA defines contractors and service providers.

Legally, the definition of a contractor is broader than the definition of service provider. It includes anyone a business makes consumers’ personal information available to for business purposes.

On the other hand, a service provider is simply an entity that “processes information” for a business.

According to the amended CCPA, contractors should certify their understanding of the contractual requirements.

These contracts require sections that:

  • Prohibit the selling or sharing the personal information
  • Prohibit retaining, using, or disclosing personal information outside of the direct business relationship between the contractor and the business
  • Prohibit the combination of personal information from different sources
  • Notify the business of sub-processors
  • Mandate the sub-processors by written contract to the same processing obligations
  • Obligates both parties via provisions to monitor their own legal compliance

Contractors must also receive personal information directly from the business, whereas service providers can receive personal information on behalf of the business.

This implies that businesses have greater control over contractors than service providers, which is reinforced by the obligation for contractors to prove their understanding of the legal contractual requirements.

Third Parties

According to the CCPA, a third party is any entity that is not the original business with whom the consumer intentionally interacts with and that collects their personal information as part of their interaction with the original business.

So this means service providers and contractors are legally considered third parties to the business.

Under the CCPA, the contracts must include provisions claiming that the protections regarding the use limitations and privacy rules remain in place for personal information throughout the entire supply chain.

These contracts must also allow some level of due diligence by the business to help ensure third-party processing remains consistent with the new CPRA obligations that amended the CCPA.

Third parties, in turn, must notify the business if it can no longer meet its amended CCPA obligations and grant the business rights to take “reasonable and appropriate steps” to remediate unauthorized use of personal information in such cases.

How Do I Create a DPA?

Your business might work with several third parties for data processing and require multiple DPAs, so let’s talk about the following ways you can make these contracts:

  • Seek out a legal professional
  • Try a managed solution
  • Customize a free, downloadable template
  • Take a do-it-yourself (DIY) approach and write the contract yourself

Seek Legal Assistance

If you’re a massive company that deals with a lot of user data, your best option is to seek out a legal team to help you draft a DPA.

Managed Solution

One of the quickest and simplest methods for creating a DPA is to use a managed solution, like a Data Processing Agreement Generator.

While you’ll likely need to pay a small monthly or annual fee to use a managed solution, it takes all of the guesswork and confusion out of making this technical contract.

All you need to do is answer a few simple questions about your business and the third-party entity, and it will generate a compliant DPA based on your answers.

Template

If you want to make a DPA without spending a dime, try using a free, downloadable data processing agreement template.

Using a template takes more time and effort than a managed solution, but a well-written template will have some of the initial writing, formatting, and standard clauses already in place for you.

DIY

You can also take a do-it-yourself approach and write your own data processing agreements.

This is a challenging option but doable as long as you have the right technical knowledge, skills, and awareness of data privacy laws.

If you decide to take this route, read through the rest of this guide for tips on what to put in your agreement.

What Do I Include In My DPA?

The specific details of your data processing agreement depend on what privacy laws you must follow, but most of them outline all of the following information:

If you include all of the above details, your DPA should meet the legal requirements outlined by most data privacy legislation around the globe. However, in the next section, we’ll briefly list the GDPR requirements for contracts, which feature some stricter guidelines.

What Does a GDPR DPA Require?

According to Article 28, Sec 3 of the GDPR, there are eight important points you must include in your data processing agreement:

  1. Data processors must agree to process data only on the written instructions of the data controller.
  2. The two parties must agree to the sworn confidentiality of those involved in the data processing.
  3. You must list all measures that guarantee the security of the personal data.
  4. You, the data controller, must ensure the delegated functions of the data processor are not outsourced to another data processor without the knowledge and consent of the controller.
  5. The data processor must assist you, the controller, to comply with the GDPR concerning their commitments to the data subjects’ rights.
  6. The processor must assist you, the controller, in fulfilling the duties concerning compliance with GDPR, namely Article 32 (Security of Processing) and Article 36 (Prior Consulting).
  7. After the services are terminated, or the data has been returned to you, the controller, the processor must agree to delete every personal data.
  8. As the controller, you are entitled to audit the processor, who must provide all relevant information, if necessary.

This might seem like a lot, but we’ve outlined some examples of real-life data processing agreements in the next section to help inspire you when you make your contract.

You can also check out the templates on the GDPR official website.

Who Signs a DPA?

For your DPA to be legally binding, both the data controller (i.e., your business) and the data processor (i.e., the third party) must sign the data processing agreement and any of their sub-processors.

So in the next section, let’s talk about how to tell if the DPA presented to you is worth signing from both perspectives or if further negotiations should take place first.

Signing a DPA as the Data Controller

If your business hires a third party to process data, you must create and sign a DPA as the data controller.

Before you sign a data processing agreement as the data controller, ensure that it meets the following standards:

  • Clearly outlines how the processor can use the personal data
  • Ensure you trust that the processor can protect the data and respond quickly if issues arise
  • Verify that the scope of the data collection falls within the legal basis you have for processing data
  • Consider and plan for international data transfers

These are vital measures because, under regulations like the GDPR, the data controller — i.e., your business — is held responsible if a data processor causes a security breach, even if the error was on their end.

If you doubt the security practices or integrity of the third-party processors you may go into contract with, reconsider the relationship or rework the agreement.

Signing a DPA as the Data Processor

If you’re a data processor, you should still understand the ins and outs of data processing agreements, as you’ll be signing many of these contracts to do your work.

When signing a DPA as the data processor, there are a few things to look out for to ensure the contract is suitable, like:

  • Verify that all applicable data privacy laws you fall under are accounted for within the contract
  • Ensure that you can adequately meet all safety and security requirements
  • Keep the personal data up-to-date and accurate
  • Prepare a procedure for how consumers can act on their privacy rights
  • Ensure all of your sub-processors also sign and can follow the stipulations in the DPA

The data processor’s responsibility is to properly store and handle consumer personal information per the DPA and any applicable data privacy laws. You also need to verify your sub-processors can do the same.

What Are the Fines for Not Having a DPA?

Failing to create a compliant DPA could result in paying hefty fines, losing the trust of your consumers, and possibly jail time.

Below, see a table comparing the potential penalties for some data privacy laws that stipulate contract requirements between data controllers and processors.

Data Privacy Law Penalties for Non-Compliance
General Data Protection Regulation (GDPR)
  • Fines up to €10 million (around $12 million) or 2% annual global turnover – whichever is higher
  • Maximum penalty of €24 million (around $23 million) or 4% annual global turnover – whichever is higher
The Data Protection Act 2018 (UK GDPR)
  • Fines up to £8.7 million (around $10 million) or 2% of the total annual worldwide turnover from the preceding financial year – whichever is higher
California Consumer Privacy Act (CCPA)
  • $2,500 per non-intentional violation
  • $7,500 per intentional violation or for offenses involving the personal information of minors under age 16
    Consumers are allowed to pursue private civil action against you.
Virginia Consumer Data Privacy Act (CDPA)
  • Up to $7,500 per violation
Brazil General Data Protection Law (LGPD)
  • Fines up to 50 million Reals (around $10 million) or up to 2% annual global revenue
Thailand Personal Data Protection Act (PDPA)
  • Fines up to THB 5 million (around $150,000)
  • Imprisonment up to one year and/or a fine of up to THB 1 million (around $30,000)
  • Punitive damages up to twice the amount of the cost of actual damages.
UAE Personal Data Protection Act (PDPA)
  • There are no standardized penalties yet, but they shall eventually be set in the Executive Regulations.
South African Protection of Personal Information Act (POPIA)
  • Fines up to 10 million ZAR (around $550,000) or up to 10 years in prison
Colorado Privacy Act (CPA) – in force July 1, 2023
  • No specific fines have been determined yet, but they’re expected to range between $2,000 to $20,000 per violation
Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) – in force July 1, 2023
  • Fines up to $5,000 per willful violation
  • Possible equitable remedies, including restitution, disgorgement, and injunctive relief
Utah Consumer Privacy Act (UCPA) – in force December 31, 2023
  • The consumer’s actual damages caused by the business’s violation of the law
  • A maximum fine of $7,500 per violation

The risks aren’t worth it, have an effective and compliant DPA in place to protect your consumers’ personal data and the integrity of your business.

Data Processing Agreement Examples

Let’s look at a couple of examples of data processing agreements to see how other companies meet the requirements of data privacy regulations, like the GDPR and the amended CCPA.

Example 1: LinkedIn’s Data Processing Agreement

The first sample data processing agreement we’ll consider comes from the professional networking website LinkedIn.

Below, see a screenshot of how they organize their agreement using a simple table of contents.

We like their logical structure, as this helps both parties verify that it covers all necessary stipulations and guidelines.

LinkedIn-Data-Processing-Agreement

They also clearly define all terms in their agreement, as shown in the screenshot below. This is an excellent idea because it clears up any confusion and limits the chances of misinterpretation.

LinkedIn-Data-Processing-Agreement-definitions

Later in the agreement, they use tables to communicate what categories of personal data get transferred from controller to controller compared to the data that gets transferred from the controller to the processor.

As shown below, this organizes complex information clearly, which helps ensure that every party signing the agreement understands the terms.

LinkedIn-Data-Processing-Agreement-organize-information

Example 2: Yahoo’s Data Processing Agreement

Next, let’s look at the DPA for Yahoo. In the screenshot below, notice that they avoid using large walls of text, making it easier to read and understand.

Yahoo-Data-Processing-Agreement

We like that their document is organized neatly, and the clear headings on the left make it easy to navigate through the sections.

Below, see how simply they phrase their clause explaining their obligations regarding European privacy laws.

Yahoo-Data-Processing-Agreement-obligation-European-privacy-laws

Finding the balance between clear language and legally compliant phrasing gets complicated, so use Yahoo’s DPA as an example of how to do this successfully.

Example 3: Mailchimp’s Data Processing Agreement

Finally, let’s look at the data processing agreement for the email marketing service Mailchimp.

They do a great job combining and communicating data processing contractual requirements from different pieces of legislation, a tricky balancing act.

Specifically, Annex C of the DPA clarifies their contractual obligations and requirements in the different terms used by the jurisdictions they are subject to — California and Canada — in addition to the GDPR.

Below, see their information regarding California data processing.

Mailchimp-Data-Processing-Agreement

Next, compare it to their information regarding Canadian data processing.

Mailchimp-Data-Processing-Agreement-Canadian-data-processing

Directly referencing data privacy laws like this is a great way to ensure you fully comply with all legal guidelines and requirements. Consider doing the same thing within your data processing agreements.

Tips for Negotiating a DPA

When negotiating a data processing agreement, you want to ensure the policy adequately follows all data privacy laws and outlines favorable business terms.

To successfully create a DPA that does both, we recommend the following steps:

Data Processing Agreement FAQ

Below, check out the most frequently asked questions we get about data processing agreements.

Are DPAs legally required?

No, technically, data processing agreements aren’t legally required, but they help businesses meet contractual obligations with third-party processors as outlined by data privacy laws like the GDPR, the amended CCPA, and the CDPA.

Is a Data Processing Agreement a contract?

Yes, a data processing agreement is a legally binding contract between a business and a third-party data processor. It explains the rights and obligations of each party concerning personal user data.

What is the difference between a Data Processing Agreement and a Data Sharing Agreement?

A data sharing agreement is typically between two data controllers — i.e., businesses — and outlines what happens to the data at each stage, how it gets shared, and how it’s used.

In contrast, a data processing agreement is a contract between a controller and a data processor that outlines security and safety measures and limits how the third party can use the data.

What is the difference between a Data Processing Agreement and a Privacy Policy?

A data processing agreement is a contract between a business and any third-party data processors to ensure user personal data is stored safely and used in ways that respect consumer rights.

In contrast, a privacy policy explains to your users what data you collect, use, and process and your legal basis for doing so.

How Do I Create a DPA?

You can create a data processing agreement using a managed solution, like a DPA generator, by downloading and customizing a free downloadable template, or by writing up the document yourself.

Summary

Having a DPA is a critical component of data privacy compliance under multiple laws, including the GDPR, the CCPA as amended by the CPRA, and more.

This legally binding contract helps you avoid hefty fines while building up trust with your clients by demonstrating that you and your data processor(s) are responsible and trustworthy.

Whether you choose to seek legal counsel, write one yourself, use a template, or access a data processing agreement generator, ensure your contracts abide by all relevant data privacy laws, appropriately limit your liabilities, and verify that any third-party processors you partner with are qualified to protect and store your consumers’ personal information adequately.

Etienne Cussol CIPP/E, CIPM
More about the author

Written by Etienne Cussol CIPP/E, CIPM

Etienne is an Information Privacy professional and compliance analyst for Termly. He has been with us since 2021, managing our own compliance with data protection laws and participating in our marketing researches. His fields of expertise - and interest - include data protection (GDPR, ePrivacy Directive, CCPA), tracking technologies (third-party cookies, fingerprinting), and new forms of privacy management (GPC and the Google Privacy Sandbox). Etienne studied International Economic Affairs at the University of Toulouse, and graduated with a Masters in 2017. More about the author

Related Articles

Explore more resources