Data Processing Agreement

by KJ Dearie

March 15, 2021


One of the key components of complying with the General Data Protection Regulation (GDPR) is having a Data Processing Agreement. A data processing agreement is a contract between a data controller and the third-party services it employs to process data on its behalf.

In this article, you will find out what a data processing agreement is, what it looks like, and why your business might need one.

Table of Contents
  1. What Is a Data Processing Agreement?
  2. Do I Need a Data Processing Agreement?
  3. Data Processing Agreement Examples
  4. What to Include in a Data Processing Agreement
  5. Next Steps

What Is a Data Processing Agreement?

A data processing agreement, also referred to as a data processing addendum, is a legal contract in which you determine the rights and obligations of the parties involved in the data processing.

Most of the time, that includes your business and third-party services you use.

Your business is the data controller, while any third-party company helping you collect and/or process data is the data processor.

A GDPR data processing agreement helps assure users that you’re taking ownership of the data collection process, including how processors working on your behalf treat data.

Do I Need a Data Processing Agreement?

You may need a data processing agreement in order to avoid GDPR penalties for non-compliance.

According to Article 83 of GDPR, businesses that do not follow GDPR requirements risk fines of up to $20 million or 4% of global revenue (whichever is greater). To avoid those risks, you need to follow the guidelines for GDPR compliance, including preparing a data processing agreement.

You need a data processing agreement if you meet the following qualifications:

  1. You have users in the European Economic Area (EEA).
  2. You collect or process user data.
  3. You use a third-party service to process data, or you provide third-party data processing services.

Data Processing Agreement Examples

Let’s look at a couple of examples of data processing agreements to see how other companies meet the GDPR data processing agreement requirement.

Example 1: LinkedIn’s Data Processing Agreement

Take, for example, LinkedIn’s data processing agreement:

[Screenshot: LinkedIn's Data Processing Agreement]

LinkedIn uses a minimalistic structure and ensures everything is short and to the point.

It’s not very user-friendly in terms of navigation, but it provides every part of the legal document in sufficient detail.

Example 2: Verizon’s Data Processing Agreement

Verizon Media’s DPA offers us another example:

[Screenshot: Verizon Media's data processing addendum]

The document is organized neatly, with headings on the left that make it easy to navigate through the sections.

As with LinkedIn’s example, Verizon Media’s DPA is not on the front page, unlike its other GDPR-related legal documents, such as its privacy policy.

You don’t need to put your DPA on the homepage of your website either, but you should link to it from related documents such as your GDPR privacy policy.

What to Include in a Data Processing Agreement

According to GDPR Article 28, Section 3, there are eight important points on any DPA checklist:

  1. The data processor agrees to process data only on the written instructions of the data controller.
  2. Everyone involved in the data processing commits to confidentiality.
  3. A list of all measures that guarantee the security of the data.
  4. The processor may not outsource its delegated functions to another data processor without the knowledge and consent of the controller.
  5. The processor must assist the controller in complying with GDPR, in particular with regard to its commitments to data subjects’ rights.
  6. The processor must assist the controller in fulfilling its duties under GDPR, namely Article 32 (Security of Processing) and Article 36 (Prior Consultation).
  7. Once the services have been terminated or the data has been returned to the controller, the processor must delete all personal data.
  8. The controller is entitled to audit the processor, who must provide all relevant information on request.

This might seem like a lot, but there are plenty of examples on the web for you to draw inspiration from. You can also check out the templates on the official GDPR website.

Next Steps

Having a DPA is an important component of GDPR compliance. It helps you to avoid hefty fines, while also building up trust with your clients by demonstrating that you and your data processor(s) are responsible and trustworthy.

Check out the official GDPR data processing agreement template to get started on creating a DPA for your business.

Written by KJ Dearie

KJ Dearie is a product specialist and privacy consultant for Termly, where she advises small business owners on how to comply with the latest data privacy laws and trends. She's been published in Business News Daily, Omnisend, ITProToday, MarTechExec, and more.