What Is a DPA (Data Processing Agreement) - and Are They Necessary?

A DPA is a legal document, a signed contract between a data controller and data processor that establishes both parties’ duties and obligations regarding the handling of customers’ personal data for business purposes in accordance with the applicable data protection laws and regulations.

• A data controller is the entity (natural person, business, or government body) that decides how personal data is processed and for which purpose.
• A data processor is the third-party service provider that processes the data on behalf of the data controller.

Data processing agreements are sometimes called data processing addendums or data protection agreements, but all three serve the same purpose.

In simpler terms, a DPA is a contract that regulates how user data is collected, stored, processed, accessed, protected, and used. It defines all the organizational requirements and technical requirements that are needed to protect personal data.

The ultimate purpose of a DPA is to protect the personal data of users and, in case of data breaches, hold the relevant companies responsible.

For example, let’s say you run a chain of pharmacies that delivers prescription medication. You decide to upgrade your system by transferring your data to the cloud and decide to hire a software company that provides cloud services and will create custom software to transfer and store that data.

The data you are storing also includes medical and other personal information of your patients. In this instance, you are the data controller and the software company is the data processor. Depending on the applicable laws in your state, you will likely need to sign a binding DPA with your data processor.

A data processing agreement is a comprehensive agreement that should cover all the obligations and responsibilities of the data controller and data processor. As such, it should include:

• General Information – Like all contracts, a DPA should include all the pertinent information regarding the signatories (i.e. company names, addresses, CID, and other identifying information). It should also include the definitions of the terms that will be used in the contract (e.g. who is classified as a customer/user).
• The scope, purpose, types of data, security measures – A DPA should define the scope of the personal data processing activities – both the duration and the geographical location of the processing. Then, it needs to clearly lay out the purpose of the data that is being processed. It should also include clauses that classify the way data that will be processed and the security measure that will be implemented to protect the given information.
• The rights of individuals – DPAs should also include provisions that lay out the rights of individuals whose personal data will be collected and processed.
• The obligations of the controller and processor – A DPA needs to define all the obligations and responsibilities of the signatories – the controller and processor – and how they will comply with the applicable laws.

Common DPA Clauses

Some common clauses that are found in DPAs are:

• The detailed purpose of the data processing;
• Detailed data processing instructions;
• The scope of the DPA;
• Applicable security measures;
• The obligations of the data controller;
• The obligations of the third-party data processor;
• Rules regarding sub-processors;
• The liabilities of the data controller, data processor, and sub-processor;
• The rights of individual users;
• Rights regarding data transfers.

Again, a DPA is a comprehensive legal contract, so it can include many more clauses than were listed here, depending on the need of the signatories.

A DPA can also be signed between a data processor and its users (these would be the common ‘contracts’ that most people skim, if that, and agree to when signing up for online websites). While this type of DPA is not the focus of this article, here is what HubSpot’s DPA with its users looks like, as an example.

We can’t talk about data processing agreements without taking a minute to mention the General Data Protection Regulation (GDPR) of the European Union, the most important European data protection law, as this legal act is often considered the main impetus for the spread of DPAs.

This regulation entered into force in 2016 but was only enforced in 2018. It is one of the toughest security and privacy laws in the world that targets all organizations that collect and process the data of EU citizens.

Thus, for example, if a US, Brazilian, Taiwanese, or Australian company collects and processes the data of people from, let’s say, France, it must comply with the GDPR, regardless of its home country. One of the stipulations of the GDPR is precisely the obligation between data controllers and processors to sign data processing agreements.

If companies do not sign DPAs or are otherwise in breach of the GDPR, they are liable to pay exorbitant fines. We’ve mentioned the GDPR as a model regulation and legal basis that mandates the signing of DPAs, but it’s far from the only one of its kind.

Other Regulations Mandating DPAs

Many laws worldwide obligate the data controller to provide binding instructions for the data processor on how to process data. The wording and the specific requirements of the laws vary, but they all boil down to the same thing – the need to sign a type of DPA.

There are so many laws that we can’t list them all here. So we’ll provide a couple of examples of such laws in the US:

• The California Privacy Rights Act (CPRA) of 2020, which came into effect in January 2023, amended the California Consumer Privacy Act of 2018 and expanded on the existing data privacy laws in California;
• The Colorado Privacy Act (CPR), which should enter into force on July 2023. As an example, an excerpt of the CPR (part (c) (II) (B)):

“Imposes an affirmative obligation upon companies to safeguard personal data; to provide clear, understandable, and transparent information to consumers about how their personal data are used; and to strengthen compliance and accountability by requiring data protection assessments in the collection and use of personal data.”

• The Virginia Consumer Data Protection Act (CDPA), which entered into force in January of 2023 and expands the protection of private data, in addition to the already existing laws like the Personal Information Privacy Act.

You might have noticed that all three examples we brought up are laws that are coming into effect this year. It’s safe to say that passing such laws is a current trend and that we can expect most states to have similar legislation in the near future.

DPAs are obligatory when the laws of the countries where the company does business require them. But as we’ve mentioned above, you can expect most countries to have such regulations in the next few years, so considering DPAs obligatory in most cases could be a wise move.

While signing a DPA may or may not be a legal obligation, they still have benefits even if they are not mandatory. Some of the benefits are:

• Ensuring the protection of citizens’ private data;
• Ensuring compliance with the applicable laws;
• Creating a clearly defined structure, including obligations, responsibilities, and liabilities, when personal data are being handled;
• Creating confidence among your customers that you are not abusing the data they provide.

In short, data processing agreements can be viewed as contracts that enhance the way private data are handled.