Organizations often rely on third-party service providers to process data on their behalf for a variety of purposes, such for managing customer relationships, handling payroll, conducting marketing campaigns, or analyzing website performance, to name just a few. While outsourcing these functions can help organizations work more smoothly, it also introduces risks associated with data privacy and security, such as data breaches or unauthorized access.<\/p>\n\n\n\n
A data processing agreement (DPA) helps mitigate these risks by outlining clear responsibilities for both parties, the entity that collects data and the third-party service provider that processes it on their behalf. It enables personal data to be handled securely and helps organizations maintain compliance with global data privacy laws like the European Union\u2019s General Data Protection Regulation (GDPR)<\/a> and the California Consumer Privacy Act (CCPA)<\/a>\/California Privacy Rights Act (CPRA)<\/a>.<\/p>\n\n\n\n We look at what a data processing agreement is, when it\u2019s required, and what must be included to achieve regulatory compliance.<\/p>\n\n\n\n A data processing agreement (DPA) is a legal contract between two key parties involved in the handling of personal data or personal information: the data controller and the data processor. It outlines the responsibilities of both parties and establishes clear guidelines for how data will be processed.<\/p>\n\n\n\n The data controller (or controller) is the entity, such as a business or other organization, that determines the purpose and means of processing personal data. It is responsible for ensuring that data processing complies with applicable laws.<\/p>\n\n\n\n The data processor (or processor) is a third-party entity that processes personal data on behalf of the controller and under the controller\u2019s instructions.<\/p>\n\n\n\n A data processing agreement is also known as a data privacy agreement, data protection agreement, or data privacy addendum. Some laws simply refer to it as a contract between the controller and processor.<\/p>\n\n\n\n The term \u201cprocessing\u201d refers to any operation or set of operations performed on personal data, whether manual or automated. The GDPR definition of the term includes \u201ccollection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction\u201d <\/em>as operations that constitute processing.<\/p>\n\n\n\n A data processing agreement (DPA) plays a central role in ensuring that personal data is handled properly when shared between a data controller and a data processor. Its purpose is to create a clear framework that protects personal data and aligns both parties with the requirements of data protection laws.<\/p>\n\n\n\n A DPA serves as a legally binding document that sets out the obligations of both the controller and the processor under applicable data protection laws. Some of the regulations that mandate a DPA include:<\/p>\n\n\n\n Since many of these laws have extraterritorial reach, even companies operating outside these regions may need to comply when handling personal data of people from within those jurisdictions. By having a DPA in place, businesses reduce the risk of legal penalties associated with noncompliance.<\/p>\n\n\n\n The DPA clearly defines the roles and responsibilities of the data controller and processor. It specifies how personal data will be processed, stored, and protected, helping to ensure the processor acts solely on the controller\u2019s instructions. This clarity helps prevent misunderstandings and helps ensure that both parties adhere to their obligations regarding data handling.<\/p>\n\n\n\n A DPA details the technical and organizational measures that both parties must follow, including specific security measures the data processor must implement. These can include encryption, access controls, and regular security audits, all designed to safeguard personal data from unauthorized access or breaches.<\/p>\n\n\n\n A DPA establishes clear procedures for handling personal data, including the engagement and use of sub-processors. It outlines specific provisions for data security, breach notification procedures, and the responsibilities of each party in the event of a data incident. This structured approach helps both parties know exactly what steps to take if a security issue arises, reducing the risk of delays or confusion during critical moments.<\/p>\n\n\n\n When personal data crosses borders, the agreement outlines the safeguards required to ensure that the data receives the same level of protection it would under domestic laws. This might include the use of standard contractual clauses (SCCs) when transferring data to countries that don\u2019t have robust privacy laws.<\/p>\n\n\n\n A data processing agreement is required whenever an entity that is acting as a controller and needs a DPA shares personal data with a third-party service provider for data processing purposes. The DPA must be signed prior to any data processing taking place.<\/p>\n\n\n\n Small businesses, sole proprietors, nonprofits, government organizations, and others must enter into DPAs if the following conditions apply:<\/p>\n\n\n\n If you collect or process data from an individual in the EU\/EEA, you must comply. For US states\u2019 privacy laws, check the compliance thresholds to determine if you must comply.<\/p>\n\n\n\n Entities that are considered data processors under the law and process personal data on behalf of and on the instructions of controllers must enter into a DPA with the controller.<\/p>\n\n\n\n Here are some examples of situations when a data processing agreement would be required:<\/p>\n\n\n\n Tracking cookies<\/a> often collect personal data like IP addresses and browsing behavior, which qualifies as personal data under many global data protection regulations. When businesses use cookies to gather this data, they often rely on third-party service providers, such as analytics or marketing platforms. This makes it necessary for businesses to enter into DPAs with these third parties to ensure that the processing of cookie data complies with applicable data privacy laws.<\/p>\n\n\n\n Under the GDPR, cookies that collect personal data require explicit consent from users, with the exception of strictly necessary cookies. If a business uses a third-party data processor to process data from cookies, the DPA should outline how that processor will handle personal data collected through cookies, including security measures and compliance with users' right to revoke or withdraw consent. Websites that collect personal data in this manner should use a consent management platform (CMP)<\/a> to obtain cookie consent<\/a>.<\/p>\n\n\n\n The CCPA\/CPRA doesn\u2019t require explicit consumer consent to collect personal information through cookies in many cases, with some exceptions, such as sensitive information and minors\u2019 personal information. However, consumers have the right to opt out of the sale or sharing of their personal information, and to limit the use or disclosure of sensitive information. If a business uses cookies to collect data that could be sold or shared, the DPA should include clauses that ensure the third party complies with the opt-out rights of consumers and provides transparency about data usage.<\/p>\n\n\n Scan your website to know which third-party cookies you use so you can check if you have DPAs in place with these entities.<\/p>\n <\/div>\n <\/div>\n What is a DPA?<\/h2>\n\n\n\n
What is the purpose of a data processing agreement?<\/h2>\n\n\n\n
Assists in meeting legal requirements<\/h3>\n\n\n\n
\n
Clarifies responsibilities of the parties<\/h3>\n\n\n\n
Helps protect data subjects<\/strong><\/h3>\n\n\n\n
Establishes protocols<\/strong><\/h3>\n\n\n\n
Facilitates international data transfers<\/strong><\/h3>\n\n\n\n
When is a data processing agreement required?<\/h2>\n\n\n\n
\n
\n
Cookies and data processing agreements<\/strong><\/h2>\n\n\n\n
\n Do you have DPAs with all your data processors? <\/h2>\n