Everything you need to know about data processing agreements, including the key clauses to include
Definition of data processing agreement
A data processing agreement (sometimes called a DPA agreement) is a legal contract between a controller (a party who determines the purposes and means of the processing of personal data) and a processor (someone who is using that personal data in accordance with the controller's instructions).
As an example, a creative design agency that has employees may use a payroll provider to manage its payroll. The agency will decide everything about payments being made, but will use the payroll provider in order for the payments to actually be made. In this case, the agency would be the controller of employees' payroll data, and the payroll company would be a processor. As there is a controller to processor relationship here, a data processing agreement is required by data protection laws.
Benefits of having a data processing agreement
Legal requirement - Article 28 of the UK GDPR requires that contractual terms are put in place for all controller to processor relationships. Failure to have a contract in place that contains the mandatory terms set out in the UK GDPR will be a breach of data protection laws. Breaching data protection laws can have dire consequences for your business - whether that’s hefty fines, claims from data subjects or damage to your reputation.
Protect your business’s personal data - a data processing agreement will include obligations for the processor to implement and maintain various security measures. This will ensure that your personal data is protected from unauthorised access, preserve its integrity and quality, and ultimately reduce the risk of data breaches.
Show that you take data protection seriously - one of the key principles of the UK GDPR is the accountability principle. This principle requires that organisations put in place appropriate technical and organisational measures and be able to demonstrate, when requested by a data protection regulator, what measures they took and how effective those measures were. One of these measures can be a data processing agreement, as it clearly defines the role and responsibilities of a processor when personal data is being shared with them. If your business is investigated by the ICO (the data protection regulator in the UK), having data processing agreements in place with processors can help to demonstrate compliance with the accountability principle.
Ensure consistency across your processor relationships - businesses often engage a number of different processors as part of their business operations to process personal data on their behalf. This could include cloud hosting providers, payroll providers, consultants, CRM systems and other software providers. Having the same form of data processing agreement in place with every processor can be key to managing processor relationships consistently. Using the same form of document enables a controller to ensure that all of its processors are being held to the same standards and process its personal data in the same way.
Build customer trust - if you are a processor of personal data on behalf of your customers as controllers (e.g. if you are a software provider), then having a high-quality data processing agreement in place can help to build trust with your customers and strengthen customer relationships. It demonstrates to your customers that you understand how important protecting their personal data is, and that your business has appropriate safeguards in place to act as their processor.
Key clauses and terms
Mandatory clauses - the UK GDPR specifies certain mandatory clauses that must be included in a data processing agreement. To make sure that you include all of the mandatory clauses in your data processing agreement, use our handy checklist.
Sub-processors - a process should be included in a data processing agreement that sets out how and when sub-processors can be appointed by the processor. Sub-processors are any third parties that will process the personal data under the agreement on behalf of the processor (e.g. software providers, cloud hosting providers, group companies, consultants). Find out more about appointing sub-processors with these FAQs.
International transfers - data protection laws include specific requirements and rules where personal data is being transferred outside of the UK and EEA. A well-drafted data processing agreement will include a clause on international transfers that includes a clear process that must be followed in the event the processor wants to transfer personal data outside of the UK and EEA - this could range from an absolute restriction on international transfers to requirements to put in place specified safeguards in order for the transfer to be allowed.
Liability and indemnity - given the potential financial losses that could arise from a personal data breach, as a controller you may want to include an indemnity in your data processing agreement. A data protection indemnity provides a remedy for the controller to recover losses from the processor where the processor has breached the terms of the agreement, leading to such loss. For example, if the processor fails to maintain security standards that are set out in the data processing agreement and that leads to a loss, the controller will want to be able to recover those losses via a contractual indemnity (a contractual promise to pay).
Termination and actions on termination - purpose limitation is a key principle of data protection laws. It means that personal data should only be processed for as long as is necessary for a specific purpose - when that purpose finishes, the processing should come to an end. A data processing agreement should therefore have a clear mechanism for it to end when the purpose ends, so that the purpose limitation principle can be complied with. Data protection laws also require that a data processing agreement includes a clause that deals with what will happen to personal data on termination - this could be that it is returned to the controller or alternatively it could be that the personal data is irretrievably deleted.
What other agreements might be relevant?
A data processing agreement should be entered into where there is a controller to processor relationship (i.e. there is one party processing personal data on behalf of the other party).
However, sometimes personal data is shared between parties on a controller to controller basis. In these circumstances, a data sharing agreement should be entered into instead.
Final thoughts
As well as enabling your business to comply with data protection laws, a high-quality data processing agreement can also bring many other benefits to your business, from boosting your brand to ensuring security is at the heart of your business. Well-drafted DPA agreements can be central to your business’s privacy practices.
Docue’s data processing agreement (UK) has been drafted by privacy lawyers - it contains lawyer-drafted guidance notes throughout so that you can easily create a customised data processing agreement in just minutes. Make sure your business is on top of its privacy practices and compliant with data protection laws by using Docue’s dpa data processing agreement.