Are you a data controller working with a data processor or vice versa? If so, you need to document your relationship in writing with a Data Processing Agreement (DPA).
The GDPR focuses on holding data controllers accountable for the way they collect, store, share, and delete data. Data controllers also hold the responsibility for the data processors they contract with to perform processing on their behalf.
But how do you show data processors what you expect from them? With a Data Processing Agreement.
How do you write a GDPR DPA? Keep reading for a helpful guide and our downloadable template.
- 1. When and Why You Need a Data Processing Agreement
- 2. What to Include in Your Data Processing Agreement
- 2.1. Article 28: You Need a Data Processing Agreement
- 2.2. Article 29: Authority of the Controller Clause
- 2.3. Article 30: Records Clause
- 2.4. Article 31: Cooperating with Supervisory Authorities Clause
- 2.5. Article 32: Security of Processing Clause
- 2.6. Article 33: Personal Data Breaches Clause
- 2.7. Article 34: Communicating Data Breaches
- 2.8. Article 35: Data Protection Impact Assessment
- 2.9. Article 36: Prior Consultation Clause
- 3. Summary
A GDPR Data Processing Agreement is a contract that outlines what data controllers need from data processors to remain compliant with the GDPR. These aren't just good business practices. The legislation requires the contract and it also asks controllers to include specific clauses to keep everyone on the same page.
When and Why You Need a Data Processing Agreement
A Data Processing Agreement comes into play whenever a data controller works with a data processor.
The contract outlines what a controller expects from the data processor and your legal obligations according to privacy legislation. As a whole, a Data Processing Agreement outlines a chain of responsibility between the two of you.
The GDPR requires you to use the Data Processing Agreement to outline all responsibilities and liabilities within the legislation.
Why is this so important?
Not only is a Data Processing Agreement referenced specifically in the law, data controllers have an obligation to work with data processors who can provide a guarantee that they are in compliance with the GDPR.
What to Include in Your Data Processing Agreement
The GDPR outlines what types of information impact the controller-processor arrangement need in Article 28 through Article 36. You'll want to add most of these provisions to your Data Processing Agreement.
To see what goes into your DPA, let's break the law down article by article.
Article 28: You Need a Data Processing Agreement
Article 28(3) specifically states that "processing by a processor shall be governed by a contract or other legal act under Union or Member State law."
In addition to mandating a contract, it provides a useful outline of what's required within the contract.
As a rule, the Data Processing Agreement binds the processor to the controller, and the law states that you must stipulate:
- Nature of the processing
- Purpose of the processing
- Types of personal data processed
- Categories of data subjects included
- Obligations and rights of the controller
It then goes on to set for the following requirements:
- Processors may only process data according to documented instructions from the controller
- Processors may only transfer data to a third country with permission unless an EU or Member State law requires them to do so
- Processors must ensure those working with data understand confidentiality or have signed a binding confidentiality agreement
- Processors must follow all essential measures in Article 32
- Processors must seek authorization to hire another processor
- Processors must help controllers comply with Articles 32 to 34
- Processors must provide the measures to allow the controller to respond to exercises in data subject rights
- Processors must agree to delete or return all data when the contract ends
- Processors must agree to provide controllers with everything needed to demonstrate GDPR compliance
We cover all these over the next few sections, so don't worry about them right now.
Before adding in the specific terms that dictate the minute details of your working relationship, you must start the contract by defining that relationship:
- Identify the activities covered by the contract
- Note the nature of the processing
- Provide the scope of the processing
- Share the duration of the processing (start and end date)
- List the data categories to be processed
- Define your data subjects
- Identify whether you will transfer or store data outside the EU
- Write the contract terms
- Outline the conditions of contract termination
To see what this looks like in practice, let's turn to HubSpot's Data Processing Agreement, which it published within the legal section of its website. It covers almost all the clauses discussed above as well as its own terms that are unique to its operations and legal package.
We added HubSpot as an example because the Data Processing Agreement provides an excellent example of the introductory identifying clauses described above.
Under the "Details of the Processing" section Hubspot identifies:
- Categories of data subjects
- Types of personal data
- Type of processing and nature of processing
- Duration of the processing agreement
It doesn't go granular with heavily detailed information, but that's ok. It doesn't need to do so because it works with such a wide variety of clients across a huge swath of industries. However, if you use the Data Processing Agreement as the sole processing agreement with your processor in lieu of any other document, then you should be as specific as possible.
Article 29: Authority of the Controller Clause
Article 29 is short and sweet. It reiterates the importance of the processor following the explicit instructions provided to them by the controller or by a processor that legally hired them.
In other words, if the data controller does not provide for a specific processing activity within the contract, you cannot perform the processing unless you seek explicit approval.
It is worthwhile to add this to your GDPR Data Processing Agreement to reiterate it to processors.
For example, VoluumDSP (Codewise) notes in its Data Processing Agreement that its clients are the data controller and it's the data processor. As such, "Codewise will only Process Personal Data on your behalf and in accordance with your instructions."
Article 30: Records Clause
Article 30 covers an often-overlooked aspect of the GDPR - recordkeeping.
The GDPR wants full records of processing activities for transparency to both regulatory authorities and data subjects. What does Article 30 say you must keep records of?
Data controllers must keep records of the following:
- Contact details of the controller (and joint controller, representatives, and DPO where applicable)
- Description of the purpose of the processing
- List of data subject categories
- List of personal data categories
- List of recipients who received the data
- Any transfers to third countries or international organizations (and safeguards used when applicable)
- Declared time limits for data erasure for each data category
- General description of security measures (both technical and organizational) as described in Article 32
Data processors need to keep records of these details:
- Name and details of the processor
- Name and details of the controller and/or processor that contracted the processor
- List of processing categories prescribed by the controller
- Description of transfers to third countries and international organizations (and safeguards used)
- General description of security measures as described in Article 32
Your Data Processing Agreement should remind the data controllers/processors you hire of the necessity to keep the records listed above.
SEMRush describes its compliant record keeping activities within its Data Processing Agreement.
It simply says that SEMRush, as a processor, will keep the records required of it by the relevant legislation and that those records will be available for proof of compliance and for exercising data subject rights.
Article 31: Cooperating with Supervisory Authorities Clause
Article 31 requires that both data controllers and processors must comply with supervisory authorities when requested.
The article seems simple, but it requires some discussion within your Data Processing Agreement. It doesn't matter whether you are the controller or processor, both of you need to support the other in compliance.
All you need to do is state that you will take the appropriate precautions (such as noting Article 30 and Article 32 elsewhere) and that you agree to help with compliance.
Twitter's Data Processing Agreement provides a helpful example. Twitter says that it agrees to "provide reasonable cooperation and assistance to You in respect of Your Obligations regarding" requests from law enforcement, data breaches, data subject rights, and supervisory authority requests:
Article 32: Security of Processing Clause
Article 32 lays out the security measures processors must take to comply with the GDPR and protect data subjects. The article applies to the controller and processor equally, and it requires you to provide measures that "ensure a level of security appropriate to the risk."
These may include:
- Processes for ensuring resilience, availability, and confidentiality
- Processes for restoring personal data after an incident
- Processes for testing the effectiveness of the above measures
Both the controller and the processor must also ensure that anyone working with the data (or who has access) only processes the data as per the instructions for the controller (as noted in Article 29).
HubSpot lays out its security features in its Data Processing Agreement like this:
Article 33: Personal Data Breaches Clause
Article 33 outlines what the controller must do when it becomes aware of a personal data breach.
To ensure transparency and accountability, data controllers have 72 hours to report security incidents after identifying them. Processors must report any security events to the controller "without undue delay."
When you report the data concern to the supervisory authority, you must include the following information:
- Nature of the personal data breach (include data categories, number of people concerned, and number of records concerned)
- Data controller's DPO details
- Description of the potential consequences of the incident
- Description of measures available or taken to address the issue
Data controllers must also document data breaches and keep the records available for the supervisory authority should they be requested.
If you add details from Article 32 regarding cooperation with supervisory authorities to your Data Processing Agreement, then you have already complied with part of Article 33. Additionally, adhering to Article 31 (security requirements) will also cover you for part of Article 33.
You should still make sure to include a clause that instructs data processors to notify data controllers of any personal data breaches with undue delay.
LinkedIn has a clause in its Data Processing Agreement where it covers all security-related issues, including security measures and notification of personal data breaches.
Article 34: Communicating Data Breaches
If you're a data processor and you experience a data breach, you must report it to:
- The Data Controller
- The supervisory body
- Data subjects (if applicable)
While reporting breaches to the controller and supervisory bodies are non-negotiable, you may not need to report it to data subjects. Article 34 lays out the conditions for telling data subjects as follows:
"When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay."
In some cases, the supervisory authority may require you to report it to customers if you haven't already.
Article 35: Data Protection Impact Assessment
The article requires data controllers and processors to undertake a DPIA when a processing activity is considered high risk. You must complete a DPIA before processing.
What processing activities are included? The GDPR doesn't say, but it does give three scenarios where you might need one:
- When the activity includes automated processing (and profiling)
- When the activity features large scale processing of special categories of data or data related to criminal convictions and offences
- When the activity includes systematic monitoring on a large scale
Your supervisory authority may also add operations to the list that require a DPIA, so you should be sure to check with them before adding a new processing activity.
Because the law largely applies to data processors, you can require the processor/controller to take the initiative to perform the activity when required.
Voluum DSP does just this in its Data Processing Agreement by listing impact assessments as an activity that each party must undertake to comply with the legislation:
Article 36: Prior Consultation Clause
Article 36 follows the DPIA issue raised in Article 35, which referred to reporting to the supervisory authority. It holds that controllers must consult with supervisory authority whenever a DPIA presents a high risk and the controller wants to process the data anyway.
The rest of the clause refers to the process followed when the controller and supervisory authority work together to determine whether the processing can go ahead.
As with Article 35, you do not need to include a clause like this in your Data Processing Agreement. However, if you are the data controller, you must be aware of it and communicate the process with the processor to avoid inadvertently participating in high-risk processing activities.
A GDPR Data Processing Agreement is a mandatory contract that every data controller or data processor needs to have in place when working with another controller or processor.
In it, you need to state precisely what is expected from each party to create a clear chain of responsibility. This will help keep the data processed under the agreement more safe and secure, and will help keep you compliant with the GDPR.
Make sure you aren't processing data or sharing data with processors without having this agreement in place and signed by both parties.