A plan that says how a company keeps people’s personal info safe and uses it the right way.
A Data Processing Agreement (DPA), also known as a Data Processing Addendum, is a contract between a company and an outside service provider that handles personal data for the company. The goal is to protect individual privacy rights by laying out the responsibilities of both the service provider, known as the “Data Processor,” and the company, known as the “Data Controller.” A DPA helps ensure that both the data controller and the data processor follow all relevant data protection laws, such as the EU’s General Data Protection Regulation (GDPR). It specifies, among other things, what and how data will be processed, and for what reasons, as well as security measures for protecting data and procedures to follow in the event of a breach.
A Data Processing Agreement, or DPA, is a contract between your company and any outside service that handles your customers’ personal information or personal data. The DPA makes sure that the service uses the data safely and legally. It’s important to have a DPA in place whenever you work with a cloud storage service, payment processing service, or any other service that touches sensitive customer data.
What is a DPA?
A DPA is a legally binding contract between your company, called the “data controller,” and a third-party service provider, called the “data processor.” Examples of a data processor include a payment processor, a cloud storage provider, or an analytics service, to name a few. Essentially, any company that can see or access data about your consumers would be considered a data processor.
Example: E-commerce and web hosting
Let’s say QuickShop, an e-commerce company, uses WebHost, a cloud service provider, to host QuickShop’s website and handle payments. QuickShop is the “data controller” and WebHost is the “data processor”. WebHost is considered a “data processor” because it handles data about QuickShop’s customers including their names, addresses, and payment details. A DPA between QuickShop and WebHost would cover WebHost’s obligations to protect this customer data.
How a DPA Protects Customer Data
A DPA sets forth the rules for protecting personal data, and helps make sure that the data processor follows your company’s instructions and follows data protection laws. Examples of data protection laws could be Europe’s GDPR (short for “General Data Protection Regulation”) or California’s CCPA (short for California Consumer Privacy Act). Your DPA outlines the specific terms under which the processor will work with your data. These terms include the nature and purpose of the processing, the types of personal data involved, and the duration of the processing activities.
Key Components of a DPA
A DPA needs to cover several points:
- Scope and Purpose of Data Processing: Clearly define the scope and purpose of data processing, specifying the types of personal data involved and the reasons for processing. This includes detailing the categories of data subjects and the specific data elements being processed.
- Duration of the Agreement: State when the data processing will start and when it will end. It should also say when you can terminate the agreement.
- Data Security Measures: Include robust data security measures and confidentiality obligations. This should cover encryption, access controls, and regular security audits to ensure the data is protected against unauthorized access, alteration, or destruction.
- Rights of Data Subjects: Set forth your customers’ rights, including the right to access, rectify, or erase their personal data. Establish procedures for handling data subject requests and ensuring compliance with data protection laws.
- Data Breach Procedures: Establish procedures for handling data breaches, including prompt notification to you, the data controller, and to relevant authorities, and steps to mitigate the impact of the breach.
- Use of Sub-processors: Govern the use of sub-processors by requiring the data processor to obtain prior written consent from the data controller before engaging any sub-processors. Ensure that sub-processors are bound by the same data protection obligations as the primary data processor.
- Liability and Indemnification: Include clauses addressing liability and indemnification to protect your company from potential legal and financial repercussions from data breaches or non-compliance by the data processor.
- Audit Rights: Make sure the DPA gives you, the data controller, the right to conduct audits and inspections of the data processor’s facilities and practices to ensure compliance with the DPA and applicable laws.
Why Your Company (Probably) Needs a DPA
A DPA helps you ensure legal compliance with data protection regulations, manages potential risks associated with data breaches or non-compliance, and helps demonstrate your commitment to data protection. A DPA builds trust with your customers and strengthens your brand reputation. Additionally, a well-crafted DPA can provide a clear framework for managing data processing activities, reducing the likelihood of misunderstandings or disputes between your company and a data processor.
Tips for Drafting and Negotiating DPAs
When creating or negotiating a DPA, focus on specificity and clarity. The agreement should clearly describe the scope of data processing and the responsibilities of each party. Focus on robust data security measures and breach notification procedures to mitigate potential risks. Consider jurisdiction-specific requirements when tailoring your DPAs, as data protection laws vary across regions. To ensure your DPA is comprehensive and legally sound, seek guidance from experienced legal professionals. Additionally, involve your commercial and procurement teams in the negotiation to align the DPA with your company’s overall business objectives and risk management strategies.
How to Avoid Common Pitfalls with DPAs
As explained above, a strong DPA has a lot of moving parts, so a lot can go wrong if you are not careful to ensure that all the important issues are covered when drafting it.
First and foremost, it’s crucial to use clear definitions, especially regarding what data can be processed and how exactly a data processor will process the data, and what the processor can and can’t do.
Second, the DPA needs to cover what happens in case of a data breach. Data breaches are an unfortunate fact of life for businesses, and your DPA needs to specify the exact steps to be followed in the event of a breach.
Third, following up on “what happens if something goes wrong,” one common problem with DPAs is that they don’t make clear who will cover damages and legal fees when something goes wrong and you wind up in a lawsuit. Your DPA needs to specify when and how the data processor will cover damages, legal fees, and costs.
Fourth, the DPA needs to cover how to handle things after the agreement is terminated. Not every business relationship lasts forever. Another common problem with DPAs is that they don’t specify exactly how data will be handled after a company parts ways with a data processor. It’s crucial to set this all up in advance. If you are parting ways with a processor, there may well be other problems with the business relationship. Don’t add to your troubles by waiting until the end of the relationship to negotiate all the steps for protecting your customer data.
Informational Resources about DPAs
Law Insider provides informational resources about contract drafting. To learn relevant contract insights from industry experts and attorneys, enjoy these free resources.