Data Processing Agreement (DPA)

August 13 09:12 2019 Print This Article

It’s practically not possible to run a business without processing personal data and exchanging it with other businesses. It may be website analytics software, cloud storage, CRM or marketing platform, and whether you are controller, processor, sub-processor or joint controller, you have to construct a lawful Data Processing Arrangement (DPA) with the party you exchange personal information. 

GDPR does not have legal restrictions on the form of the Data Processing Agreement, however, there are standard contractual clauses widely used by EU companies. Considering the complexity of the task, it’s advisable to have a data processing agreement as a separate document. 

Do I need to have a Data Processing Agreement?

If you exchange personal data with other parties, you should have a Data Processing Agreement in place. Articles 28 through 36 of the GDPR cover the requirements for data processing and data processing agreements. Let’s have a look at a bit more specific responsibilities of different roles. 


 The controller is responsible for establishing a lawful data process and observing the rights of data subjects. The controller defines the way how data processing takes place and at what conditions. The controller must have a data processing agreement with its processors. Example:Company A collects itself customer data and stores it in an online SaaS CRM system provided by company B. In such a case, company A is controller and company B is a processor.×Dismiss alert


The data processor should handle the data exclusively in the manner demanded by the controller.  Processor must have adequate information security in place, shouldn’t use sub-processors without the knowledge and consent of the controller, must cooperate with the authorities in the event of an enquiry, must report data breaches to the controller as soon as they become aware of them, must give the data controller the opportunity to carry out audits examining their GDPR compliance, must help the controller to comply with data subjects’ rights, must assist the data controller in managing the consequences of data breaches, must delete or return all personal data at the end of the contract at the choice of the controller, and must inform the controller if the processing instructions infringe GDPR. 


 Sub-processor performs data processing on behalf of the processor. Data processors should have a data processing agreement with any sub-processors they use. The processor shouldn’t engage sub-processors without the prior consent of the controller.Example:Company B provides an online SaaS CRM system, which is hosted on a platform of company C. As company B is the processor, company C is deemed as sub-processor.×Dismiss alert

Joint Controller

 Article 26 defines joint controllers as two or more controllers jointly determining the purposes and means of processing. Regardless of those arrangements, each controller remains responsible for complying with all the obligations of controllers under the GDPR. Joint controllers are not required to have a contract, but you must have a transparent arrangement that sets out your agreed roles and responsibilities. Such information should be available to data subjects.Example:A travel agency collects some portion of customer’s personal information (name and email) to book a hotel, then hotel collects the rest of information (address, verifies ID, etc). As both perform a part of the same process, they are joint controllers..×Dismiss alert

 What should be included in a data processing agreement?

Articles 28 through 36 of GDPR set conditions of data exchange and conditions of personal data between controller and processors. Here are the most important subjects you have to cover in your data processing agreement.

  • Personal information processed under the contract
  • For how long that information will be processed and when it should be deleted or anonymised
  • Reasons and legal basis of personal data processing
  • The rights and responsibilities of the data controller and processor
  • The processor must act in accordance with written instructions of the controller
  • Confidentiality of processed personal data
  • Obligation to have adequate information security in place, technical and organisational measures to be met
  • The requirement to use sub-processors only with the data controller’s knowledge and consent. The processor must provide a list of sub-processors for controller’s approval.
  • Processors have to report data breaches to the controller as soon as they become aware of them, without undue delay
  • The processor should allow the data controller to carry out audits examining their compliance
  • Cooperation of controller and processor for the purpose of resolving subject access requests
  • Cooperation of controller and processor for the purpose of protecting the rights and privacy of data subjects
  • Data processors should assist data controllers in data protection impact assessments where applicable
  • Data processors should delete or return the personal information after the end of the contract at the choice of controller
  • If required by GDPR, the data processor shall appoint a Data Protection Officer
  • The data processor shall keep records of processing activities
  • The processor must inform the controller if the processing instructions infringe GDPR
  • Procedures of periodic review

This article was originally posted here:

  Article "tagged" as:
view more articles

About Article Author

write a comment


No Comments Yet!

You can be the one to start a conversation.

Add a Comment