Knowledge - 09 June 2021 | By TermsHub

Updated at: 09 December 2021

What is Data Processing Agreement (DPA): The Essential Guide

What is Data Processing Agreement (DPA): The Essential Guide

Data is crucial in most companies as these serve as a basis for internal and external activities. As they are very susceptible to breach that may threaten the business and other third-party attacks, the company must have strong security measures while adhering to the guidelines of the General Data Protection Regulation (GDPR). One of the ways to impose security measures is through the signing of a Data Processing Agreement (DPA).

Definition of Data Processing Agreement (DPA)

Personal data include but are not limited to the individual’s name, area of residence, age, date, of birth, and contact information. GDPR is the legislative framework aiming to establish standards for collecting and managing these data through DPA signing.

Data Processing Agreement (DPA) is a legal contract between the data controller and data processor guaranteeing that the data processor will appropriately handle the data provided by the data controller under the rules of GDPR. This states the liabilities and obligations of both the data controller and data processor, the purpose and the extent of data processing, and the relationship between the aforementioned parties.

This may or may not be separate from the primary contract. However, it is a good idea to make it a supplementary document or annex to the primary contract due to its intricacy.

Furthermore, a DPA must be signed if the data processor intends to redistribute to another entity, or the sub-processor, the consumer data. This is to ensure that the entity they chose to work with can provide safe and secure data processing.


All business entities collect and process data as well as exchange these data with other parties. Because of this, DPA needs to be accomplished to ensure that there will be no misuse of personal data. Suppose the data controller shares personal information from an outside source, for instance, an entity that is not part of the European Union (EU). In that case, it is vital that this external source processes data in compliance with the GDPR, which can be done by letting them sign a DPA.

Failure to accomplish DPA may lead to data breach and misuse, posing threats to both the company and the individual who owns the data to be processed.

As the data controller, if you operated under the GDPR and signed the DPA and the third-party entity with whom the data processor shared the personal information happened to mishandle the data, you are offered legal protection through the DPA. This leaves the data processor responsible for the consequences incurred as they failed to follow the procedures.

On the other hand, if you failed to sign the DPA as the data controller, you are held liable for the misuse of data as you didn’t take appropriate data security precautions.

Consequences of both these situations include loss of trust from clients as you leak their personal information and paying a fine according to the guidelines set by the GDPR, depending on the degree and kind of infraction.

When is it necessary to sign a DPA?

The signing of a DPA is a necessity whenever you require another entity to process the data you have obtained as the data controller. It guarantees that both parties will do their tasks under the rules of GDPR to avoid a possible data breach in the future and other anomalies that may endanger the consumer’s personal information.

Is there a need for processors to sign a DPA with their sub-processors?

Sub-processors are entities contracted by the data processor to process the data provided by the data controller. If the data processor utilizes a sub-processor, they must sign a DPA with their sub-processor to safeguard the data that will be processed along with them.

Definition of data processing

Data processing entails collecting, organizing, sorting, monetizing, and deleting the client’s personal information. This also includes any other actions performed in handling the data which are not mentioned. Since the data to be processed is delicate, the data controller and data processor must adhere to the guidelines of GDPR during data processing.

Who is the data controller?

The data controller obtains, collects, and gathers personal information from the consumers. Along with this, they have the responsibility of ensuring that the rights of these citizens are protected and respected. Moreover, they need to provide instructions for the data processing procedures as well as the conditions to be followed by the data processor.

Who is the data processor?

The data processor, also known as the data importer, handles the data obtained by the data controller. They are only permitted to perform and process the personal information that the contract with the data controller allows them. Moreover, the data processor has no right to use sub-processors without prior consultation and consent from the data controller. Duties and obligations of the data processor consist of, but are not limited to the following:

– Return or destroy the processed data to the data controller when their duties are no longer required depending on the preference of the data controller.

– Inform potential data breaches to the data controller as soon as possible.

– Be held liable along with the data controller in the event of a data breach.

– Notify the data controller of the violations in the GDPR upon the data processing.

– Maintain the rights of the clients along with the data controller.

– Allow the data controller to conduct GDPR compliance audits.

A few data processors utilize sub-processors that assist in processing the data, following the GDPR rules and regulations. As mentioned above, the data processor is prohibited from using sub-processors without the authorization and approval of the data controller.

What should a DPA include?

The DPA has no specific format though its content should cover Articles 28 (Processor) throughout Article 36 (Prior Consultation) of the GDPR. In most countries, DPA is not legally required but strongly recommended in contrast with European countries that legally require DPA.

Signing a DPA before the data processing is crucial so that both parties recognize their roles and obligations. Furthermore, it will protect the business entity and the welfare of the consumers who shared their data.

The sections that must be included and stated in the DPA are the following:

  • General Clauses
  • Obligations of the Data Controllers
  • Obligations of the Data Processors
  • Technical and Organizational Measures
  • Sub-contractual Relationships
  • Final Clauses
  • Annexes

The General clauses section includes the terms and conditions of the contract upon the agreement of both parties. This shall entail all the activities required to process the data to be provided by you (the data controller), the owner of the data to be processed, for instance, patients, insurance clients, and employees, the type of data to be processed, for example, demographic information or IP addresses, and the conditions for the termination of the contract.

The Obligations of the data controllers section shall include all the duties and responsibilities of the data controller according to Article 24 of the GDPR, which are as follows:

  • The data controller shall practice technical and organizational measures in the data processing to ensure that all operations comply with the GDPR. This shall include but is not limited to the implementing measures for data protection guidelines to secure the citizen’s rights.
  • The data controller shall provide the data processors the directives the latter shall strictly adhere to regarding the processing of data.

Meanwhile, the Obligations of the data processor section that shall be entailed in the DPA as stated in Section III of Article 28 (Processor) of the GDPR as follows:

  • The data processer shall only perform processing of the data and other essential operations related to it upon the consent of the data controller. Given this, they are strictly prohibited from using personal information outside the demands of the data controller.
  • All the personnel tasked to handle the data should commit and uphold confidentiality.
  • The data processors shall practice security measures under Article 32 (Security of Processing) of the GDPR.
  • As stated in Sections II and IV of Article 28 (Processor), the data processor is forbidden to use sub-processors without prior consultation with the data controller as well as without the data controller’s authorization.
  • The data processor shall assist the data controller in upholding their obligations adhering to the GDPR, such as securing the data rights.
  • The data processor shall assist the data controller with regards to Article 32 (Security of Processing of the Data) and Article 36 (Prior Consultation) of the GDPR.
  • At the end of the contract, the data processor is compelled to delete or return, depending on the data controller’s choice, all the processed data.
  • The data processor must submit to the data controller if the latter wishes to conduct audits and inspections to check if the former adheres to the agreements in the DPA and operates according to the rules of the GDPR.

The Technical and organizational measures section shall include all the precautionary and security measures the data controller shall execute in handling the personal data to avoid third-party attacks and data breaches. It is recommended to include this section in the annex of the contract. According to Article 32 of the GDPR or the Security of Processing, the measures that should be implemented are as follows:

  • Encryption and pseudonymization of the personal information obtained shall be employed.
  • Confidentiality, integrity, availability, and resilience shall be maintained during the processing of data.
  • In the case of physical or technical issues, the personal data shall be quickly restored.
  • There shall be a procedure for testing, measuring, and evaluating the efficacy of the current technical and organizational measures regularly to guarantee the security of the processing of data.

The Sub-contractual relationships section would include the terms and conditions if the processor opted to use a sub- processer in the processing of the data. It is recommended to include the list of the sub-processors in the annex of the contract. This section shall include the following obligations:

  • Prior to engaging with sub-processors, the data processor shall first acquire authorization from the data controller.
  • The data controller is in charge of checking if the sub-processor operates under the GDPR.
  • The processor-sub processor contract shall have an equivalent degree of data protection offered by the DPA between the data processor and data controller.

The Final clauses section consists of other necessary information and shall state that both parties must agree to any modifications of the contract.

Lastly, the annexes section shall include the contractual agreements such as the technical and organizational measures and a list of sub-processors.

Fines for non-compliance with the DPA

Authorities levy fines and penalties to entities, be it small-scale or large-scale, who failed to secure or violate a DPA. There are two levels of penalties depending on the extent and type of offense. GDPR guidelines for data processor infractions which generally come under the first tier, impose €10 million or 2% of the company’s global revenue. For other violations, these can range up to €20 million or 4% of the company’s global revenue.