And why do you need one?
A Data Processing Agreement (DPA) is a contract between a company and its vendor. It regulates how businesses handle personal data, and is mandatory under GDPR.
When you collect personal data, you are a "Data Controller": you decide what is done with that data. Let's say you want to use a CRM tool like Hubspot. You need to send Hubspot your customers' personal data, such as email addresses and names. In return, Hubspot processes that personal data on your behalf. It is your "Data Processor" under GDPR.
So a Data Processing Agreement (DPA) binds the Data Processor and the Data Controller. It sets rules on how both parties should handle personal data. A DPA typically covers:
Under GDPR, any business processing the personal data of EU residents must have a DPA. That is, an agreement must be in place between the Data Processor and the Data Controller.
Let's say you are building a product like MailChimp, an email marketing service. You receive names and email addresses from your customers (the Data Controllers). You then handle that personal data as a Data Processor and send out emails. In this case, you need to sign a DPA with each of these customers.
Now, in B2B, it is very likely that you have a dual role, acting as both a Data Processor and a Data Controller. Say you use AWS to host these email addresses. Because you are now sending personal data to another business, you are the Data Controller and AWS is your Data Processor. In other words, AWS is your customers' Subprocessor.
As a business, you will need to:
You should prepare a DPA template to sign with your customers (the Data Controllers). Your customers can also ask to add special instructions to protect their own customers' data.
At ZenDPA, we created a DPA generator to help you draft a Data Processing Agreement for free. It is compliant with the EU's latest regulations, as well as the UK GDPR and the Swiss Federal Act on Data Protection. Answer a simple questionnaire, and you will receive your customized DPA template within 24 hours.