What is a Data Processing Agreement (DPA)?

And why do you need one?

A Data Processing Agreement (DPA) is a contract between a company and its vendor. It regulates how businesses handle personal data, and is mandatory under GDPR.

When you collect personal data, you are a "Data Controller" and you decide what to do with these data. Let's say you want to use a CRM tool like Hubspot. You need to send Hubspot your customers' personal data like email addresses and names. In return, Hubspot is processing these personal data for you. It's your "Data Processor" under GDPR.

So a Data Processing Agreement (DPA) binds the Data Processor and the Data Controller. It sets rules on how both parties should handle personal data. A DPA typically covers:

  1. General information. This can include the nature of the processing activities, the duration, data types, terms of contract termination, etc.
  2. Responsibilities of the Data Controller. The controller instructs the processor on how the personal data should be handled.
  3. Responsibilities of the Data Processor. The processor must follow the security instructions from the Data Controller and GDPR, including data security protocols, data breach reporting, deletion or returning of data, etc.
  4. Data Protection Measures. Data processors should also set up security measures to ensure data security.

Who needs a DPA?

Under GDPR, any business processing personal data of EU residents must have a DPA. That is, an agreement must be in place between the Data Processor and the Data Controller.

Let’s say you are building a product like MailChimp, an email marketing service. You receive names and email addresses from your customers (as Data Controller). You then handle these personal data as a Data Processor and send out emails. In this case, you need to sign a DPA with each of these customers.

Now in B2B, it’s very likely that you have a dual role - both as a Data Processor and a Data Controller. Say you use AWS to host these email addresses. Because you are sending personal data to another business now, you are the Data Controller, and AWS is your Data Processor. In other words, AWS will be your customers' Subprocessor.

As a business, you will need to:

  1. sign a DPA with each of your customers - as Data Processor
  2. sign a DPA with all your processors (or subprocessors for your customers) - as Data Controller

Creating a DPA as a service provider (Data Processor)

You should prepare a DPA template to sign with your customers (Data Controller). Your customers can also ask to add special instructions to protect their customers' data.

At ZenDPA, we created a DPA generator to help you draft a Data Processing Agreement for free. It's compliant with EU's latest regulations, as well as UK GDPR and Swiss Federal Act on Data Protection. Answer a simple questionnaire, and you will receive your customized DPA template within 24 hours.