A data processing agreement (DPA) is an agreement that regulates personal data processing conducted for business purposes.

Data processing includes any operation where data is collected, stored, recorded, organized, translated, communicated, or any other activity that processes personal data. Companies often hire third-party service providers to process and analyze data.

A DPA agreement is a legal document between the company and the third-party data processor that determines how the data is processed. A DPA sets requirements and conditions for how data is used, accessed, stored, processed, and protected. Any data identifying the person whose data is processed is subject to the DPA.

Are DPAs legally required?

A DPA is critical to data privacy compliance under multiple laws worldwide. For example, DPAs are a legal requirement in Europe under the General Data Protection Regulation (GDPR). 

GDPR is a privacy and security law that applies to any organization that targets or collects data related to people in the European Union. The DPA is a critical component of GDPR compliance and ensures a data processor handles data per GDPR guidelines. 

A DPA is valid either as a written agreement or in electronic form. A DPA is a legally binding document, and the data controller and processor must follow the contractual agreement or risk severe penalties.

Many data privacy laws worldwide require DPAs, but DPAs are not always a legal requirement. However, many industries and countries recommend DPAs to protect an organization’s data. 

Data privacy laws that require DPAs

While the GDPR popularized the data privacy law and requirement of DPAs, the following data protection laws also mandate DPAs:

  • Data Protection Act U.K.
  • California Consumer Privacy Act
  • Virginia Consumer Data Privacy Act
  • Brazil General Data Protection Law
  • Thailand Personal Data Protection Act
  • UAE Personal Data Protection Act
  • South African Protection of Personal Information Act
  • Colorado Privacy Act
  • Connecticut Personal Data Privacy and Online Monitoring Act
  • Utah Consumer Privacy Act
  • Dubai Personal Data Protection Act

Why are DPAs important?

Data is one of the most valuable assets of an organization, but most businesses rely on third parties to process personal data. DPAs ensure the appropriate security measures are in place to prevent potential data breaches, hacks, and abuse when a business entrusts its data to a third party. 

For example, suppose a company decides to outsource its data processing activities to an outside cloud service provider. The company and the outsourced cloud service provider would sign a DPA, which guarantees the third-party processor complies with data protection laws and prevents security incidents when processing the company’s data. 

DPAs are critical in maintaining global compliance, securing data, and protecting employers, employees, and customers.

Who signs a DPA?

The data controller and data processor must sign the DPA to maintain compliance with data privacy laws. The data controller and data processor must always work together to ensure maximum security for the data.  

Data controller

A data controller is the person or company that owns the data. The data controller hires a third party and provides access to process its data. For example, if a company hires a service provider to perform a data backup, the company in this scenario is the data controller.

Data processor

The data processor is a third-party service provider that processes data. The data processor processes data for the controller and must comply with the DPA terms. Looking back at the example above, the service provider performing the data backup is the data processor.

What are the key clauses of a DPA?

A DPA typically includes the following key clauses:

  • Scope and purpose of data processing
  • Subject and type of data that is processed
  • Definition of terms
  • Technical and organizational requirements
  • How the data is protected
  • Duration of the DPA
  • Responsibilities and rights of the processor 
  • Responsibilities and rights of the controller
  • Rights of individuals for their personal data
  • How compliance is maintained
  • Security measures for violating the DPA
  • Terms of contract termination

Still, specific contractual obligations vary depending on the data privacy act, organization, and country. 

Before a company signs a data processing agreement, it must verify the processor’s qualifications to store, process, and protect data adequately. A company must also ensure the DPA follows all applicable data privacy laws and meets the following standards:

  • Explicitly outlines how the processor can use the data
  • Ensures the processor can protect the data and quickly respond if issues arise
  • Verifies the scope of the data collection falls within the legal basis for processing data
  • Plans for international data transfers

Penalties for failing to sign a DPA

If a data processor mishandles data and a DPA is not signed, the data controller is liable for the data breach because they did not take adequate measures to ensure data protection. Failure to sign a DPA leads to severe penalties and consequences, including the following:

  • Hefty non-compliance fines
  • Damage compensation to data subjects
  • Imprisonment
  • Possible equitable remedies
  • Losing trust in customers
  • Reputational damage

For example, under the GDPR, penalties for non-compliance can result in fines between €10 million and €24 million or between 2% and 4% of annual global turnover, whichever is higher. Additionally, the penalty for violating the South African Protection of Personal Information Act is up to 10 years in prison. 

What happens if a security breach occurs?

The data processor must inform the data controller if a data security breach occurs. The data processor must not withhold information under any circumstances. It should also assist the data controller in subsequent data protection, perform an impact assessment, and cooperate with authorities if an audit occurs.

Under the GDPR, a data protection officer is appointed to the data processor to ensure they follow proper procedures in the event of a security breach.

Companies should seek legal counsel to ensure they have accurate and appropriate DPAs and are up-to-date and compliant with all relevant and local data privacy laws.


Legal Disclaimer: The information available in this guide does not, and is not intended to, constitute legal advice and is for general informational purposes only. You should contact your attorney to obtain legal advice with respect to any particular legal matter. Only your individual attorney can provide assurances that the information contained in this guide—and your interpretation of it—is applicable or appropriate to your particular situation. All liability with respect to actions taken or not taken based on the information in this guide is hereby expressly disclaimed. The content in this guide is provided "as is," and no representations are made that the content is error-free.



Related resources

A small legal team sitting in a conference room discussing international business law and considerations for expanding their business abroad

International Business Law: Understanding the Legal Aspects of Doing Business Abroad

Navigating international business law is one of the most challenging aspects of global expansion
Read this Blog
Hello Yellow case study
Case Study

Hello Yellow: Quickly and Compliantly Expanding Into New Markets

Discover how we helped Hello Yellow streamline global hiring and onboarding.
Read this Case Study
The Burj Khalifa skyscraper and surrounding skyline at sunset in Dubai, United Arab Erimates

What Is a W-8BEN Form? Complete Guide for U.S. Employers

In today's world of work, having a skilled workforce can mean tapping into talent pools across
Read this Blog