GDPR Data Processing Agreement Template
In the days before the General Data Protection Regulation (GDPR), contracts such as Data Processing Agreements were simpler and maybe even disregarded altogether in some cases. However, these contracts can no longer be overlooked.
If your database contains information from European Union residents, a GDPR Data Processing Agreement will be a legal obligation if you wish to work with any data processing providers.
- 1. What is a GDPR Data Processing Agreement?
- 2. When is a GDPR Data Processing Agreement Necessary?
- 3. What Should a GDPR Data Processing Agreement Include?
- 3.1. Introduction
- 3.2. Definitions
- 3.3. Scope & General Details
- 3.4. Confidentiality
- 3.5. Responsibilities of the Controller
- 3.6. Responsibilities of the Processor
- 3.7. Data Security
- 3.8. Data Transfers
- 3.9. Data Subject Rights
- 3.10. Sub-Processors
- 3.11. Data Retention & Deletion
- 3.12. Audits
- 3.13. Governing Law
- 3.14. Optional Appendices
What is a GDPR Data Processing Agreement?
A GDPR Data Processing Agreement (DPA) is a contract agreed upon by a data controller and the data processor that handles the controller's consumer data. In case you're not familiar with these terms, here are some general definitions:
- A data controller is an entity that collects consumer personal data in order to fulfill a service or purpose for that consumer, for example data collected from a customer and used to process an online order. If you decide to collect such information and then collect it, you are considered the owner or "controller" of that information.
- A data processor is an entity contracted by the data controller to process that data according to specific instructions from the controller.
Under the GDPR, both parties are responsible for upholding privacy law.
The data controller should ensure that the data processor handles personal information with adequate security and GDPR-compliant practices.
A data processor must not process data in a way that violates privacy regulations, even under the instructions of the data controller. In this way, both parties are expected to uphold compliant privacy standards.
A GDPR Data Processing Agreement helps to ensure that both parties understand their responsibilities under applicable privacy laws and both follow through with their legal and professional obligations.
When is a GDPR Data Processing Agreement Necessary?
A GDPR Data Processing Agreement will be necessary any time a data controller hires a data processor to fulfill data processing services.
Here are some common examples of this type of arrangement:
- Marketing analytics services
- Mailing or advertising services
- Customer relationship management (CRM) services
- Customer data platform (CDP) services
While there are many more types of data processing services, these are just a few common examples to illustrate the types of situations that call for a GDPR Data Processing Agreement between both parties.
Furthermore, this is not simply a suggestion. According to GDPR Article 28:
"Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller."
Article 28 then goes on to state the following conditions for DPA contracts, under which the processor is required to:
- Process the consumer data only on documented instructions from the controller
- Agree to keep all personal data confidential
- Implement security measures appropriate to the risk
- Request written consent from the controller before engaging the services of another data processor
- Fulfill EU consumer rights wherever possible
- Inform the data controller immediately if their requests or instructions infringe on GDPR policy in any way
- Delete or return all personal information after the contract has ended
- Make available any information necessary for the controller to comply with the GDPR and respond in the case of an audit
These requirements will not only be enforced on companies that are located in the European Union. Any company that collects the personal information (including IP address or geolocation data) of EU residents will be expected to uphold GDPR regulations.
As you can see, a Data Processing Agreement is not merely a practical necessity for any business that contracts data processing services. It is also required and enforceable by law.
What Should a GDPR Data Processing Agreement Include?
Every company and business arrangement is different, and your GDPR Data Processing Agreement may differ according to what type of data processing is involved. However, there are some general clauses that will apply to most situations.
We've outlined some of those most common GDPR Data Processing Agreement clauses below.
Introduction
First, describe the purpose of the agreement. Name the parties involved and what the GDPR Data Processing Agreement intends to achieve.
You can see an example of a general introduction from the GDPR Data Processing Agreement that HubSpot uses:
Since HubSpot uses this agreement with many different controllers, the intro is very generalized. If you are the controller, you may wish to be more specific and name the exact parties involved in each Data Processing Agreement you establish.
Definitions
It won't serve anyone's purpose to write a GDPR Data Processing Agreement that no one can understand. Create a definitions section early in the document to define all the legal terms used, especially those terms that are taken from the GDPR.
HubSpot places its definitions section early on. In fact, it's the first item in the DPA's table of contents section:
Scope & General Details
Next you can go into more detail as to who the agreement applies to and which role each party will fulfill.
Name the processor and the controller, as well as what kinds of data will be processed. You may also go into the general activities that the processor will be performing for the controller, as well as the duration of the agreement, if applicable.
DigitalOcean lays out some general details and scope in these paragraphs:
Although DigitalOcean does not delve deeply into the details, it does lay out some general terms and expectations of the business relationship as a whole, including the roles of each party and details about the nature of the data that will be dealt with by both parties.
Confidentiality
As the controller, you have a responsibility to ensure the confidentiality of the consumer data in your possession. Any entity that processes your customer data must commit to keep all personal information confidential.
DigitalOcean promises confidentiality in a short and simple paragraph:
Notice that the agreement mentions staff, agents, and subcontractors - a good way to cover all the bases.
Responsibilities of the Controller
The responsibilities of the data controller should be listed clearly so that all parties understand how the business arrangement will work.
The major obligations of the controller should be listed in this section, as CloudMQTT has done here:
Here, CloudMQTT lays out how the controller will provide instructions and what should be included in those instructions, as well as the controller's obligation to uphold data protection laws and consent requirements.
Responsibilities of the Processor
This is another integral part of any GDPR Data Processing Agreement. Before the data controller can hand over consumer data in good faith to a data processor, all of the obligations of the data processor in regard to personal information should be described in detail.
Once again, CloudMQTT provides a good example of how to list out the responsibilities of the data processor:
Note that many of the GDPR's requirements for data processing contracts are included in this list, such as the processor's obligations to follow the instructions of the controller and inform the controller if any of those instructions infringe upon privacy laws. Using GDPR requirements as a guide for this section can be helpful to ensure both parties remain compliant.
Data Security
Appropriate security measures need to be addressed before any personal information can change hands. A controller cannot transfer consumer data without first receiving assurances that the data processor maintains adequate data security measures appropriate to the risk involved in the data processing activities.
LinkedIn provides data processing services for marketing clients and makes the following statement in their standard DPA:
Since LinkedIn assures the data controller that it takes full responsibility for data security measures during processing activities, the controller can be confident that the blame will not fall on them if a security breach or incident occurs due to LinkedIn's processing services.
Data Transfers
If the data processor must transfer or process data outside of the EU, the controller must ensure that the processor is following appropriate GDPR-approved protocols to transfer or store that data.
For this reason, the data processor must describe which certified framework it uses to transfer EU consumer data to other countries.
LinkedIn gives us another appropriate example of this clause:
Data Subject Rights
It's important to establish which party will be responsible for fulfilling EU consumer requests according to their data subject rights. As stated in the GDPR, EU residents are granted eight fundamental rights that data controllers and processors are required to uphold.
- The right of access to a user's own data
- The right to be informed of how consumer data will be used, who it will be shared with, and why
- The right to rectification and the ability to revise or make changes to one's own data
- The right to erasure of a user's own data upon request
- The right to restrict processing, to limit or restrict which personal data is processed and how
- The right to data portability if a consumer wishes to transfer personal information to another company or entity
- The right to object to the collection or processing of personal data at any time
- The right not to be subject to a decision based solely on automated processing
If the controller will remain responsible for granting these consumer rights when requested, this should be stated in the GDPR Data Processing Agreement. The same goes if the responsibility will fall to the data processor. The data controller may also request that the data processor fulfill these requests when appropriate.
In the HubSpot DPA, you can see that the data processor will assist with consumer rights requests if the controller is unable to do so:
While the GDPR does not specify which entity must fulfill consumer rights, it will be necessary to make this designation clear in the Data Processing Agreement.
Sub-Processors
EU privacy law clearly dictates that no data processor may transfer a controller's customer data to another processor without written consent from the data controller. Therefore, if a data processor does intend to work with sub-processors, this will need to be included as part of the GDPR Data Processing Agreement.
HubSpot also includes this clause in their DPA:
HubSpot is open about its use of sub-processors and provides controllers with further information for each sub-processor it works with in a separate document.
The processor also takes full responsibility for any actions performed by sub-processors and gives the controller the right to monitor and inspect all activities performed by sub-processors upon their own customer data.
All of these points must be made and agreed to before a controller can safely allow a data processor to transfer personal information to other data processors.
Data Retention & Deletion
The GDPR requires that a data processor must delete or return all consumer data after the business arrangement has ended. Therefore, some mention must be made as to the data processor's retention of consumer data and what will happen to the data upon termination of the project or contract.
This may be stated as simply as it is written in the LinkedIn DPA:
Audits
The data controller has the right to audit the data processor's activities in order to ensure proper security, confidentiality, and data protection measures. It is important to include this point in the GDPR Data Processing Agreement as a reminder to the data processor that audits are a part of the business arrangement.
DigitalOcean, as a data processor, agrees to the performance of audits in this clause of its DPA:
Although it agrees to the performance of audits, DigitalOcean does request that audits be performed no more than once per year. Details like this are to be arranged at the discretion of the different parties in each working relationship.
Governing Law
Finally, a statement about governing law is necessary in almost any kind of contract. This is simply a declaration of which geographic region's law will govern any disputes that may arise between the two parties.
Here's an example of such a clause from LinkedIn:
Because of this inclusion, any disputes that arise between LinkedIn and data controllers will need to be resolved under Irish jurisdiction according to Irish law.
Optional Appendices
Appendices are subsections outside of the main body of the contract that include other relevant details, such as a list of sub-processors or a description of processor security protocols.
CloudMQTT includes the controller's specific instructions and expectations in one appendix of its DPA:
The company also goes on to include a separate appendix that details the stringent security measures the processor uses to ensure data protection:
Sections like these depend entirely on the different parameters required by the unique working relationship that is established between each data controller and processor. Some other topics that can be addressed in appendices include:
- Sub-processors - A list of third-party data processors and how they will be processing the controller's consumer data
- Integrity - Assurances that the data processor has safeguards in place to protect personal data when it is transferred from the controller to the processor
- Sensitive data - If the data processing activities include sensitive categories of data, such as race, religion, sexual orientation, etc., it will need to be established which sensitive categories of data are being processed, why they are being processed, and under what legal basis
Although the GDPR Data Processing Agreement you ultimately agree upon may differ from the examples above, if you include the main clauses named above and address GDPR requirements throughout the document, your DPA should serve its ultimate purpose of protecting consumer data throughout all aspects of a data processing arrangement.
Once a comprehensive GDPR Data Processing Agreement has been agreed upon, both the data controller and the processor can rest assured that they are complying with international privacy laws and protecting consumer rights.