Introduction

In this article we’ve got all the ins and outs you could ever need when it comes to DPAs – Data Processing Agreements. 

If you have any experience trying to figure these contracts out – you probably feel totally and utterly confused! 

All this talk about ‘data processors’ and ‘data controllers’ and GDPR isn’t exactly a walk in the park!

But have no fear! We’re here to lead the way and guide you through the process step-by-step with our 2022 ultimate guide to DPA Agreements. 

We’ll break down the meaning of all that legal language so you can feel confident when it comes to reading, understanding and signing these technical agreements.  

We’re going to explain what DPAs are all about:

• What is a DPA agreement – why you need them and when you need them
• What is a data controller and data processor (with plenty of examples!)
• What is the GDPR and what does it have to do with DPAs
• What constitutes personal data
• What your DPA should cover in order to meet the requirements of the GDPR
• Our Top 5 terms to include in your DPA agreement

Sound good? Let’s get into it!

DPA Agreement Meaning – What is a DPA?

DPAs are all about protecting the data you collect from your customers.

The typical definition for a DPA looks something like this:

A DPA is an agreement between the data “controller” (you) and your data processors. The DPA regulates the scope and purpose of data processing, and the relationship between your organization and your data processors.

But what does that actually mean?!

In order to explain what DPA agreements are all about, I’m going to take you the following 5 steps.

1. What is ‘data processing?’

Data processing refers to any of the following activities – collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, using, disclosing, transmitting, erasing or destroying data, or making that data available to another company.

2. What is a ‘data controller’ and ‘data processor’? 

A ‘data controller’ simply means a company that collects personal data from customers or other individuals for the purpose of fulfilling a service for those customers.

A ‘data processor’ is a company that is hired by the data controller to process that data according to the controller’s instructions. 

Examples of Data Controller – Data Processor Relationships

Example 1

Let’s say a gym is running a special promotional event and hires a printing company to produce some invitations. The gym provides the printing company with the names and addresses of the current members in its database. 

By using the information to send out the invitations, the printing company is processing the gym’s data received from its customers.

Therefore the gym is considered the controller of the personal information that is used to send the invitations. 

Example 2

As an online business, you probably use Google Analytics alongside other marketing tech tools to analyze your customer data.

While you, as the data controller, determine why and how their information is processed, these tools simply collect, analyze, and present the data for you.

By doing these activities they become your data processor. 

Example 3

While the business who hires employees is considered a data controller, any third party accounting service or accounting software like Xero, is considered a data processor as they store and utilize your employee data, such as their bank and contact details.

Remember, neither the data processor nor the data controller owns the personal data. That data will always belong to your customers.

3. When is a data processing agreement required

Let’s get into some more specific examples of when you need a DPA:

• Transferring personal data to a cloud provider 
• Outsourcing the collecting, organizing, storing, adapting, altering, disclosing, or erasing of personal data
• Using a marketing analytics service
• Using mailing or advertising services
• Using customer relationship management (CRM) services  
• Using customer data platform services       
• Collecting data from users on a website, then using a third-party processor to manage some aspect of your business strategy    
• Using a third-party service to process online payments 

4. What are the responsibilities of the data controller and data processor

As the data controller, you may decide:

• To collect the personal information of your customers, site visitors, and other targets.  
• What to collect.
• To change or modify the data that you get.
• Where and how to use the data and towards what purpose.
• Whether to keep the data in-house or to share it with third parties.  You also figure out who to share the data with.
• How long the data is kept, and when to dispose of it.

The data processor must only carry out the actual processing of the data under the specific instructions of the data controller.

You may instruct your data processor to:

• Design, create, and implement IT processes and systems that would enable the data controller to gather personal data.
• Use tools and strategies to gather personal data.
• Implement security measures that would safeguard personal data.
• Store personal data gathered by the data controller.
• Transfer data from the data controller to another organization and vice versa.

5. So…what actually is a DPA?

Data Processing Agreement is simply the contract that governs the relationship between these two companies. In the above example that would be between the gym and the printing company.

Now here’s where things can get confusing. The same organization can be either a controller or a processor, depending on the circumstances, and both parties can be data controllers. 

Bottom line: if you deal with personal data – you need a DPA.

What constitutes personal data?

The term “personal data” includes: 

• Contact data
• Key contract data
• Customer history
• Billing, invoicing, and payments data
• Data related to customer behavior within the product (including user events and properties)
• Data related to communication (email and other messages) between you and your end users
• Aggregated data and analytics gained by processing any of the above data categories
• Other customer and end-user data required for fulfilling the purpose of your service

What is the GDPR and what does it have to do with DPAs?

The General Data Protection Regulation (GDPR) is a framework of laws created to protect the data and privacy of citizens of the European Union. 

The GDPR governs the use of personal data belonging to EU citizens, and the transfer of that personal data outside of Europe. 

This means that if your organization does business with customers who are residents of the European Union, you’re bound by GDPR guidelines and regulations regardless of where you do business. 

The regulations contained within the GDPR cover how the personal data of EU citizens must be stored, processed, used, and exchanged. 

The DPA is an assurance that your data processor and any subcontractor they might use protects the privacy of the personal data you’ve collected from your customers, to the extent required by the GDPR. 

What should a DPA include?

The DPA needs to cover the purpose of the agreement, the names of parties involved, and what the agreement will achieve. 

The DPA should include a full list of definitions, including all relevant terms, especially those taken from the GDPR. 

The DPA must go into detail on who the agreement applies to and each party’s role in the relationship as well as what types of data will be processed. 

You can also go into the general activities your data processor will perform as well as the duration of the agreement. 

The DPA must state how you will satisfy the requirements of the GDPR. Including which certified framework your data processor will use to transfer EU personal data to other countries.

Top 5 terms to include in your DPA

1. Data controller responsibilities

Your responsibilities as data controller should be listed so all parties understand how the business arrangement will work.

2. Data processor responsibilities

Before transferring your customer data to a data processor, the data processor’s obligations regarding personal information should be described in detail. 

3. Data Security

Security needs to be addressed before any personal information can change hands. You cannot transfer customer data without first receiving the proper assurances that your data processor’s security measures reflect the risk involved in the data processing activities. 

4. Sub-processors

 A data processor may not transfer customer data to another processor without written consent from the data controller. Therefore, if a data processor plans to use subcontractors, this needs to be included as part of the GDPR Data Processing Agreement. 

5. Data retention and deletion

The GDPR requires that data processors delete or return all consumer data after the business arrangement has ended. Therefore, the DPA should state what will happen to the data upon termination of the project or contract. 

Conclusion

Phew! We’re done – and we’ve covered a lot!

There’s a lot involved in a DPA, but hopefully you now understand the question ‘what is a data processing agreement’ and feel more comfortable reviewing your DPAs!

We’ve shown you what DPAs are all about, what data controllers and data processors are, why you need to care about the GDPR, what constitutes personal data, what your DPA should cover in order to meet the requirements of the GDPR and our top 5 terms to include in your DPA!

Still feel like you need help tackling those DPAs?

We know how important it is to meet those regulatory requirements for your tech company and to protect your customers’ personal data. 

At Superlegal, we help you speed up your contracts faster and cheaper than any lawyer. 

So that you’re legally covered without any holdup in getting customers signed and getting back to business!

With Superlegal you’ll get your contracts back in 24 hours at only 10% of the cost of a lawyer – so you can get back to growing your business! 

Sign your contracts with CONFIDENCE.

Click here to try Superlegal completely for free! 

About the Author

Ilana Waxman

Ilana is a Cambridge graduate and qualified Lawyer from London. She is the Content Lead at Superlegal and is passionate about marketing, SaaS and helping companies close deals faster!