Got 4 minutes? Tell us how this uncertain economy is affecting your hiring plans and technology spend.
5 key clauses to review in a data processing agreement (DPA)

5 key clauses to review in a data processing agreement (DPA)

5 key clauses to review in a data processing agreement (DPA)Jocelyn Mackie
Legal Content Writer

Data processing has great disaster potential. First, you’re handling user and customer data that reveal credit card numbers, addresses, and other sensitive information. Second, the current data landscape is often fraught with security concerns. 

How do you manage this environment? With a data processing agreement. A DPA will lay the groundwork for the division of labor, liability, and information security, which creates understanding between controllers and processors. 

Here’s what you need to make your DPA effective and compliant with current privacy laws. 

Looking for a starting point for your own DPA? Get Jessica Nguyen's DPA template here.

What is a Data Processing Agreement? 

A data processing agreement (DPA) defines the rights, obligations, methods, and requirements for collecting personal information. “Data processing” in this context means storing, managing, and sharing data. 

The parties in a DPA include the data controller and the data processor. Data controllers define their purpose for collecting data and decide how to process it. A data processor follows the written instructions of a data controller to collect, store, and share data on the controller’s behalf. 

People who submit their data for processing are data subjects. They are often the customers or clients of the data controller. For example, the data subjects for an app development company may be the users or buyers. Data processors don’t have a direct relationship with the data subjects.

DPAs are not the same as privacy policies. A privacy policy informs consumers of an organization’s personal data collection, use, and sharing. It doesn’t dictate data processing. 

Laws Affecting DPAs

DPAs are risk-management tools for corporations, but sometimes, laws require them too. You must be familiar with these laws if you handle personal information regularly and hire third-party processors. 

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) affects transactions in the European Union (EU.) It is an information privacy and security law that targets any organization that collects personal data on people living in the EU. 

You may occasionally see references to a “GDPR data processing agreement.” This terminology merely refers to a DPA that complies with the GDPR. 

Under the GDPR, a company or organization must have a DPA if it uses a third-party data processor. The DPA must also contain the following terms:

  • Information regarding the subject matter, duration, nature, and purpose of the data processing
  • Types of personal data and the data subjects involved in the processing
  • Obligations of the data controller, e.g., providing written instructions
  • The data processor’s obligations, e.g., confidentiality and data security

These provisions should be present in most DPAs, even if you have yet to plan to do business in the EU. 

State Laws

Four states enacted data privacy laws that implement data processing requirements. These states are California, Colorado, Connecticut, and Virginia. You must be familiar with these laws if you perform business transactions in those states or with their citizens. 

Generally, these laws focus on data privacy. They have provisions concerning privacy policies, data protection, disclosure, and data breaches. A DPA becomes relevant to these laws because it outlines who is responsible when a processor mishandles or leaks data. 

The Five Key Sections of a DPA

These critical sections organize your essential clauses and keep controllers and processors on the same page. 

General Terms

The “General Terms” section of a DPA lays out the foundation information for the agreement. It contains:

  • The parties to the agreement
  • Their roles (e.g., data controller or processor)
  • Identification of the data subjects (e.g., customers, clients, or users)
  • Types of data to process
  • The way the controller intends to use the data
  • The collection, storage, and disclosure of data
  • The agreement’s duration
  • Contract termination provisions

The GDPR requires additional statements, including:

  • The processor agrees to process data only upon the controller’s written instructions.
  • All parties agree to keep the data confidential. 
  • The parties will use all technical and organizational resources available to them to keep the data secure. 

Let’s get into the details of each of these provisions. 

Data Controller Responsibilities

The data controller’s responsibilities align with its direct relationship with data subjects. Besides providing clear instructions to the data processor, they must also protect the data subjects’ rights. 

They can accomplish this by:

  • Providing a privacy policy to users or customers before they complete a transaction 
  • Ensuring that they only request the data they need and nothing above that
  • Dictating the data subjects’ rights, including the right to opt out, request deletion, and stay informed on data usage

Data controllers must also provide their data process in writing, including any protection for data subjects. These provisions usually fall under the technical requirements section in the DPA with a general description here. 

Data Processor Responsibilities

Data processor responsibilities align primarily with the data, especially its protection. These include:

  • Maintaining and monitoring information security
  • Reporting data breaches
  • Cooperating with authorities when needed
  • Cooperating with audits, record requests, and data returns at the end of the contract

The GDPR assigns additional responsibilities to a data processor to include in a DPA. While these requirements are unique to the GDPR, they offer more protection in your data processing arrangements. If you are a controller, these provisions help divide potential liability, so it doesn’t unevenly impact one party. 

So, even if you don’t perform business in the EU, consider adding provisions stating:

  • A data processor can’t subcontract processing to another data processor without written permission from the data controller. 
  • The processor will help the controller uphold GDPR obligations, especially considering data subjects’ rights.
  • A processor will help with GDPR compliance regarding processing security and consulting a data protection authority before taking risks with data.
  • The processor agrees to delete all personal data upon contract completion or termination of services (or return data to the controller.) 
  • The processor agrees to allow controllers to conduct audits and will provide all needed information. 

Technical Requirements

Technical requirements get more into the “how” of data processing. This section includes the controller’s explicit instructions, but it also addresses:

  • Encryption and security testing
  • Who has access to the data
  • Ensuring ongoing confidentiality and integrity
  • Data security procedures
  • Data break procedures

This section will likely require collaboration between the data controller and processor. Technical requirements are often within the processor’s expertise, and the controller may not know how to explain a process in detail. 

However, data controllers must be careful to understand this section thoroughly. That may require consulting with tech transfer attorneys or in-house experts. 

Rights of Data Subjects

Since most privacy and data processing laws focus on consumer rights, making a section devoted to those rights is an excellent idea. Its content lists the rights and describes how the controller and processor will preserve them. 

The rights mentioned in the GPDR and other privacy laws include:

  • Right to opt out
  • Right to be informed
  • Right to disclosure
  • Right to deletion
  • Right to equal services and prices

The rights deal mainly with communication. Consumers may request more information about the data used and stored. When you receive these inquiries, determine who has access to the requested information and then place the responsibility on the controller or processor to provide it. 

For example, a processor may have better access to delete data, while a controller is better equipped to describe how they use data. Once you determine the division of labor in these cases, you can create procedures to honor data subjects’ rights. 

Possible Red Flags in Data processing

An incomplete or vague DPA doesn’t do any favors for either party. Whether you are the controller or processor, remember these possible red flags as you draft and negotiate a data processing agreement. 

As a Data Controller

The data controller is the customer of the data processor. This arrangement often creates an uneven power dynamic. The processor usually knows more about their technology and may even overestimate their abilities. You must prepare to protect yourself in these situations. 

First, the DPA should include the five key sections outlined above. Some sections may mix, like controller or processor responsibilities and the rights of data subjects. When that occurs, check for keywords like “rights of data subjects” or “GPDR compliance.” If you don’t see these descriptions, ask about them. 

Second, be aware that controllers can face liability for data breaches, even if they didn’t play a part in them. You can avoid this with due diligence. Confirm that your chosen data processor has the technology, bandwidth, and experience to protect data and avoid breaches. 

As a Data Processor

Data processors are the vendors in the controller-processor relationship. Most of the time, you present a form agreement and hope the controller signs it. 

But these forms aren’t foolproof. It is common, especially in the tech industry, to hire an attorney to draft forms and then rely on them for years without checking current data laws. Privacy and data laws change quickly, and states consider new laws. You may face liability if your forms don’t comply with these updates. 

So, your most threatening red flag is outdated forms. In-house counsel should review these forms periodically and stay informed on data privacy laws. Set up a contract management system that supports these reviews and reminds attorneys to update contracts. 

And if your contracts aren’t entirely updated–don’t be afraid to redline them. An accurate data processing agreement with all required provisions is more likely to protect you and maintain understanding with the controller. 

Also, even if your company doesn’t directly target the EU, it’s still prudent to comply with the GDPR. The current economy is global, and EU citizens likely have access to a controller’s apps or website. Take the extra step to ensure your agreements reflect the data subjects’ rights and freedoms. 

If you want to see a hands-on example of what redlining and negotiating a DPA looks like in the tech space, check out Lexion’s recent webinar: Rumble in the Redlines. In this fun and educational session, we created a mock negotiation between a talented big law attorney (Daniel Chen of Wilson Sonsini and counsel for the controller) who redlined and negotiate a DPA against an experienced in-house attorney (Jessica Nguyen, Chief Legal Officer of Lexion and counsel for the processor). Watch the recording here or download our free DPA template.


Subscribe for a monthly digest of Lexion's posts