Jump to Section
Need help with a Data Processing Agreement?
Data processing agreements are critical to running a legally compliant business in a digitally encrypted world. Passed in the European Union in 2016, the General Data Protection Regulation (GDPR) set a new tone when it comes to protecting consumer data and privacy throughout the world. These laws continue to span reach throughout the world as other countries and states enact separate laws and requirements.
You need data processing agreements for consumers if you:
- Have a website
- Collect customer data
- Make sales online
As you can see, these rules affect a large majority of the world. Learn everything you need to know about data processing agreements by continuing the article below.
What is a Data Processing Agreement?
A data processing agreement, also called a DPA, is a legal contract between a data controller and a data processor. They regulate the use of consumer data by companies, specifically how it is processed. In essence, the data processor promises to utilize personally identifiable data (PII) according to the terms laid out in the data processing agreement.
If your website collects data from people living in locations with these rules, then your website processing agreements and data processing methods must be compliant with them.
Common types of company websites that should have data processing agreements include:
- Online retailers
- Internet marketers
- Online service providers
- Professional services firms
- B2B companies
- Financial institutions
- Technology firms
- Medical providers
If you run a large company, you will need to hire a data protection officer (DPO) to oversee and enforce your data privacy policies and data processing agreements. The internet is rife with the opportunity to expose your customer’s data, which can land your company in legal trouble with local authorities.
Avoid making this mistake by writing a personalized data processing agreement for your company while having the appropriate safeguards in place to monitor compliance.
Here is an article about data protection officers (DPO).
Key Terms in a Data Processing Agreement
Data processing agreements, like all contracts, contain key terms and provisions that help both parties understand their rights and responsibilities. In the case of a data processing agreement, the consumer, or the data control, must agree to the company’s or data processor’s terms to use their website or application.
The key terms in a data processing agreement include:
- Subject matter
- Data used
- Data categorizations
- Rights and obligations
- Rights if a data breach occurs
These rights and obligations may vary according to state, industry, country, and company type. When there are numerous variables involved with a contract, it is essential that you consult with privacy lawyers to help ensure that they are objective-oriented, compliant, and enforceable. Otherwise, you could leave yourself exposed to fiduciary liabilities in the future.
Why You Need A Data Processing Agreement
Your company needs a data processing agreement to remain compliant with a jurisdiction’s relevant laws. If you do not have these agreements in place and utilize consumer data, you could face significant penalties. While legislation is forthcoming slowly, a few noticeable places are enacting strict measurements.
DPAs and the GDPR
The General Data Protection Regulation (GDPR) summaries how companies must process, store, and use customer data. These regulations are contained within Article 28 of the GDPR text enacted by the European Union (EU).
Counties in the EU include:
- Republic of Cyprus
- Czech Republic
Regardless of where your target audience resides in the EU, DPAs are an essential website component across many business types and industries. Data controllers also have specific legal protections.
Ensure that your data processing agreement addresses the following rights:
- Right to opt-out
- Right to be informed
- Right to disclosure
- Right to deletion
- Right to equal services and prices
Lawmakers have authorized the Data Protect Authorities to impose fines of up to €20 million or 4 percent of global turnover annually, whichever of the two is greater, for GDPR violations. Work with a team of legal and technological professionals to help you create an agreement and process that helps you accomplish your company objectives while remaining compliant within the EU.
DPAs and the CCPA
On the other hand, the California Consumer Privacy Act (CCPA) is the state’s ePrivacy directive that outlines how companies can use consumer data, including tracking browsers and data encryption requirements. These rules apply to first and third-party services providers and retailers.
Data Processing Agreements and Small Businesses
Small business owners stretch their budgets and may wonder if having data processing agreements are really necessary. They are generally not exempt from meeting data processing agreement requirements. However, some geographical regions may have more lax regulations in your area.
Other Reasons to Not Use Data Processing Agreements
You also do not need to have a data processing agreement if your target market is not located in a place with such requirements. Always speak with internet lawyers in your state to determine if your small business needs to utilize data processing agreements.
Why You Should Get Started Early
We will likely see continued legislation crop up throughout the United States and the world. It may not be a bad idea to get a jump on the practice now while observing good data processing ethics. Your early adopter and tech-savvy customers are sure to take note of your above-and-beyond efforts.
Image via Pexels by Soumil Kumar
Writing A Data Processing Agreement
It’s essential that you write a data processing agreement that serves its intended purposes. However, the terms and conditions you write must also remain compliant with local, state, federal, country, and industry requirements depending upon your business. Use a methodical approach to ensure that you obtain the desired result.
Follow these steps when writing a data processing agreement:
- Step 1. Determine what customer data is essential
- Step 2. Decide upon how long you need to store/process the data
- Step 3. Write down how you plan to use the data in your own words
- Step 4. Finalize this information with key company stakeholders
- Step 5. Schedule an initial intake with a privacy lawyer
- Step 6. Work with the lawyer you hired to finalize the policy
Data Processing Agreement Sample
DATA PROCESSING AGREEMENT
THIS DATA PROCESSING AGREEMENT (“Data Processing Agreement”) is made and entered into on 23 July 2020 (“Effective Date”) by and between:
1. [PARTY 1], a company organized and existing under the laws of [STATE] and having its registered office at [ADDRESS].
2. [PARTY 2], a company organized and existing under the laws of [STATE] and having its registered office at [ADDRESS].
Each of the above parties are individually referred to as “Party” and jointly as “Parties”.
- WHEREAS, Controller and Processor entered into a service agreement as of [DATE] (“Agreement”) pursuant to which Processor agreed to provide certain services to Controller as specified in the Agreement, including any statements of work, and Privacy Annex (Annex 1) to this Data Processing Agreement (“Services”);
- WHEREAS, Controller engages Processor to on behalf of Controller process Personal Data defined in the Privacy Annex (Annex 1) and any other personal data processed by Processor on behalf of Controller pursuant to the Agreement (“Personal Data”);
- WHEREAS, this Data Processing Agreement includes the terms and conditions governing the processing of Personal Data by Processor on behalf of Controller with the aim to ensure the Parties comply with Applicable Laws as defined below.
NOW, THEREFORE, the Parties agree as follows:
1. DEFINITIONS AND INTERPRETATION
1.1. For the purposes of this Data Processing Agreement, the following terms shall have the following definitions and interpretation:
“Applicable Laws” means any EU, EU Member State, national, regional and local laws, rules, regulations, declarations, requirements, guidelines approved by supervisory or other competent bodies and polices that apply to or govern the processing of Personal Data as set out in the Privacy Annex (Annex 1), including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and relevant national laws, as amended from time to time.
“EEA” means European Economic Area.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Subprocessor” means any data processor (including any third party and any Processor Affiliate) engaged by Processor to process personal data on behalf of Controller.
“Supervisory Authority” means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Applicable Laws.
1.2 Other terms like “process/processing”, “data subject”, “(data) processor”, “(data) controller”, “data protection impact assessment”, etc. shall have the meaning ascribed to them in the Applicable Laws with regard to the Personal Data.
2. PROCESSING OF PERSONAL DATA
2.1. Processor shall provide the Services and shall process the Personal Data within the context of the Agreement on behalf of Controller and for the specific purposes as set out in the Privacy Annex (Annex 1) to this Data Processing Agreement.
2.2. Processor represents and warrants that it shall not process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than in accordance with the Controller’s documented instructions (in the Principal Agreement or otherwise), unless processing is required by EU or Member State law to which Processor is subject, in which case Processor shall to the extent permitted by such law inform Controller of that legal requirement before processing that Personal Data. Processor shall not process Personal Data for own purposes, except where it is regarded as data controller for the processing of Personal Data.
2.3. Controller represents and warrants that it is fully authorized and entitled to provide the Personal Data to Processor for processing and let Processor process the Personal Data for the purposes of the Agreement and for the specific purposes as set out in the Privacy Annex (Annex 1) and in execution of the Services.
3. DATA SUBJECT RIGHTS
3.1. Processor shall promptly, and in any case within five (5) working days, notify Controller if it receives a request from a data subject under any Applicable Laws in respect of Personal Data, including requests by a data subject to exercise rights in Chapter III of GDPR, and shall provide full details of that request.
3.2. Processor shall provide all reasonable assistance to Controller to enable Controller to comply with any exercise of rights by a data subject under any Applicable Laws in respect of Personal Data and comply with any assessment, enquiry, notice or investigation under Applicable Laws in respect of Personal Data or this Data Processing Agreement.
4. SECURITY OF PERSONAL DATA
4.1. Without prejudice to any other security requirements agreed upon between the Parties, Processor shall protect the processing of Personal Data and ensure a level of security of the Personal Data appropriate to the risk in accordance with Article 32 GDPR, among others by taking appropriate technical and organisational measures, that in view of the current state of the art and the related costs are in line with the nature of the Personal Data to be processed, the scope, context and purposes of the processing of the Personal Data, as well as the risk varying according to likelihood and severity for the rights and freedoms of data subjects. These measures encompass, where appropriate:
4.1.1. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
4.1.2. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
4.1.3. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
4.2. The Parties acknowledge that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvements of outdated security measures. Processor shall therefore continuously evaluate the technical and organisational measures as described herein and shall tighten, supplement and improve these security measures to maintain compliance with Applicable Laws.
5. PERSONAL DATA BREACHES
5.1. Processor shall notify Controller without unreasonable delay upon becoming aware of a Personal Data Breach in connection with the processing of Personal Data and shall provide Controller with information to allow Controller to meet any obligations to report a Personal Data Breach under the Applicable Laws. Such notification shall as a minimum:
5.1.1. describe the nature of the Personal Data Breach, the data subjects concerned, and the Personal Data records concerned;
5.1.2. communicate the name and contact details of Processor’s data protection officer or other relevant contact form whom more information may be obtained;
5.1.3. describe the likely consequences of the Personal Data Breach; and
5.1.4. describe the measures taken or proposed to address the Personal Data Breach.
5.2. Processor shall provide all reasonable assistance and shall take all reasonably steps to assist in the investigation, mitigation and remediation of each Personal Data Breach to enable Controller to (i) perform a thorough investigation into the Personal Data Breach, (ii) formulate a correct response; and (iii) to take further steps in respect of the Personal Data Breach in order to meet any requirements under the Applicable Laws.
6.1. From the Effective Date of this Data Processing Agreement, Processor may use the Subprocessors set out in the Privacy Annex (Annex 1). Processor may use additional Subprocessors to process Personal Data only with the prior written approval of Controller, which approval shall not be unreasonably withheld.
7. INTERNATIONAL TRANSFERS
7.1. If and insofar the Personal Data is processed outside of the EEA, the Parties shall only process the Personal Data when there is an adequate level of protection in place.
8.1. In accordance with the confidentiality provisions of the Agreement, Processor shall keep Personal Data confidential. For the avoidance of doubt, all Personal Data shall be considered as Confidential Information in the Agreement.
9. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
9.1. Processor shall provide reasonable assistance to Controller with any data protection impact assessments which are required under Article 35 GDPR and with any prior consultations to any Supervisory Authority of Controller or any of its affiliates which are required under Article 36 GDPR, in each case in relation to processing of Personal Data by Processor on behalf of Controller and taking into account the nature of the processing and information available to Processor.
10. PROVISION OF INFORMATION AND AUDITS
10.1. Processor shall make available to Controller on request any relevant information that is reasonably necessary to demonstrate compliance with this Data Processing Agreement.
10.2. Processor shall allow for and reasonably contribute to audits of the processing of Personal Data and the premises where such processing takes place. Processor shall provide all reasonable cooperation to Controller in respect of any such audit and shall at the request of Controller, provide Controller with evidence of compliance with its obligations under this Data Processing Agreement. Processor shall immediately inform Controller if, in its opinion, an instruction pursuant to this Clause 10 infringes any Applicable Laws.
11. INDEMNITY AND LIABILITY
11.1. Notwithstanding any provisions of the Agreement or this Data Processing Agreement to the contrary, each Party shall indemnify, defend and hold harmless the other Party from any claims (including third party claims), suits, demands, judgements, actions, liabilities, expenses (including reasonable attorney’s fees) and damages of any kind relating to its breach of this Data Processing Agreement, and/or its negligence or wilful misconduct.
11.2. Notwithstanding any provisions of the Agreement or this Data Processing Agreement to the contrary, the limitation of liability set forth in the Agreement shall also apply to this Data Processing Agreement.
12. DURATION AND TERMINATION
12.1. This Data Processing Agreement shall remain in full force and effect for the duration that Processor processes Personal Data on behalf of Controller under the Agreement.
12.2. Any obligation imposed on either Party under this Data Processing Agreement, or any provision that by their nature is intended to survive this Data Processing Agreement shall survive any termination or expiration of this Data Processing Agreement.
13. STORAGE, RETURN AND DESTRUCTION
13.1. Processor shall store the Personal Data no longer than strictly necessary (i) for the provision of Services; (ii) if a storage period is agreed between the Parties, no longer than this storage period; or (iii) to comply with statutory obligations.
13.2. Processor shall promptly, of the earlier of: (i) no longer processing of Personal Data; or (ii) termination of the Agreement, at the choice of Controller either: (a) return a complete copy of all Personal Data to Controller and securely wipe all other copies of Personal Data processed by Processor or any Subprocessor; or (b) securely wipe all copies of Personal Data processed by Processor or any Subprocessor; and in each case provide written confirmation to Controller that it has complied with this Clause 13, except insofar Processor is required by Applicable Laws to retain such Personal Data.
14.1. Modifications or amendments of this Data Processing Agreement shall only be effective if made in writing and signed by an authorized representative of both Parties.
14.2. If any provision of this Data Processing Agreement is invalid or unenforceable, then the remainder shall remain valid and in force.
14.3. In the event of inconsistencies between the provisions of this Data Processing Agreement and the Agreement and/or any Scope of Work, the provisions of this Data Processing Agreement shall prevail with regard to the Parties’ data protection obligations.
14.4. This Data Processing Agreement shall be governed by and in accordance with the laws of the [COUNTRY], without giving effect to any choice of law principles that would require the application of the laws of a different jurisdiction. Any disputes arising out or in connection with this Data Processing Agreement shall be brought exclusively before the competent court of [LOCATION].
IN WITNESS WHEREOF, the Parties hereto have executed this Data Processing Agreement as of the Effective Date by their duly authorized signatories.
Get Help with a DPA
Online agreements, like Data Processing Agreements, are best left to experts that understand the way browsers, software, and online marketing works, as well as being familiar with global data privacy laws. Post a project on ContractsCounsel’s marketplace to get bids from vetted technology lawyers that can help.
Meet some of our Data Processing Agreement Lawyers
November 17, 2021
Over 30 years of experience practicing commercial real estate and complex business litigation law.
January 11, 2022
Bruce Burk practice is in the area of small business, labor and employment, contracts, real estate and civil litigation. Bruce has litigated over 40 trials as well as many appeals. He prioritizes client communication and satisfaction as well as delivering high quality work product.
November 29, 2021
Attorney Cory Barack specializes in business, real estate, probate, and energy law. He can help you with oil/gas leases, easements, property sales, drafting contracts and wills, setting up companies, and resolving disputes. He is licensed to practice law in Ohio and is located in Eastern Ohio.
November 26, 2021
Advised startups and established corporations on a wide range of commercial and corporate matters, including VC funding, technology law, and M&A. Commercial and Corporate Matters • Advised companies on commercial and corporate matters and drafted corporate documents and commercial agreements—including but not limited to —Convertible Note, SAFE, Promissory Note, Terms and Conditions, SaaS Agreement, Employment Agreement, Contractor Agreement, Joint Venture Agreement, Stock Purchase Agreement, Asset Purchase Agreement, Shareholders Agreement, Partnership Agreement, Franchise Agreement, License Agreement, and Financing Agreement. • Drafted and revised internal regulations of joint venture companies (board of directors, employment, office organization, discretional duty, internal control, accounting, fund management, etc.) • Advised JVs on corporate structuring and other legal matters • Advised startups on VC funding Employment Matters • Drafted a wide range of employment agreements, including dental associate agreements, physician employment agreements, startup employment agreements, and executive employment agreements. • Advised clients on complex employment law matters and drafted employment agreements, dispute settlement agreements, and severance agreements. General Counsel • As outside general counsel, I advised startups on ICOs, securities law, business licenses, regulatory compliance, and other commercial and corporate matters. • Drafted or analyzed coin or token sale agreements for global ICOs. • Assisted clients with corporate formations, including filing incorporation documents and foreign corporation registrations, drafting operating and partnership agreements, and creating articles of incorporation and bylaws. Dispute Resolution • Conducted legal research, and document review, and drafted pleadings, motions, and other trial documents. • Advised the client on strategic approaches to discovery proceedings and settlement negotiation. • Advised clients on employment dispute settlements.
November 18, 2021
Abraham's practice focuses on counseling emerging group companies in the technology and other commercial agreements, and assisting equity financings (specifically venture capital).
November 22, 2021
I am available for data privacy and cybersecurity projects. I am CIPP/US certified through the IAPP. I have also taken coursework focused on the GDPR through the London School of Economics. In my past career I was an intelligence officer. I am well acquainted with information security best practices and I have experience developing and implementing administrative controls for classified information and PII. I have worked extensively overseas and I am comfortable integrating with remote teams. Feel free to reach out any time if you have any additional questions on my areas of expertise or professional background.
January 24, 2022
Peter W. Y.
Perceptive, solution-driven counselor and experienced attorney. Record of successful verdicts, settlements, negotiations, arbitrations, mediations, and deals. Effective claims management, litigation strategy, and risk consulting. Proven ability to oversee litigation teams, communicate to stakeholders, manage multiple projects effectively, and expand business relationships. Extensive experience handling legal issues in engineering and construction, environmental litigation, corporate and contractual, and insurance issues.