Data Processing Agreement

Clients Rate Lawyers on our Platform 4.9/5 Stars
based on 4,846 reviews

Jump to Section

Need help with a Data Processing Agreement?

Post Project Now

Data processing agreements are critical to running a legally compliant business in a digitally encrypted world. Passed in the European Union in 2016, the General Data Protection Regulation (GDPR) set a new tone when it comes to protecting consumer data and privacy throughout the world. These laws continue to span reach throughout the world as other countries and states enact separate laws and requirements.

You need data processing agreements for consumers if you:

  • Have a website
  • Collect customer data
  • Make sales online

As you can see, these rules affect a large majority of the world. Learn everything you need to know about data processing agreements by continuing the article below.

What is a Data Processing Agreement?

A data processing agreement, also called a DPA, is a legal contract between a data controller and a data processor. They regulate the use of consumer data by companies, specifically how it is processed. In essence, the data processor promises to utilize personally identifiable data (PII) according to the terms laid out in the data processing agreement.

If your website collects data from people living in locations with these rules, then your website processing agreements and data processing methods must be compliant with them.

Common types of company websites that should have data processing agreements include:

  • Online retailers
  • Internet marketers
  • Affiliates
  • Online service providers
  • Professional services firms
  • B2B companies
  • Financial institutions
  • Technology firms
  • Medical providers

If you run a large company, you will need to hire a data protection officer (DPO) to oversee and enforce your data privacy policies and data processing agreements. The internet is rife with the opportunity to expose your customer’s data, which can land your company in legal trouble with local authorities.

Avoid making this mistake by writing a personalized data processing agreement for your company while having the appropriate safeguards in place to monitor compliance.

Here is an article about data protection officers (DPO).

Key Terms in a Data Processing Agreement

Data processing agreements, like all contracts, contain key terms and provisions that help both parties understand their rights and responsibilities. In the case of a data processing agreement, the consumer, or the data control, must agree to the company’s or data processor’s terms to use their website or application.

The key terms in a data processing agreement include:

  • Subject matter
  • Duration
  • Purpose
  • Data used
  • Data categorizations
  • Rights and obligations
  • Rights if a data breach occurs

These rights and obligations may vary according to state, industry, country, and company type. When there are numerous variables involved with a contract, it is essential that you consult with privacy lawyers to help ensure that they are objective-oriented, compliant, and enforceable. Otherwise, you could leave yourself exposed to fiduciary liabilities in the future.

Why You Need A Data Processing Agreement

Your company needs a data processing agreement to remain compliant with a jurisdiction’s relevant laws. If you do not have these agreements in place and utilize consumer data, you could face significant penalties. While legislation is forthcoming slowly, a few noticeable places are enacting strict measurements.

DPAs and the GDPR

The General Data Protection Regulation (GDPR) summaries how companies must process, store, and use customer data. These regulations are contained within Article 28 of the GDPR text enacted by the European Union (EU).

Counties in the EU include:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Republic of Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden

Regardless of where your target audience resides in the EU, DPAs are an essential website component across many business types and industries. Data controllers also have specific legal protections.

Ensure that your data processing agreement addresses the following rights:

  • Right to opt-out
  • Right to be informed
  • Right to disclosure
  • Right to deletion
  • Right to equal services and prices

Lawmakers have authorized the Data Protect Authorities to impose fines of up to €20 million or 4 percent of global turnover annually, whichever of the two is greater, for GDPR violations. Work with a team of legal and technological professionals to help you create an agreement and process that helps you accomplish your company objectives while remaining compliant within the EU.

Meet some lawyers on our platform

Kendall C.

1 project on CC
View Profile

Bryan B.

121 projects on CC
View Profile

Amber M.

1 project on CC
View Profile

Matthew S.

10 projects on CC
View Profile

DPAs and the CCPA

On the other hand, the California Consumer Privacy Act (CCPA) is the state’s ePrivacy directive that outlines how companies can use consumer data, including tracking browsers and data encryption requirements. These rules apply to first and third-party services providers and retailers.

Data Processing Agreements and Small Businesses

Small business owners stretch their budgets and may wonder if having data processing agreements are really necessary. They are generally not exempt from meeting data processing agreement requirements. However, some geographical regions may have more lax regulations in your area.

Other Reasons to Not Use Data Processing Agreements

You also do not need to have a data processing agreement if your target market is not located in a place with such requirements. Always speak with internet lawyers in your state to determine if your small business needs to utilize data processing agreements.

Why You Should Get Started Early

We will likely see continued legislation crop up throughout the United States and the world. It may not be a bad idea to get a jump on the practice now while observing good data processing ethics. Your early adopter and tech-savvy customers are sure to take note of your above-and-beyond efforts.

Data Processing Agreements vs. Privacy Policy

There are significant differences between data processing agreements vs. a privacy policy . Data processing agreements outline how you process the customer’s data to prevent technological insecurities, while the privacy policy lets customers know what you do with their data in general.

Example of Data Processing Agreements vs. Privacy Policy

For example, in a data processing agreement, you may disclose that a third party, such as Google, will process your data when collecting email addresses for newsletters. You do not necessarily need to disclose this specific information in your privacy policy.

ContractsCounsel Data Processing Agreement Image

Image via Pexels by Soumil Kumar

Writing A Data Processing Agreement

It’s essential that you write a data processing agreement that serves its intended purposes. However, the terms and conditions you write must also remain compliant with local, state, federal, country, and industry requirements depending upon your business. Use a methodical approach to ensure that you obtain the desired result.

Follow these steps when writing a data processing agreement:

  • Step 1. Determine what customer data is essential
  • Step 2. Decide upon how long you need to store/process the data
  • Step 3. Write down how you plan to use the data in your own words
  • Step 4. Finalize this information with key company stakeholders
  • Step 5. Schedule an initial intake with a privacy lawyer
  • Step 6. Work with the lawyer you hired to finalize the policy

The most practical business approach for writing a data processing agreement is by speak with technology lawyers . They have the legal experience and digital knowledge you want when drafting your data processing agreements. Your attorney can also help you draft other data processing agreement documents, including a privacy policy, terms of use agreement, terms of service (ToS) agreement, and acceptable use policy .

Data Processing Agreement Sample


THIS DATA PROCESSING AGREEMENT (“Data Processing Agreement”) is made and entered into on 23 July 2020 (“Effective Date”) by and between:

1. [PARTY 1], a company organized and existing under the laws of [STATE] and having its registered office at [ADDRESS].

2. [PARTY 2], a company organized and existing under the laws of [STATE] and having its registered office at [ADDRESS].

Each of the above parties are individually referred to as “Party” and jointly as “Parties”.


  1. WHEREAS, Controller and Processor entered into a service agreement as of [DATE] (“Agreement”) pursuant to which Processor agreed to provide certain services to Controller as specified in the Agreement, including any statements of work, and Privacy Annex (Annex 1) to this Data Processing Agreement (“Services”);
  2. WHEREAS, Controller engages Processor to on behalf of Controller process Personal Data defined in the Privacy Annex (Annex 1) and any other personal data processed by Processor on behalf of Controller pursuant to the Agreement (“Personal Data”);
  3. WHEREAS, this Data Processing Agreement includes the terms and conditions governing the processing of Personal Data by Processor on behalf of Controller with the aim to ensure the Parties comply with Applicable Laws as defined below.

NOW, THEREFORE, the Parties agree as follows:


1.1. For the purposes of this Data Processing Agreement, the following terms shall have the following definitions and interpretation:

Applicable Laws” means any EU, EU Member State, national, regional and local laws, rules, regulations, declarations, requirements, guidelines approved by supervisory or other competent bodies and polices that apply to or govern the processing of Personal Data as set out in the Privacy Annex (Annex 1), including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and relevant national laws, as amended from time to time.

EEA” means European Economic Area.

Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Subprocessor” means any data processor (including any third party and any Processor Affiliate) engaged by Processor to process personal data on behalf of Controller.

Supervisory Authority” means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Applicable Laws.

1.2 Other terms like “process/processing”, “data subject”, “(data) processor”, “(data) controller”, “data protection impact assessment”, etc. shall have the meaning ascribed to them in the Applicable Laws with regard to the Personal Data.


2.1. Processor shall provide the Services and shall process the Personal Data within the context of the Agreement on behalf of Controller and for the specific purposes as set out in the Privacy Annex (Annex 1) to this Data Processing Agreement.

2.2. Processor represents and warrants that it shall not process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than in accordance with the Controller’s documented instructions (in the Principal Agreement or otherwise), unless processing is required by EU or Member State law to which Processor is subject, in which case Processor shall to the extent permitted by such law inform Controller of that legal requirement before processing that Personal Data. Processor shall not process Personal Data for own purposes, except where it is regarded as data controller for the processing of Personal Data.

2.3. Controller represents and warrants that it is fully authorized and entitled to provide the Personal Data to Processor for processing and let Processor process the Personal Data for the purposes of the Agreement and for the specific purposes as set out in the Privacy Annex (Annex 1) and in execution of the Services.


3.1. Processor shall promptly, and in any case within five (5) working days, notify Controller if it receives a request from a data subject under any Applicable Laws in respect of Personal Data, including requests by a data subject to exercise rights in Chapter III of GDPR, and shall provide full details of that request.

3.2. Processor shall provide all reasonable assistance to Controller to enable Controller to comply with any exercise of rights by a data subject under any Applicable Laws in respect of Personal Data and comply with any assessment, enquiry, notice or investigation under Applicable Laws in respect of Personal Data or this Data Processing Agreement.


4.1. Without prejudice to any other security requirements agreed upon between the Parties, Processor shall protect the processing of Personal Data and ensure a level of security of the Personal Data appropriate to the risk in accordance with Article 32 GDPR, among others by taking appropriate technical and organisational measures, that in view of the current state of the art and the related costs are in line with the nature of the Personal Data to be processed, the scope, context and purposes of the processing of the Personal Data, as well as the risk varying according to likelihood and severity for the rights and freedoms of data subjects. These measures encompass, where appropriate:

4.1.1. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

4.1.2. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

4.1.3. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.

4.2. The Parties acknowledge that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvements of outdated security measures. Processor shall therefore continuously evaluate the technical and organisational measures as described herein and shall tighten, supplement and improve these security measures to maintain compliance with Applicable Laws.


5.1. Processor shall notify Controller without unreasonable delay upon becoming aware of a Personal Data Breach in connection with the processing of Personal Data and shall provide Controller with information to allow Controller to meet any obligations to report a Personal Data Breach under the Applicable Laws. Such notification shall as a minimum:

5.1.1. describe the nature of the Personal Data Breach, the data subjects concerned, and the Personal Data records concerned;

5.1.2. communicate the name and contact details of Processor’s data protection officer or other relevant contact form whom more information may be obtained;

5.1.3. describe the likely consequences of the Personal Data Breach; and

5.1.4. describe the measures taken or proposed to address the Personal Data Breach.

5.2. Processor shall provide all reasonable assistance and shall take all reasonably steps to assist in the investigation, mitigation and remediation of each Personal Data Breach to enable Controller to (i) perform a thorough investigation into the Personal Data Breach, (ii) formulate a correct response; and (iii) to take further steps in respect of the Personal Data Breach in order to meet any requirements under the Applicable Laws.


6.1. From the Effective Date of this Data Processing Agreement, Processor may use the Subprocessors set out in the Privacy Annex (Annex 1). Processor may use additional Subprocessors to process Personal Data only with the prior written approval of Controller, which approval shall not be unreasonably withheld.


7.1. If and insofar the Personal Data is processed outside of the EEA, the Parties shall only process the Personal Data when there is an adequate level of protection in place.


8.1. In accordance with the confidentiality provisions of the Agreement, Processor shall keep Personal Data confidential. For the avoidance of doubt, all Personal Data shall be considered as Confidential Information in the Agreement.


9.1. Processor shall provide reasonable assistance to Controller with any data protection impact assessments which are required under Article 35 GDPR and with any prior consultations to any Supervisory Authority of Controller or any of its affiliates which are required under Article 36 GDPR, in each case in relation to processing of Personal Data by Processor on behalf of Controller and taking into account the nature of the processing and information available to Processor.


10.1. Processor shall make available to Controller on request any relevant information that is reasonably necessary to demonstrate compliance with this Data Processing Agreement.

10.2. Processor shall allow for and reasonably contribute to audits of the processing of Personal Data and the premises where such processing takes place. Processor shall provide all reasonable cooperation to Controller in respect of any such audit and shall at the request of Controller, provide Controller with evidence of compliance with its obligations under this Data Processing Agreement. Processor shall immediately inform Controller if, in its opinion, an instruction pursuant to this Clause 10 infringes any Applicable Laws.


11.1. Notwithstanding any provisions of the Agreement or this Data Processing Agreement to the contrary, each Party shall indemnify, defend and hold harmless the other Party from any claims (including third party claims), suits, demands, judgements, actions, liabilities, expenses (including reasonable attorney’s fees) and damages of any kind relating to its breach of this Data Processing Agreement, and/or its negligence or wilful misconduct.

11.2. Notwithstanding any provisions of the Agreement or this Data Processing Agreement to the contrary, the limitation of liability set forth in the Agreement shall also apply to this Data Processing Agreement.


12.1. This Data Processing Agreement shall remain in full force and effect for the duration that Processor processes Personal Data on behalf of Controller under the Agreement.

12.2. Any obligation imposed on either Party under this Data Processing Agreement, or any provision that by their nature is intended to survive this Data Processing Agreement shall survive any termination or expiration of this Data Processing Agreement.


13.1. Processor shall store the Personal Data no longer than strictly necessary (i) for the provision of Services; (ii) if a storage period is agreed between the Parties, no longer than this storage period; or (iii) to comply with statutory obligations.

13.2. Processor shall promptly, of the earlier of: (i) no longer processing of Personal Data; or (ii) termination of the Agreement, at the choice of Controller either: (a) return a complete copy of all Personal Data to Controller and securely wipe all other copies of Personal Data processed by Processor or any Subprocessor; or (b) securely wipe all copies of Personal Data processed by Processor or any Subprocessor; and in each case provide written confirmation to Controller that it has complied with this Clause 13, except insofar Processor is required by Applicable Laws to retain such Personal Data.


14.1. Modifications or amendments of this Data Processing Agreement shall only be effective if made in writing and signed by an authorized representative of both Parties.

14.2. If any provision of this Data Processing Agreement is invalid or unenforceable, then the remainder shall remain valid and in force.

14.3. In the event of inconsistencies between the provisions of this Data Processing Agreement and the Agreement and/or any Scope of Work, the provisions of this Data Processing Agreement shall prevail with regard to the Parties’ data protection obligations.

14.4. This Data Processing Agreement shall be governed by and in accordance with the laws of the [COUNTRY], without giving effect to any choice of law principles that would require the application of the laws of a different jurisdiction. Any disputes arising out or in connection with this Data Processing Agreement shall be brought exclusively before the competent court of [LOCATION].

IN WITNESS WHEREOF, the Parties hereto have executed this Data Processing Agreement as of the Effective Date by their duly authorized signatories.

By: ________________________

By: ________________________

Get Help with a DPA

Online agreements, like Data Processing Agreements, are best left to experts that understand the way browsers, software, and online marketing works, as well as being familiar with global data privacy laws. Post a project on ContractsCounsel’s marketplace to get bids from vetted technology lawyers that can help.

How ContractsCounsel Works
Hiring a lawyer on ContractsCounsel is easy, transparent and affordable.
1. Post a Free Project
Complete our 4-step process to provide info on what you need done.
2. Get Bids to Review
Receive flat-fee bids from lawyers in our marketplace to compare.
3. Start Your Project
Securely pay to start working with the lawyer you select.

Meet some of our Data Processing Agreement Lawyers

Bruce B. on ContractsCounsel
View Bruce
5.0 (13)
Member Since:
January 11, 2022

Bruce B.

Managing Attorney
Free Consultation
Tampa, FL
8 Yrs Experience
Licensed in FL
University of South Carolina

Bruce Burk practice is in the area of small business, labor and employment, contracts, real estate and civil litigation. Bruce has litigated over 40 trials as well as many appeals. He prioritizes client communication and satisfaction as well as delivering high quality work product.

Cory B. on ContractsCounsel
View Cory
5.0 (1)
Member Since:
November 29, 2021

Cory B.

Free Consultation
Bellaire, OH
7 Yrs Experience
Licensed in OH
Duquesne University School of Law

Attorney Cory Barack specializes in business, real estate, probate, and energy law. He can help you with oil/gas leases, easements, property sales, drafting contracts and wills, setting up companies, and resolving disputes. He is licensed to practice law in Ohio and is located in Eastern Ohio.

Daehoon P. on ContractsCounsel
View Daehoon
4.7 (76)
Member Since:
November 26, 2021

Daehoon P.

Corporate Lawyer
Free Consultation
New York, NY
8 Yrs Experience
Licensed in NY
American University Washington College of Law

Advised startups and established corporations on a wide range of commercial and corporate matters, including VC funding, technology law, and M&A. Commercial and Corporate Matters • Advised companies on commercial and corporate matters and drafted corporate documents and commercial agreements—including but not limited to —Convertible Note, SAFE, Promissory Note, Terms and Conditions, SaaS Agreement, Employment Agreement, Contractor Agreement, Joint Venture Agreement, Stock Purchase Agreement, Asset Purchase Agreement, Shareholders Agreement, Partnership Agreement, Franchise Agreement, License Agreement, and Financing Agreement. • Drafted and revised internal regulations of joint venture companies (board of directors, employment, office organization, discretional duty, internal control, accounting, fund management, etc.) • Advised JVs on corporate structuring and other legal matters • Advised startups on VC funding Employment Matters • Drafted a wide range of employment agreements, including dental associate agreements, physician employment agreements, startup employment agreements, and executive employment agreements. • Advised clients on complex employment law matters and drafted employment agreements, dispute settlement agreements, and severance agreements. General Counsel • As outside general counsel, I advised startups on ICOs, securities law, business licenses, regulatory compliance, and other commercial and corporate matters. • Drafted or analyzed coin or token sale agreements for global ICOs. • Assisted clients with corporate formations, including filing incorporation documents and foreign corporation registrations, drafting operating and partnership agreements, and creating articles of incorporation and bylaws. Dispute Resolution • Conducted legal research, and document review, and drafted pleadings, motions, and other trial documents. • Advised the client on strategic approaches to discovery proceedings and settlement negotiation. • Advised clients on employment dispute settlements.

Abraham W. on ContractsCounsel
View Abraham
Member Since:
November 18, 2021

Abraham W.

Free Consultation
Nashville, TN
4 Yrs Experience
Licensed in NY, TN
Harvard Law School

Abraham's practice focuses on counseling emerging group companies in the technology and other commercial agreements, and assisting equity financings (specifically venture capital).

Dave Y. on ContractsCounsel
View Dave
Member Since:
November 22, 2021

Dave Y.

Free Consultation
Colorado Springs
2 Yrs Experience
Licensed in CO
University of Denver

I am available for data privacy and cybersecurity projects. I am CIPP/US certified through the IAPP. I have also taken coursework focused on the GDPR through the London School of Economics. In my past career I was an intelligence officer. I am well acquainted with information security best practices and I have experience developing and implementing administrative controls for classified information and PII. I have worked extensively overseas and I am comfortable integrating with remote teams. Feel free to reach out any time if you have any additional questions on my areas of expertise or professional background.

Peter W. Y. on ContractsCounsel
View Peter W.
Member Since:
January 24, 2022

Peter W. Y.

Free Consultation
24 Yrs Experience
Licensed in CT, NY, PA
Haub School of Law at Pace University

Perceptive, solution-driven counselor and experienced attorney. Record of successful verdicts, settlements, negotiations, arbitrations, mediations, and deals. Effective claims management, litigation strategy, and risk consulting. Proven ability to oversee litigation teams, communicate to stakeholders, manage multiple projects effectively, and expand business relationships. Extensive experience handling legal issues in engineering and construction, environmental litigation, corporate and contractual, and insurance issues.

Find the best lawyer for your project

Browse Lawyers Now

Want to speak to someone?

Get in touch below and we will schedule a time to connect!

Request a call