What Is a DPA (Data Processing Agreement) - and Are They Necessary?

Software Development Management - APR 2023
Karl Kjer
Ph.D. and Technical Writer
Karl Kjer, Ph.D. from the University of Minnesota, is an accomplished writer and researcher with over 70 published papers, many of which have received multiple citations. Karl's extensive experience in simplifying complex topics makes his articles captivating and easy to understand.
Are you obligated to sign a DPA? What laws are they based on and how do they work? Data processing agreements are a relatively new type of contract, so it’s not surprising that people still haven’t fully figured them out.

This article is intended to answer all of these questions and provide some background information on DPAs. By the end, you should understand what DPAs are, when they are applicable, what they contain, and why they are important in the modern data processing landscape.

What Is a DPA?

A DPA is a legal document, a signed contract between a data controller and data processor that establishes both parties’ duties and obligations regarding the handling of customers’ personal data for business purposes in accordance with the applicable data protection laws and regulations.

  • A data controller is the entity (natural person, business, or government body) that decides how personal data is processed and for which purpose.
  • A data processor is the third-party service provider that processes the data on behalf of the data controller.

Data processing agreements are sometimes called data processing addendums or data protection agreements, but all three serve the same purpose.

In simpler terms, a DPA is a contract that regulates how user data is collected, stored, processed, accessed, protected, and used. It defines all the organizational and technical requirements that are needed to protect personal data.

The ultimate purpose of a DPA is to protect the personal data of users and, in case of data breaches, hold the relevant companies responsible.

For example, let’s say you run a chain of pharmacies that delivers prescription medication. You decide to upgrade your system by transferring your data to the cloud and decide to hire a software company that provides cloud services and will create custom software to transfer and store that data.

The data you are storing also includes medical and other personal information of your patients. In this instance, you are the data controller and the software company is the data processor. Depending on the applicable laws in your state, you will likely need to sign a binding DPA with your data processor.


What Does a Data Processing Agreement Include?

A data processing agreement is a comprehensive agreement that should cover all the obligations and responsibilities of the data controller and data processor. As such, it should include:

  • General Information – Like all contracts, a DPA should include all the pertinent information regarding the signatories (i.e. company names, addresses, CID, and other identifying information). It should also include the definitions of the terms that will be used in the contract (e.g. who is classified as a customer/user).
  • The scope, purpose, types of data, security measures – A DPA should define the scope of the personal data processing activities – both the duration and the geographical location of the processing. Then, it needs to clearly lay out the purpose for which the data is being processed. It should also include clauses that classify the data that will be processed and the security measures that will be implemented to protect that information.
  • The rights of individuals – DPAs should also include provisions that lay out the rights of individuals whose personal data will be collected and processed.
  • The obligations of the controller and processor – A DPA needs to define all the obligations and responsibilities of the signatories – the controller and processor – and how they will comply with the applicable laws.

Common DPA Clauses

Some common clauses that are found in DPAs are:

  • The detailed purpose of the data processing;
  • Detailed data processing instructions;
  • The scope of the DPA;
  • Applicable security measures;
  • The obligations of the data controller;
  • The obligations of the third-party data processor;
  • Rules regarding sub-processors;
  • The liabilities of the data controller, data processor, and sub-processor;
  • The rights of individual users;
  • Rights regarding data transfers.

Again, a DPA is a comprehensive legal contract, so it can include many more clauses than those listed here, depending on the needs of the signatories.

A DPA can also be signed between a data processor and its users (these would be the common ‘contracts’ that most people skim, if that, and agree to when signing up for online websites). While this type of DPA is not the focus of this article, here is what HubSpot’s DPA with its users looks like, as an example.


Explaining the General Data Protection Regulation (GDPR)

We can’t talk about data processing agreements without taking a minute to mention the General Data Protection Regulation (GDPR) of the European Union, the most important European data protection law, as this legal act is often considered the main impetus for the spread of DPAs.

This regulation entered into force in 2016, but enforcement only began in 2018. It is one of the toughest security and privacy laws in the world, and it targets all organizations that collect and process the data of EU citizens.

Thus, for example, if a US, Brazilian, Taiwanese, or Australian company collects and processes the data of people from, let’s say, France, it must comply with the GDPR, regardless of its home country. One of the stipulations of the GDPR is precisely the obligation between data controllers and processors to sign data processing agreements.

If companies do not sign DPAs or are otherwise in breach of the GDPR, they are liable to pay exorbitant fines. We’ve mentioned the GDPR as a model regulation and legal basis that mandates the signing of DPAs, but it’s far from the only one of its kind.

Other Regulations Mandating DPAs

Many laws worldwide obligate the data controller to provide binding instructions for the data processor on how to process data. The wording and the specific requirements of the laws vary, but they all boil down to the same thing – the need to sign a type of DPA.

There are so many laws that we can’t list them all here. So we’ll provide a couple of examples of such laws in the US:

  • The California Privacy Rights Act (CPRA) of 2020, which came into effect in January 2023, amended the California Consumer Privacy Act of 2018 and expanded on the existing data privacy laws in California;
  • The Colorado Privacy Act (CPR), which should enter into force in July 2023. As an example, here is an excerpt of the CPR (part (c) (II) (B)):

“Imposes an affirmative obligation upon companies to safeguard personal data; to provide clear, understandable, and transparent information to consumers about how their personal data are used; and to strengthen compliance and accountability by requiring data protection assessments in the collection and use of personal data.”

You might have noticed that all three examples we brought up are laws that are coming into effect this year. It’s safe to say that passing such laws is a current trend and that we can expect most states to have similar legislation in the near future.


When Is a DPA Obligatory?

DPAs are obligatory when the laws of the countries where the company does business require them. But as we’ve mentioned above, you can expect most countries to have such regulations in the next few years, so considering DPAs obligatory in most cases could be a wise move.

The Benefits of a DPA

While signing a DPA may or may not be a legal obligation, DPAs still have benefits even when they are not mandatory. Some of the benefits are:

  • Ensuring the protection of citizens’ private data;
  • Ensuring compliance with the applicable laws;
  • Creating a clearly defined structure, including obligations, responsibilities, and liabilities, when personal data are being handled;
  • Creating confidence among your customers that you are not abusing the data they provide.

In short, data processing agreements can be viewed as contracts that enhance the way private data are handled.
