Data Processing Addendums (DPA)

A Data Processing Addendum (DPA) is a legal agreement that outlines the terms under which a third party, such as a service provider, processes personal data on behalf of a business or data controller. It ensures compliance with privacy laws like the General Data Protection Regulation (GDPR) by specifying data protection measures, processing purposes, security obligations, and rights of both parties. The DPA typically includes provisions on data retention, breach notifications, sub-processing, and audit rights to safeguard personal information. Businesses use DPAs to establish clear responsibilities and mitigate risks associated with data handling.

Instructions & Compliance

GDPR (Article 28(3)(a)) states that a data processor may only process personal data on the documented instructions of the data controller, including when transferring data to a third country or international organization. If a legal obligation under EU or member state law requires the processor to act outside of these instructions, the processor must inform the controller before processing unless the law prohibits such disclosure on important grounds of public interest. This provision ensures that processors do not independently determine how personal data is handled, reinforcing the controller’s authority and maintaining compliance with GDPR standards.

Data Subject Rights

A DPA requires processors to assist data controllers in responding to data subject requests, such as access, rectification, deletion, and portability of personal data. The processor implements technical and organizational measures to facilitate these rights and ensure secure data handling. Additionally, the DPA often mandates timely responses to data subject inquiries and cooperation in regulatory investigations.

Personnel Requirements

Personnel with access to personal data under GDPR must commit to confidentiality or be bound by a statutory obligation of confidentiality, in addition to any other measures required by the controller. Other measures controllers consider either in a DPA or in separate security terms include background check requirements and annual privacy and security training.

Subprocessors

Under Article 28, a data processor may only engage a subprocessor with the prior specific or general written authorization of the data controller. If granted general authorization, the processor must inform the controller of any intended additions or replacements, allowing the controller to object. Additionally, the processor must impose on the subprocessor the same data protection obligations set out in the contract between the controller and processor. The processor remains fully liable to the controller for the subprocessor’s performance, meaning any failure by the subprocessor to uphold those obligations is the processor’s responsibility.

Security Measures

A DPA often outlines essential security measures to protect personal data during processing, ensuring compliance with data protection laws and industry standards. These measures typically include encryption to safeguard data in transit and at rest, access controls to limit data exposure, pseudonymization and anonymization techniques to reduce risk, physical security for data storage locations, and strong authentication procedures for system access. Security measures may be found in a separate security addendum attached to the contract, or contained within the DPA itself. Technical and organizational measures (sometimes referred to as TOMs) can also be found in the annex to the Standard Contractual Clauses incorporated into a DPA.

Security Incidents

Security incident terms vary widely from one DPA to another. Under Article 33 of the General Data Protection Regulation (GDPR), a data processor is required to notify the data controller without undue delay upon becoming aware of a personal data breach. The controller must in turn report the breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and that report must include details such as the nature of the breach, the categories and approximate number of affected data subjects, the likely consequences, and the measures taken or proposed to address it. Because the controller cannot meet its deadline or supply these details without the processor’s input, DPAs commonly require the processor to provide this information promptly. Obligations of controllers for security incidents vary by country, industry and the nature of the data, so many organizations require processors to report all actual or suspected security incidents to their team as part of the terms of the DPA. Other common terms found in these clauses include remediation requirements, cooperation clauses, investigation rights, frequency of communications, and publicity restrictions.

Audits

Audit provisions ensure that data controllers can verify compliance with privacy laws like the General Data Protection Regulation (GDPR). These clauses grant controllers the right to conduct audits or request third-party assessments to evaluate a processor’s security measures, data handling practices, and regulatory adherence. Some DPAs specify audit frequency, notice, scope, and cost-sharing arrangements to balance oversight with operational efficiency.

Transition Assistance

Processors are typically obligated to return or delete personal data at the end of the engagement. Some DPAs allow exceptions for audit, legal, backup or compliance purposes, ensuring data is retained only as necessary. Controllers often request a certificate of destruction or other assurances to document their compliance efforts.

CCPA Service Provider Terms

Under the California Consumer Privacy Act (CCPA), a business that discloses personal information to a service provider or contractor must have a written contract in place. Among other things, the contract must limit the service provider to using the personal information only for the specified business purpose, prohibit it from selling or sharing the personal information, require it to comply with the CCPA and provide the same level of privacy protection, and require it to notify the business if it can no longer meet its obligations.

International Data Transfers

International data transfers are governed by strict regulations to ensure compliance with privacy laws like the General Data Protection Regulation (GDPR). When personal data under GDPR is transferred across borders, businesses must either rely on an adequacy decision issued by the European Commission for the destination country or implement appropriate safeguards, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). Companies relying on SCCs or BCRs may also need to conduct a transfer impact assessment to evaluate whether the laws and practices of the recipient country undermine the protection those safeguards provide.

Indemnification

Indemnification obligations protect parties against financial losses resulting from data breaches, non-compliance, or third-party claims. Indemnification clauses are heavily negotiated to balance liability and financial exposure, and not all DPAs have them. Typically, the data processor agrees to indemnify the data controller for some types of damages, but the scope of such indemnities is still evolving. Some DPAs also require reimbursement of breach notification costs and maintenance of cyber insurance to mitigate risks.

Limitations of Liability

In a DPA, limitations of liability clauses define the extent to which parties are responsible for damages arising from data breaches, non-compliance, or other failures. These provisions often cap financial liability to a specific amount, such as the value of the contract or a multiple of fees paid. Some DPAs exclude liability for indirect damages, like lost profits or reputational harm, while others carve out exceptions for gross negligence or willful misconduct. Negotiating these terms is crucial, as businesses seek to balance risk while ensuring accountability for data protection failures.