What Is a Data Processing Agreement - A Deep Dive in DPA

Vy Le

Vy Le | 26/07/2023

What Is a Data Processing Agreement - A Deep Dive in DPA

A company needs more than just personnel and infrastructure to perfect a software product. After all, the audience that uses the products and services of a business is customer-oriented. Activities such as customers’ last payments, their previous login website, etc., seemingly meaningless data bring the company unexpected valuable insights.

Although people nowadays know how to integrate ML (Machine Learning) into the security management system to optimize the security of the information apparatus, data loss still occurs for many reasons. That is why businesses need to pay attention to developing data processing agreements to avoid fines for non-compliance under several pieces of privacy legislation around the globe.

A data processing agreement acts as a crucial component of any data-driven operation to conduct obligations for entities handling personal data. However, what is a data processing agreement exactly? By providing all the necessary information about DPA, this article will clear up all your queries about this kind of agreement.

What Is a DPA (Data Processing Agreement)?

The data processing agreement, also known as the DPA, is a legally binding contract that outlines the data protection obligations and rights involved in data processing. This document type is typically entered into between a data controller like a company and a data processor, which could be a service provider.

The data processing addendum aims to regulate consumer data usage by companies, the scope and purpose of personal data processing, and the relationship between the two parties. More specifically, by setting clear expectations and data protection regulations regarding such personal data, DPA ensures only necessary and relevant data is collected and processed, thereby minimizing the risk of excessive data collection.

In some exceptional cases, the DPA may require the signatures of data subjects whose data is being processed, especially if their explicit consent is needed for certain types of processing activities. Any violation leading to data accumulation is considered a breach of contract, even a violation of the law after the signing of a data processing agreement has been completed. Therefore, to ensure ongoing data security and transparency and the interests of both parties, adhering to the details of the DPA is a necessary and sufficient condition.

Who Signs DPA & What Are Their Responsibilities?

Regardless of the names or the positions of data processing agreements signatories, they are divided into two main parties, including data controllers and data processors, with different roles and responsibilities.

Data Controller

While the specific responsibilities of data controllers may vary depending on the applicable data protection laws and regulations in different jurisdictions, the specific duties of data controllers generally revolve around managing, using, and protecting sensitive data.

The data controller is the entity or individual who determines the purposes and means of the processing systems. With the ultimate right to data processing procedures and intended use after obtaining the consent of the data subjects, they are responsible for ensuring such personal customer data is processed in compliance with applicable data privacy laws.

Because of the importance of the collected data, in addition to managing data lawfully, the data controller is also responsible for ensuring the accuracy and integrity of the personal data they hold to avoid data quality issues like outdated, inaccurate ones, etc., and analyze them into valuable information.

In case data subjects have requirements related to their data, such as access controls, rectification, portability, etc., data controllers are also responsible for handling them within the legally required timeframes.

Data controllers can be:

  • E-commerce company: An online marketplace on an e-commerce platform collecting customer data during their shopping behaviors and previous purchase processes can be considered a controller.
  • Social media platform: Facebook or Instagram collecting personal data from users for content personalizing, and targeted advertising acts as a controller.
  • Healthcare provider: Hospitals collecting and processing patient data for medical treatments are data controllers.

Data Processor

A third-party data processor is an entity or individual that processes personal data on behalf of the data controller. As such, data processors are responsible for acting under the instructions of the data controller and are obligated to all terms and conditions set forth by the controller in the data protection agreement, especially processing data only for the specified purposes and in accordance with the agreed terms.

The role of data processors typically involves various tasks related to the act of transferor, organizing, and processing personal data for a specific company. This party ensures technical and organizational measures work properly to optimize data protection against accidental access, destruction, alteration, or use.

Like data controllers, processors must also maintain the accuracy and up to date of data. At the same time, prepare timely infrastructure solutions to have customer personal data erased or corrected if it is inaccurate due to the data subjects’ rights.

Data processors can be:

  • Service provider: Companies like Orient Software provide outsourcing solutions for software development, storage, and processing of data on behalf of clients who act as data processors.
  • Marketing agency: Agencies handling customer data for marketing campaigns such as email marketing or targeted advertising can be considered processors.
  • Payment processing company: Organizations like Stripe or PayPal that process payment transactions and personal data related to financial transactions are data processors.

What Is the Relationship Between a DPA and GDPR Compliance?

GDPR (General Data Protection Regulation) is a data protection regulation that sets out the particular requirements for personal data processing within the European Union (EU) and the European Economic Area (EEA). This means that any organization that wants to target or collect data about the residents in the EU must follow the rules of GDPR compliance. By providing specific privacy and security laws, the EU ensures to protect individuals’ fundamental rights and freedoms.

On the other hand, DPA (Data Processing Agreement) is required under GDPR when a data controller cooperates with a third-party vendor to handle personal data on its behalf. As a means to operationalize and implement the principles and standards outlined in GDPR, establishing the DPA helps both parties gain a clear understanding of personal data processing, transparency, and accountability.

It is important to note that, due to this overlap, DPA is sometimes called a GDPR data processing agreement, but their functions are the same.

What Is the Example of DPA?

What Is the Example of DPA?

Any use case of information and sensitive data of people in the EU to serve the needs of developing products and services of enterprises requires the appearance of data processing agreements.

In fact, DPAs exist in more aspects of life than you think. Suppose an IT outsourcing company provides a billing software development service for an EU customer. For the software development process to go smoothly, the third-party vendor must collect the user data of the people here. In this case, the EU client, as the data controller provides a detailed DPA; the outsourcing company, as a data processor, is responsible for processing the customer’s data in compliance with GDPR policies.

What Are Essential Elements Include in Data Processing Agreements?

Because the DPA is of great importance to meeting the standards of data protection laws in the region and protecting individual rights, it is crucial that you build a data processing agreement with all of the following elements.

  • Parties involved: Data controllers and data processors are objects that should be clearly defined and named in the DPA.
  • Scope and purpose of data processing: Make sure you have fully covered the sub-elements like the nature, purpose, subject duration, processed data types, matter, etc.
  • Data protection obligations: This section outlines the obligations that both parties must comply with based on data protection laws, including the General Data Protection Regulation (GDPR) for EU residents’ data.
  • Rights and responsibilities: Outlining all responsibilities of the data controller (e.g., legal process establishing, end-users rights upholding) and data processor (e.g., information security maintaining, data breach reporting, audit permission).
  • Security measures: The DPA should detail the implementation of technical and organizational measures to ensure data security.
  • Sub-processing: If you use sub-processors to carry out certain processing activities, state that clearly in the DPA.
  • Data breach procedures: Including risk management methods in case a data breach occurs during the cooperation.

What to Do When a Data Breach Occurs?

The data controller and processor must always work together to ensure the highest level of security over consumer data. However, suppose personal data occurs due to reasons of force majeure or lax security of either party. In that case, it is the responsibility of all involved in the DPA to endeavor to prevent the spread of data.

As a first step, the data processor is required to notify the data controller immediately and cannot withhold such information under any circumstances. The data controller needs to stay calm and perform security analysis operations such as verifying the accuracy of information about personal data breaches, verifying information compromised types, the people affected number, and whether there is contact information for those people.

Note that if the data controller is an entity that discovers a data breach or potential risk, they are responsible for reporting to the proper supervisory authority within 72 hours of becoming aware of it. For data processors, there should not be any delay in informing the reach to the controller.

To limit the impact of the breach, both parties go to the most important stage of using all available solutions, technologies, and tools to contain and recover the data if possible. You may even need the help of data protection impact assessments (DPIAs) when required. In case the breach affects data subject rights, notifying affected individuals is a must.


To thoroughly eliminate security issues and limit unnecessary damages related to privacy laws, it is vital for all parties to carefully review the DPA, understand its terms, and ensure that they are willing to comply with the obligations outlined in the agreement.

The above data avoidance guidelines are general guidelines only for reference in most cases. However, the nature of the breach and the organization’s jurisdiction may be diverse. Businesses should consult with legal professionals like the cybersecurity outsourced team or relevant authorities for better guidance tailored to the specific situation.

We cannot deny the importance of DPA in maintaining software development security. However, the online data processing agreement can do nothing if you don’t have enough personnel with the expertise and tools to adhere to the common cybersecurity risks. If you are looking for a reliable third party, Orient Software, with full of a service package, is here to help your business grow. Leave us a message today.

Content Map

Related articles