What is a Data Processing Agreement?

A Data Processing Agreement (DPA) is often used by UK businesses alongside a master service agreement or other similar agreements. A DPA is required when the contracted services involve the supplier processing personal data on behalf of the customer. Its purpose is to ensure that both parties comply with their obligations under the UK GDPR and the Data Protection Act.

In this guide we look at the common clauses a DPA is likely to contain and whether you should accept a DPA provided by a supplier. For assistance drafting, reviewing and negotiating a DPA, and for what to look out for when contracting with third-party service providers, speak to our knowledgeable team of data protection lawyers.

What is a Data Processing Agreement (DPA)?

A Data Processing Agreement (DPA) is a contract that is usually entered into between the Controller and the Processor.

Who is a Controller?

A Controller is a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7) of the GDPR). Essentially Controllers make decisions about processing activities.

Who is a Processor?

A Processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR). Essentially Processors act on behalf of the Controller and under their instructions and authority.

When do you need a DPA?

In short, it’s whenever a Processor conducts any processing on your behalf. According to the Information Commissioner’s Office, contracts between controllers and processors ensure they both understand their obligations, responsibilities and liabilities. Contracts also help them comply with the UK GDPR, and assist controllers in demonstrating their compliance to individuals and regulators, as required by the accountability principle.

If your organisation is subject to the General Data Protection Regulation (GDPR), then it’s pertinent to have a DPA in place with all your data processors. Article 28 of the GDPR sets out what should be included within the DPA (see below: “What are the Common Clauses?”).

Should a Processor use another company to assist in processing activities for the Controller client, it would need to ensure it has a DPA (a Processor-to-Sub-Processor DPA) in place with that Sub-Processor. The terms of that DPA should offer an equivalent level of protection for the personal data to that provided by the initial DPA between the Controller client and the initial Processor. It’s the Processor’s responsibility to ensure that any other Sub-Processor(s) in the chain comply with the requirements of the GDPR and conform to the same level of protection agreed between the initial Controller and Processor. A Processor may not instruct a Sub-Processor without the Controller client’s prior specific or general written authorisation.

The DPA sets out the responsibilities, liabilities and obligations of all parties to the agreement, to ensure processing tasks are carried out in accordance with the UK GDPR. DPAs also assist in demonstrating compliance under the accountability principle.

What are the Common Clauses?

Article 28(3) of the GDPR sets out the clauses required in a DPA:

  • The Processor only processes personal data on documented instructions from the Controller;
  • The Processor must ensure persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • The Processor must implement technical and organisational measures to ensure a level of security appropriate to the risk, as per Article 32 of the GDPR;
  • The Processor will not subcontract to another Processor unless instructed to do so in writing by the Controller. The same requirements should be set out in the Processor-to-Processor DPA as set out in the DPA between the Controller and the Processor;
  • The Processor will assist the Controller by supporting their obligations under the GDPR, insofar as possible, concerning data subjects’ rights as per Chapter 3 of the GDPR;
  • The Processor will assist the Controller in maintaining compliance with regard to Article 32 - security of processing and Article 36 - consulting with the data protection authority before undertaking high-risk processing;
  • The Processor agrees to return or delete all personal data upon the termination of services; and
  • The Processor must allow the Controller to conduct an audit and provide whatever information necessary to demonstrate compliance.

Furthermore, a DPA should stipulate:

  • subject-matter and duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data; and
  • categories of data subjects.

The above are the minimum requirements essential in a DPA, but a DPA would not be complete without the relevant annexes, which would include the following:

  • The Processor’s technical and organisational measures, which demonstrate its ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and to regularly test, assess and evaluate the effectiveness of the technical and organisational measures for ensuring the security of the processing.
  • A list of Sub-Processors; and
  • Any standard contractual clauses that apply to cross-border transfers, for example the EU Standard Contractual Clauses.

Do you need a bespoke DPA, or can you rely on your third-party service provider’s DPA?

You should never blindly accept the Processor’s version of the DPA, in the same way that a Processor would never accept the Controller’s version. As with any contract, the drafting party will always draft it in its own favour. Whilst the above clauses must be contained in the DPA, it’s necessary to check the details of those clauses. For example, how would you know that the technical measures the Processor has put in place are appropriate to the personal data they are processing for you? It’s likely that you would want a cyber security professional to cast an eye over these. There may be other due diligence you wish to conduct, such as checking whether any breaches have previously occurred, when and how, and what preventative measures have been put in place so this doesn’t happen again. If this is an area of concern, here we discuss in more detail what to do if your supplier has a data breach.

Whether you are the Controller needing a Processor’s DPA to be checked, or a Processor needing the Controller’s version to be checked, our specialist data protection solicitors can assist in evaluating the actual risk against the nature and purpose of the processing, and provide specific advice on drafting templates or checking DPAs from the other side to ensure they are satisfactory for the level of risk.

About our expert

Becky White

Senior Data Protection & Privacy Solicitor
Becky is a highly experienced commercial lawyer, specialising in Data Protection and Privacy Law matters. She trained at DAC Beachcroft in the City of London nearly 20 years ago, and then spent most of her career working in-house as the senior or sole legal adviser in a variety of sectors including Construction and Engineering, Oil and Gas, Government and Recruitment.
