Data Processing Agreement (DPA): What’s for and how it works

Since 2018 when the GDPR entered into force, all business entities, natural persons, and governmental agencies should keep constantly in mind and observe the rules and principles on data privacy which it prescribes. Well, it depends of course, but one cannot argue, that General Data Protection regulation became a revolution.

So, under the GDPR all persons or entities directly interacting with the Personal Data are divided into the following categories:

  • data subject
  • controller
  • processor
  • third party;)

The data subject is any identified or identifiable person whom personal data may be carried out only on the legal basis (performance of a contract, consent, public interest, protection of vital interest, compliance with a legal obligation and legitimate interest) by the controller who determines the purpose and methods of data processing.

Then to process this data, the controller needs the help of the processor. The last one processes the data according to the controller’s directions. The issue arises at the stage of transmitting the privacy data from the controller to the processor.

Let’s imagine the following situation: you are the owner of the flower shop who legally obtains the personal information (name, date of birth, address of living, favorite flowers, and other contact information) from its clients. You are going to make a great sale and need a specialist to make an electronic notification of the event. Your friend recommends a great professional with whom you conclude a gentleman agreement (there’s no written legal obligation because you trust your friend). Unfortunately, at some point happens a breach in the system due to the negligence of that specialist and the information of all your customers’ leaks. You lose money and probably a friend as well as the trust of your clients. Then you’d like to sue that specialist, but your claim cannot be supported by any tangible evidence as the concluded agreement was oral.

Now, what could be done to avoid such a situation?

First of all, it becomes obvious that any flow of information between the controller and the processor must be governed only by the written agreement- Data Processing Agreement which an essential element of their relationships, and is a legal requirement. In this case, GDPR does not make any difference between small businesses run by one person and large corporations.

What should be covered by the DPA (Data processing agreement)?

The DPA must include all the terms defined in articles 28-36 of the GDPR.  But the most important provisions regard the subject matter and obligations of the contracting parties.

  1. The subject matter

To comply with the requirements of the GDPR the subject matter should be described in details: the categories of the data to be transferred and, if exists, special categories of data. This information usually is described in the annex to the main agreement.

  1. Obligations of the controller and the processor under the GDPR


  • obliges to carry out the transfer of the personal data in accordance with the relevant provisions of the applicable data protection law.
  • obliges to instruct the data processor to process the personal data transferred only on the controller’s behalf and for the purposes established by the latter.
  • obliges to guarantee that the processor takes all the appropriate security measures to protect the personal data.
  • obliges to make available to the data subjects upon their requests a copy of the DPA. If the DPA contains the commercial information, the controller may remove it.


  • obliges to act only upon the instruction of the processor.
  • provides all the technical and organizational security measures necessary for ensuring the protection of the personal data. These measures should be fixed in the annex to the DPA. For example, pseudonymization, anonymization, NDA with employees as well as internal security policy, entry control system, and any other measures taken by the processor.
  • obliges to notify the controller on the legally binding request for disclosure of the personal data by a law enforcement authority; on any accidental or unauthorized access and any request from the data subject.
  • obliges to engage the sub-processor only upon the agreement of the controller.
  • obliges to erase or return the personal information obtained from the data controller after the performance of the agreement

The parties agree that on the termination of the provision of data-processing services, the processor and the sub-processor shall, at the choice of the controller, return all the personal data transferred and the copies thereof to the controller or shall destroy all the personal data and certify to the controller that it has done so unless legislation imposed upon the processor prevents it from returning or destroying all or part of the personal data transferred.”

So, after the performance of the necessary operations prescribed by the controller, the processor may in no case use the given data for any other purposes. If the respective legislation prohibits the erosion or returning, the controller may leave the given data provided that it will guarantee the confidentiality of the transferred data and will not actively process it anymore. This provision is of utmost importance and must be always included because it ensures the data subject’s rights- the right to be forgotten.

  • obliges to keep records of the processing agreement, to comply with the principle of accountability: to be able to present these records to the supervisory authority at its request.

The foregoing provisions are the core of any DPA, so you might add any other requirements to ensure the best protection of the personal data.

What about the liability?

Generally, the obligation to refund the compensation for the breach lies on the controller.

The parties agreed that any data subject who has suffered damage as a result of any breach of the aforementioned obligations by any party or sub-processor is entitled to receive compensation from the controller for the damage suffered.”

Although, should the processor disobey the instructions given by the controller for data processing, the processor will have become a controller at least to the extent of the breach of the controller’s instructions. So, the processor may be regarded as a controller who acts unlawfully. But still, the initial controller must give explanations of why he didn’t ensure effective control over the processor actions.

Another issue, which may arise, is when the controller has factually disappeared, ceased to exist in law, or become insolvent. Then the processor must be responsible for compensation for the damages. However, if there is a successor entity (by contract or by law) assuming the entire legal obligations of its predecessor (controller), then it, not the processor, deemed legally bind to refund the damages. But it all depends of course.

What the DPA says when the controller and the processor may not be liable?

There might be a situation when the data subject is not able to bring a claim against the controller and the processor. Then the data subject may file a claim against the sub-processor. Nevertheless, such liability is limited only to its processing operations under the DPA. Therefore, the sub-processor takes no responsibility for the actions of the controller and of the processor.

Is the GDPR the only legal framework to keep in mind to create a great DPA?

While drafting the DPA, it is obligatory to make it in accordance with the Standard Contractual Clauses (SCC) adopted by the Commission of the EU which offers sufficient safeguards on data protection for the data to be transferred internationally.

It has so far issued two sets of standard contractual clauses for data transfers from data controllers in the EU to data controllers established outside the EU or European Economic Area (EEA). It has also issued one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU or EEA. The SCC may not be reduced.

The parties may add clauses on business-related issues as long as they do not contradict the DPA. Furthermore, in addition to the DPA the controller and the processor may, but not obliged to, establish code of conduct or certification mechanism “to enhance transparency and compliance with this Regulation”.

In conclusion, the DPA is not merely a legal formality, it is an effective tool for protecting the interest of all the concerned parties. Furthermore, the DPA is an inevitable part of the controller-processor relationships which guarantees the safety and confidentiality of the personal data as well as ensures fair compensation for the data subject and fair division of liability between the controller and the processor.

    Your question to IT lawyers