Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into as of [Eff Date], by and between:

[Controller Name] ("Data Controller"),

and

[Processor Name] ("Data Processor").

This DPA complies with applicable U.S. data privacy laws including the CCPA/CPRA (Cal. Civ. Code 1798.100 et seq.) and state-level privacy statutes.

1. DEFINITIONS

2. SCOPE AND PURPOSE OF PROCESSING

Categories of Data: [Data Categories].

Data Subjects: [Data Subjects].

Purpose: [Processing Purpose].

Duration: [Processing Duration].

3. PROCESSOR OBLIGATIONS

The Processor shall: (a) process Personal Data only on documented instructions from the Controller; (b) ensure persons authorized to process data have committed to confidentiality; (c) implement appropriate technical and organizational security measures; (d) assist the Controller with data subject rights requests; (e) assist with data protection impact assessments where required.

4. SECURITY MEASURES

The Processor shall implement the following security measures: [Security Measures].

5. SUB-PROCESSORS

The Processor may engage the following sub-processors: [Sub Processors].

6. DATA BREACH NOTIFICATION

The Processor shall notify the Controller of any Data Breach without undue delay, and in any event within [Breach Notification Period] of becoming aware of the breach.

7. INTERNATIONAL DATA TRANSFERS

Any transfer of Personal Data to a third country shall be subject to appropriate safeguards, including [Data Transfer Mechanism] ([Transfer Mechanism]).

8. AUDIT RIGHTS

The Controller shall have the right to audit the Processor's compliance with this DPA upon reasonable notice.

9. DATA DELETION

Upon termination, the Processor shall delete or return all Personal Data and certify deletion, unless retention is required by applicable law.

10. LIABILITY

Each Party shall be liable for damage caused by processing that infringes applicable data protection law, in accordance with the terms of the main agreement.

IN WITNESS WHEREOF, the Parties have executed this DPA as of the date first written above.

Party 1

________________

Signature

Date: ________________

Party 2

________________

Signature

Date: ________________

Maintained by Vladislav Sergienko, Founder.

What Is a Data Processing Agreement?

A Data Processing Agreement in the United States sets out the rights, duties, and consideration binding the parties to it: the terms on which a processor handles personal data on a controller's behalf.

DPAs are mandated by several privacy regulations. The EU General Data Protection Regulation (GDPR) Article 28 requires controllers to have a written contract with any processor that handles personal data on their behalf. The California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), require businesses to enter into agreements with service providers that include specific contractual provisions about data use and protection under California Civil Code Section 1798.100 et seq. The Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and other state privacy laws enacted since 2021 contain similar requirements.

The DPA is distinct from a privacy policy (which discloses data practices to consumers) and a data collection consent form (which obtains individual consent). Instead, it governs the business-to-business relationship regarding data handling. Without a DPA in place, both the controller and processor face regulatory enforcement, fines (up to 4% of annual global turnover under GDPR or $7,500 per intentional violation under CCPA), and civil liability for data breaches.

When Do You Need a Data Processing Agreement?

A Data Processing Agreement is required in the following situations: when a business uses a third-party cloud service provider (AWS, Google Cloud, Azure) to store or process customer personal data; when a company outsources payroll processing, HR functions, or benefits administration to a service provider; when a business uses a CRM platform, email marketing service, or analytics tool that processes customer data; when a healthcare organization shares protected health information (PHI) with a business associate, which also requires a HIPAA Business Associate Agreement; and when a company uses a third-party customer support, call center, or chat service that accesses personal data.

Additional scenarios include engaging IT consultants or managed service providers who access company systems containing personal data, using third-party payment processors that handle financial data, working with marketing agencies that manage customer databases, and contracting with data analytics firms that process behavioral or demographic data.

Operating without a DPA exposes both parties to significant legal risk. Under GDPR, the absence of a DPA is itself a violation of Article 28, independent of any actual data breach. Regulatory authorities have issued fines specifically for the failure to have adequate data processing agreements in place. In the United States, the FTC has taken enforcement action against companies that failed to contractually require adequate data protection from their service providers.

What to Include in Your Data Processing Agreement

A compliant Data Processing Agreement must include the following elements:

Subject matter and duration -- a description of the processing activities, the categories of personal data being processed, the categories of data subjects, and the duration of the processing.

Nature and purpose of processing -- the specific purpose for which the processor handles personal data (e.g., cloud storage, analytics, payment processing), and a restriction that the processor may not process the data for any other purpose.

Processor obligations -- the processor's duty to process data only on documented instructions from the controller, to maintain confidentiality, to implement appropriate technical and organizational security measures (as specified in GDPR Article 32), and to assist the controller in responding to data subject rights requests.

Sub-processing restrictions -- whether the processor may engage sub-processors, the requirement for prior written consent from the controller, the obligation to impose the same data protection requirements on sub-processors, and liability for sub-processor actions.

Security measures -- specific technical and organizational measures the processor must implement, including encryption, pseudonymization, access controls, regular security testing, and incident response procedures.

Breach notification -- the timeline and procedure for notifying the controller of a data breach (72 hours under GDPR Article 33), the information that must be included in the notification, and the processor's obligation to assist with breach investigation and remediation.

Data subject rights assistance -- the processor's obligation to assist the controller in fulfilling data subject requests for access, rectification, erasure, data portability, and restriction of processing.

International data transfers -- if data will be transferred outside the EEA (for GDPR) or outside the jurisdiction of origin, the legal mechanism for the transfer (Standard Contractual Clauses, adequacy decisions, binding corporate rules, or the EU-U.S. Data Privacy Framework).

Audit rights -- the controller's right to audit the processor's data protection practices, including on-site inspections and review of security certifications (SOC 2, ISO 27001).

Data return and deletion -- the processor's obligation to return or delete all personal data upon termination of the agreement, and certification of deletion upon request.

Liability and indemnification -- allocation of liability between controller and processor for data breaches, regulatory fines, and data subject claims.

Sources & Citations

Statutory citations link to official government sources.

  1. HIPAA (US) – Cornell LII
  2. California Consumer Privacy Act – CA (US) official
  3. GDPR Article 32 – EU (GDPR)
  4. GDPR Article 33 – EU (GDPR)

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Data Processing Agreement (United States) [Legal document template]. Forms Legal. https://forms-legal.com/usa/business/intellectual-property/data-processing-agreement

MLA

"Data Processing Agreement (United States)." Forms Legal, 2026, https://forms-legal.com/usa/business/intellectual-property/data-processing-agreement.

BibTeX

@misc{formslegal-data-processing-agreement,
  author       = {{Forms Legal}},
  title        = {Data Processing Agreement (United States)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/usa/business/intellectual-property/data-processing-agreement}},
  note         = {Free legal document template. Based on California Consumer Privacy Act (CCPA)}
}

Based on the California Consumer Privacy Act (CCPA). Template last modified June 2026.

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.