
What Is a Data Processing Agreement (DPA)?


Key Takeaways

1. ‘DPA’ stands for ‘Data Processing Agreement’, which is a contractual agreement between a data processing company (data processor) and a company that collects data (the data controller). The DPA is required by law where the GDPR applies to that company. 

2. Many companies use a data processor to help them store and analyze the data that they have collected. The DPA allows companies to map out exactly how the data will be protected and securely stored so that they avoid data breaches.

3. GDPR does not only apply to companies that are based in the EU. Other international companies will be subject to GDPR compliance if they provide goods or services to EU residents or track information about EU residents. This means that DPAs may apply internationally.

4. The penalty for GDPR non-compliance can be significant. This includes a failure to sign or comply with DPAs. In the worst cases, up to 4% of a company’s global annual revenue or €20 million may be payable, whichever is higher.

Data is a highly valuable asset to the modern organization. But at the same time, the personal data held by that organization is of immense importance to the customers from whom it was acquired.

The European Union introduced the General Data Protection Regulation (GDPR) in order to provide individuals (“data subjects”) with more say in how their personal data is used, and to penalize companies for non-compliance. 

A key element of the GDPR is the definition of personal data: “Personal data” refers to personal details such as names, addresses, contact numbers, email addresses, or payment details. The GDPR defines personal information to include any information that can identify a person. Similar definitions are used in privacy laws in other countries, such as Brazil’s LGPD and China’s PIPL.

In order to ensure GDPR compliance, as well as to protect the value that data brings to their organization, companies need data protection plans setting out how data will be controlled and processed. In turn, an important part of developing a data protection plan is ensuring that a Data Processing Agreement (DPA) is implemented. This is not only a method of mitigating the risk of a data breach but it is also required by law.

It has been said that the DPA does not automatically protect a company’s data, nor protect against non-compliance: If the DPA is not accurately drafted, it may not stand up in court if a data breach occurs. Therefore, it is crucial that organizations create robust DPAs that protect them and the data they send to and receive from other companies.

As an example of the crippling fines that companies can receive for non-compliance, consider the Euronews report on WhatsApp’s €225 million GDPR fine in early 2022.

What is a DPA?

“DPA” stands for “Data Processing Agreement”. A DPA is a legal agreement between the data controller and the data processor that both must sign to comply with GDPR. The Data Processing Agreement is in place to avoid data breaches and to ensure that people’s personal data is kept secure and that it is not exposed to abuse.

As EU data privacy law applies to companies that handle data of EU citizens and residents regardless of whether the organization is EU-based, DPAs are an important consideration for companies anywhere. Implementing robust data protection strategies, such as those outlined in a DPA, is essential when considering removing your online digital data to maintain compliance and safeguard privacy. For example, companies that use software to track cookies or IP addresses of individuals from EU states will be subject to GDPR. Similarly, companies that provide goods and services to EU customers should also be GDPR-compliant.

Key to the Data Processing Agreement are the concepts of the ‘data controller’ and the ‘data processor’. The ‘data controller’ is a company that owns, uses, and collects the data, and the ‘data processor’ is a third-party company that helps to store, analyze or communicate personal data. The data controller is responsible for finding a trustworthy and reliable data processor to use the data in a way that is compliant with the law.

The DPA is a contractual agreement between the controller and the processor and will outline the rights and responsibilities of each party to the agreement in line with Article 28(3) of the GDPR:

“Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”

Within the Data Processing Agreement, the processor must agree to process the personal data held by the controller. Both parties must agree:

  1. That the data will be treated with appropriate confidentiality
  2. That technical measures will be taken to protect the data, and
  3. That the processor will not subcontract to another processor without the controller’s permission.

Both parties will be subject to GDPR obligations and the processor must agree to delete personal data when they stop working for the controller. The processor is obligated to help the controller remain compliant with GDPR laws. 

Why do you need a DPA?

Many companies will use third parties to store and process data, for example, email or cloud storage services. This means that there is an opportunity for misuse of personal data by that company. For example, that company might use email addresses to directly market to customers who never agreed to their email addresses being used in that way.

The GDPR laws are in place to protect people’s data and having a DPA is the main part of ensuring compliance with the law. For companies that are considering expanding to international markets, it is important to consider whether EU residents will receive the goods or services that the company offers and whether any EU personal data will be gathered and passed on to third parties.

Under GDPR, the data subject (the person whose data is used) has a number of rights, including the right to restrict the processing of data and the right to erase data. Since data is so valuable to companies and people have the right to restrict companies from using it, it is in companies’ best interests to ensure that people’s personal information is sufficiently protected. If you’re considering tools to achieve this, exploring a OneTrust review can be a wise first step.

What happens if a DPA is not in place?

As mentioned already, GDPR fines can be issued for those who do not comply with the regulations. Violations in relation to more minor infringements may result in fines up to 2% of the organization’s global revenue or €10 million. For more serious violations, companies may have fines of up to 4% of the company’s global revenue or €20 million, whichever is higher. In addition to fines, ‘judicial remedies’ (such as injunctions) may be applied. It is also possible for any data subjects whose rights are infringed to bring claims for compensation. 

With respect to data processing agreements, there may be penalties both for the data controller (e.g., if they do not have a Data Processing Agreement in place), and the data processor (if they fail to follow it).

With respect to fines, a data protection authority (the regulator in a specific country or state) will use certain criteria to establish what fine will be appropriate: They will assess the gravity and nature of the infringement, the damage suffered, and how long it took to resolve. They will consider whether the infringement was intentional or whether any action was taken to try and mitigate the risk. In addition, precautionary measures will be looked into, including whether the company tried to put things in place to maintain compliance. If, for instance, there had been previous infringements, it is likely that the organization has not tried to mitigate future risk of exposure. The fine will also be dependent on the type of personal data that has been exposed and whether it was proactively reported.

Companies must choose a data processor carefully as, in some cases, they may be liable for any infringements that are committed by the processor.

Horizons takes data processing seriously 

At Horizons, we understand that data protection is extremely important, especially when the GDPR comes into play. As a global professional employer organization (PEO), we handle the processing of employee personal information, and we ensure that Data Processing Agreements are in place, where necessary, and that all other aspects of GDPR compliance are satisfied. 

If you are interested in hiring internationally, in full compliance with GDPR and other data processing laws, please get in touch with one of our global hire experts. 

Frequently asked questions

A Data Processing Agreement (DPA) is required for all companies under the jurisdiction of the GDPR that process personal data, or pass personal data onto third parties for processing.

You could be liable for hefty fines, compensation, or ‘judicial remedies’ such as injunctions.
