What is a data processing agreement?
A data processing agreement or addendum (DPA), also called a data processing exhibit, is a legally binding document that describes an arrangement between two organizations in which one instructs the other to perform information operations on its behalf.
A data processing agreement almost always entails a third party processing personal data. For this reason, data protection agencies have strict rules governing data processing agreements. These agreements are commonly between a controller (typically a company) and a processor (typically a third-party service provider), but may also be between a processor (third-party service provider) and a subprocessor (another third-party service provider or outside contractor), in which case they are sometimes referred to as subprocessing agreements.
If you are unsure whether you need a data processing agreement, you most likely do, and there can be dire consequences for not having one.
Why is a data processing agreement important?
Data processing agreements are important because data protection laws require an agreement whenever a controller instructs a processor or whenever a processor instructs a subprocessor to process personally identifiable information.
There may be severe consequences if a controller instructs a processor to process personal data without having a data processing agreement in place. For instance, some organizations have received fines too great to recover from.
It’s important for an organization to understand data processing agreements regardless of what activities are happening within the processing chain, because data processing agreements affect your organization at every level. For example, if you are a subprocessor, the obligations in the agreement between the controller and the processor will be passed down to you through the subprocessing agreement, so it still affects you regardless of what role you play in the chain.
How do you benefit from having a data processing agreement?
Having a data processing agreement (DPA) is a legal requirement in many jurisdictions. Data protection laws generally require a controller to have a DPA in place whenever they use a processor and whenever the same processor uses a subprocessor. Without a DPA in place, you could receive fines from regulatory authorities if they deem one was required.
The data processing agreement protects the interests of all the parties involved by making sure each organization in the processing chain operates in compliance with relevant data protection laws and holds up its end of the bargain.
Data processing agreements help organizations meet certain minimum requirements for what the agreement must include, and they protect data subjects through a system of checks and balances between the controller and processor or between the processor and the subprocessor.
DPAs can also help you with information security. Many companies use third-party services to respond to data breaches, leaks, or other security incidents quickly, comprehensively, and effectively. Without the necessary paperwork to get immediate assistance from your processors or subprocessors, your company may not be able to perform the necessary actions to adhere to certain information security requirements.
What should be included in a data processing agreement?
Processors often provide their own version of a data processing agreement that is tailored to the kinds of services they provide. It’s important that your DPA include the following components:
- The subject matter and duration of the processing
- The nature and purpose of the processing
- The type of personal data and data subject categories
- The controller’s obligations and rights
- The processor’s obligations and responsibilities
Data processing agreement and GDPR
The General Data Protection Regulation (GDPR) is considered the toughest privacy and security law in the world. It determines what companies can do with people’s data in Europe. Companies such as Amazon, WhatsApp, Google, and Facebook have been fined more than $1 billion collectively for not complying with GDPR regulations.
GDPR requires a data controller and a data processor to have a contract in place when data processing occurs. To satisfy this GDPR requirement, companies should ensure they have in place a DPA to document how personal data will be processed. The DPA should include:
- Type of personal data being processed
- Duration of the information being processed
- Nature and purpose of the processing
- The controller’s obligations and responsibilities
- The processor’s obligations and responsibilities
- A legally valid transfer mechanism, such as the EU Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) or another legally accepted framework, that enables the lawful transfer of personal data outside of Europe to a geography not considered “adequate” by the European data protection authorities
Requirements for the data processor should include:
- Following the controller’s instructions
- Keeping data confidential and secure
- Data breach notifications
- Ensuring compliance from all parties
- Allowing controller audits
This content is provided for general informational purposes only and does not constitute legal advice. While it reflects common industry definitions, Workday’s contractual approach may vary depending on specific customer relationships and governing terms.