What is the Meaning of DPA? 

The UK GDPR imposes a significant amount of regulation on all organisations in the UK (and often organisations outside the UK) in order to protect personal data. One of the core and often overlooked requirements of the UK GDPR is to put in place a data processing agreement (DPA) between data controllers and data processors (and sub-processors). A data processing agreement is a DPA. 

In other blog posts, we have explored some of the other documentation and polices that should be put in place within or between organisations. 

In this blog, we will explain the meaning of a DPA, set out its wider legal context and discuss the most heavily focused-on areas of a DPA when it is drafted or is being negotiated. 

DPA – legal background

There are two categories of organisations that process personal data. The category an organisation is in will govern what UK GDPR obligations apply to them.

The first category is that of a “controller”. 

The UK GDPR defines a controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

As the definition explains, a controller can be independent or can share responsibilities equally with other controllers (so called joint controllers). 

A processor is an organisation that processes personal data on behalf of the controller. Data processors are frequently large organisations like cloud service providers and IT support services, but it is not uncommon for smaller organisations to fall within the processor role. Digital marketing agencies, for example, often use their client’s staff’s personal data to deliver their services (e.g. designing a website with team members on it). That digital marketing agency would be a processor in that scenario.

DPA – what is it and why do I need it?

Article 28 of the UK GDPR states that controllers need to have a contract between them and their processors which contains particular clauses, to ensure that the processors are contractually bound and liable to the controller to follow their instructions and protect personal data. 

A DPA is a common form of this contract. It will contain the clauses required by the UK GDPR. These requirements are as follows:

1. That the processor processes personal data only on documented instructions from the controller.

2. Details about any international transfers.

3. That the personnel processing personal data are bound to keep personal data confidential.

4. That the processor takes the necessary technical and organisational measures to protect personal data.

5. That the processor only permits the onward processing of personal data by other processors (“sub-processors”) in certain circumstances.

6. That the processor assists the controller with the controller’s compliance with its UK GDPR obligations.

7. That, if requested by the controller, the processor deletes personal data at the end of the contract.

8. That the processor allows for audits by the controller of its compliance with its UK GDPR obligations as a processor. 

As set out above, commercial parties frequently choose to encapsulate these requirements in a DPA when a controller instructs a processor to process personal data on its behalf.

The DPA can be a separate document that can be agreed as a standalone contract. Alternatively, and more commonly, the DPA is linked or referred to in a wider commercial agreement (such as a SaaS contract or a contract for the supply of services). When the commercial agreement is executed, so is the DPA.

That is not to say that parties cannot just put the required clauses directly into commercial agreements and not bother with a DPA. This is less ideal because a fully considered agreement in respect of the UK GDPR required clauses between controllers and processors can be quite lengthy. A DPA can also be used across a variety of commercial agreements within one business (insofar as the subject matter of the commercial agreements are similar). 

The obligation to enter into a DPA rests with the controller of the relevant personal data. This is because the controller has the ultimate responsibility to comply with the UK GDPR and protect personal data. That said, it is common for organisations that are frequently data processors to have their own DPA that they use in their contractual agreements with their controllers (typically customers of a software product delivered over the internet). Whilst the UK GDPR sets out the minimum standard required, controllers have an interest in going further than what the UK GDPR provides to protect personal data, whereas processors, from a liability perspective, have an incentive to reduce their obligations to the legal and/or practicable minimum. 

A DPA is different from a ‘data sharing agreement’ or similar type of contract between controllers (whether they are independent or joint controllers). We have covered the aspects of such agreements elsewhere.

DPA – key clauses

Whilst all aspects of DPA are important, there are a few clauses that crop up in negotiation every time. 

Security measures

As set out above, a DPA must include clauses ensuring that the processor will implement the necessary technical and organisational measures required to protect the personal data being processed in connection with the DPA. 

That said, it is important that a DPA goes into some detail about what these measures actually are. The European Data Protection Board states:

‘The processing agreement should not, however, merely restate the provisions of the GDPR; rather, it should include more specific, concrete information as to how the requirements will be met and which level of security is required for the personal data processing that is the object of the processing agreement.’

It is common for the DPA to contain a ‘minimum standard’ of technical and organisational measures to protect personal data that the processor contractually agrees to put in place.

What might the minimum standard be? It depends on the type of personal data being processed. The test under the UK GDPR, applicable to all organisations, is that the technical and organisational measures are ‘appropriate’ to the risks associated to data subjects should something detrimental occur in respect of the integrity of the personal data (e.g. a personal data breach). 

Sub-processors

The UK GDPR sets out two options that controllers and/or processors have in respect of the appointment of sub-processors of personal data: 

• prior specific authorisation; or
• general written authorisation 

As the first option – prior specific authorisation – stipulates, the controller can be given the right in a DPA to have a choice over the appointment of any new sub-processor by the processor.

The second option – general written authorisation – if catered for in a DPA, would allow the processor the freedom to appoint such sub-processors as it sees fit provided that it gives the controller an ‘opportunity to object’ to new or changed sub-processors. How much of an opportunity is open to interpretation, but it is clear from the wording of the UK GDPR (and related legal guidance) that such opportunity must be realistic. Too short of a period in which an objection can be made is unlikely to be appropriate. 

A DPA should also state which sub-processors are, as of the date of the DPA, approved. 

Audit

The DPA must cater for a controller’s audit of the processor’s compliance with its DPA obligations.

The requirement under the UK GDPR is explicitly to ‘make available to the controller all information necessary to demonstrate compliance…and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.’

What this entails is normally heavily negotiated, as it is not fully clear under the UK GDPR or related guidance what exactly the requirement is. For example, it is permissible for processors to charge for their time spent on audits, but under the UK GDPR it is not permissible for these costs to be such that it would discourage the controller from actually carrying out an audit. 

Likewise, any requirement of ‘reasonableness’ or other limitations on the scope of the audit right could be problematic under the UK GDPR. 

DPAs and SCCs

As above, the DPA should set out the rights the processor has to export the personal data processed in connection with the DPA outside of the UK.

Exporting personal data outside the UK (whether an organisation is a controller or a processor) is restricted unless certain safeguards are in place. The main safeguard is a transfer of personal data to a third country that has been deemed adequate by the UK Government (e.g. the member states of the EEA). 

The other safeguard is the putting in place of ‘standard contractual clauses’ (SCCs) between the exporter and the importer which give data subjects additional rights to protect their personal data against the importer. 

Therefore, where a DPA is between a UK based controller and a processor based in a non-adequate country, it is common for the DPA to refer to the standard contractual clauses which can form part of the DPA. 

Conclusion

DPAs are an important part of UK GDPR compliance. If you need assistance putting in place a DPA or assessing whether you need to have one, please do not hesitate to contact our data protection experts Colin Lambertus and Neil Williamson directly or you can contact the firm here. 

Further Reading

Dutch DPA Fines Uber €290 Million for Unlawful International Personal Data Transfers

August 30, 2024

New ICO Guidance: Content Moderation and Data Protection

May 13, 2024

Data Protection Update: Data (Use and Access) Bill 

October 30, 2024