GDPR spotlight: Data Processing Agreement (DPA)
January 1, 2025

In today's data-driven world, ensuring the proper handling and protection of personal data is a critical concern for businesses. A key element in this is the Data Processing Agreement (DPA). This article explores what a DPA is, why it is essential, and how Tillion can assist companies in creating, managing, understanding and aligning their DPAs.

What is a Data Processing Agreement (DPA)?

A Data Processing Agreement (DPA) is a legally binding contract between two parties:

  • the data controller - the entity that determines the purpose and means of processing personal data; and
  • the data processor - the entity that processes personal data on behalf of the data controller.

The DPA sets out the obligations, responsibilities, and procedures the processor must follow so that personal data is protected and processed lawfully under privacy laws such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and others.

Examples of DPA requirements under GDPR and CCPA

GDPR: Article 28(3) requires that processing by a processor be governed by a contract (or another legal act) that binds the processor to the controller, and it lists the terms the contract must contain: processing only on the controller's documented instructions (including for transfers), confidentiality of the personnel involved, the security measures required by Article 32, the conditions for engaging sub-processors, assistance with data subject requests and with the controller's security, breach-notification and impact-assessment duties, deletion or return of the data at the end of the service, and making available the information needed to demonstrate compliance, including audits.

CCPA: The CCPA does not use the term "DPA", but its definitions of "Contractor" (Section 1798.140(j)(1)) and "Service provider" (Section 1798.140(ag)(1)) both require a written contract before a business discloses a consumer's personal information to such a party, and the contract must contain specific terms (for example, limits on retention, use and disclosure of the data, and a duty to comply with the CCPA).

Why is a DPA Essential?

  • Compliance with Regulations: Under laws like the GDPR, businesses are legally obligated to put a DPA in place before a third-party processor handles personal data on their behalf; the absence of one is itself an infringement. Fines for breaching Article 28 can reach €10 million or 2% of total worldwide annual turnover, whichever is higher (Article 83(4)); the top tier of €20 million or 4% (Article 83(5)) applies to infringements such as processing without a lawful basis, ignoring data subject rights, or unlawful international transfers.
  • Clarifying Responsibilities: A DPA clearly defines the roles and responsibilities of each party involved, ensuring that both the controller and processor understand their duties in protecting personal data.
  • Mitigating Risk: By establishing security protocols and incident response procedures, a DPA helps minimize the risk of data breaches and ensures that both parties act swiftly in case of any data-related incidents.
  • Building Trust: For companies handling sensitive information, having a DPA in place signals to clients and partners that their data is handled with care and in line with legal requirements.

General structure for a DPA

While the specifics of a DPA depend on the business needs and jurisdiction, here is a general outline that can serve as a foundation:

  1. Introduction:
    • Names of the data controller and processor
    • Scope and purpose of the agreement
  2. Data Processing Terms:
    • Description of the data being processed (e.g., personal, sensitive, financial)
    • Legal basis for processing (e.g., consent, contractual necessity)
  3. Processor Obligations:
    • Compliance with relevant laws (e.g., GDPR, CCPA)
    • Implementing security measures (e.g., encryption, access control)
  4. Sub-processors:
    • Whether the processor is allowed to engage third parties (sub-processors)
    • Conditions for doing so (e.g., approval from the controller)
  5. Data Subject Rights:
    • Facilitating the data subject's right to access, correct, or delete their data (GDPR Articles 15-17; CCPA Sections 1798.100-1798.105)
  6. Data Security:
    • Technical and organizational measures to safeguard data
  7. Breach Notification:
    • Requirements for notifying the controller of data breaches: under GDPR Article 33(2) the processor must notify the controller without undue delay after becoming aware of a breach, so that the controller can meet its own 72-hour deadline to the supervisory authority under Article 33(1). Under California law, the statutory breach-notification duty is in Civil Code Section 1798.82; CCPA Section 1798.150 gives consumers a private right of action for breaches caused by a failure to maintain reasonable security.
  8. Term and Termination:
    • Duration of the agreement and the conditions under which it can be terminated
  9. Governing Law:
    • The jurisdiction and applicable law governing the agreement. Note that the contract's governing law is distinct from which data protection laws apply: the GDPR applies according to its own scope rules in Article 3 (including to non-EU businesses offering goods or services to, or monitoring, people in the EU), and the CCPA applies to businesses that do business in California and meet its thresholds, regardless of where they are based.

Note: You can find a DPA template as an annex to this article.

How Can Tillion Help?

Tillion offers businesses comprehensive support in navigating the complexities of DPAs. With expertise in data protection laws and industry best practices, Tillion helps companies:

  • Generate tailored DPAs automatically that meet regulatory requirements and address specific business needs.
  • Review and audit existing DPAs to ensure compliance with updated legal standards like GDPR.
  • Provide automated tools to manage and monitor DPA execution, including tracking sub-processors and overseeing data processing activities.
  • Ensure seamless integration with third-party data processors, minimizing operational friction and ensuring compliance.

Further Considerations

  • Regular Updates: It’s important to periodically review and update DPAs to reflect changes in processing activities, data protection laws, or security measures.
  • International Transfers: If personal data is transferred outside of certain jurisdictions (e.g., the EU), additional safeguards may be needed to ensure the data is adequately protected.

DPAs are a fundamental aspect of modern data privacy. Businesses must approach them with diligence. By using Tillion, companies can navigate the regulatory landscape with confidence and ensure their data processing activities align with legal and ethical standards.

Annex: DPA Template

Note: the following Data Processing Agreement (DPA) template is provided as a general reference and should not be considered legal advice. It may not capture all details relevant to your business or legal requirements.

Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") is entered into between:

[Company Name], located at [Company Address], (“Data Controller”),

and

[Service Provider Name], located at [Service Provider Address], (“Data Processor”).

Effective Date: [Insert Date]

1. Definitions

1.1. Personal Data: Any information relating to an identified or identifiable individual.

1.2. Data Controller: The entity that determines the purposes and means of processing Personal Data.

1.3. Data Processor: The entity that processes Personal Data on behalf of the Data Controller.

1.4. Sub-Processor: Any processor engaged by the Data Processor who agrees to receive Personal Data for processing activities on behalf of the Data Controller.

1.5. Applicable Data Protection Laws: All privacy and data protection laws, including but not limited to the GDPR, CCPA, and any other applicable legislation.

2. Purpose of the Processing

2.1. The Data Processor shall process Personal Data only for the following purposes: [Insert description of processing activities].

2.2. The Data Processor shall not process Personal Data for any other purpose without the prior written consent of the Data Controller.

3. Data Processing Terms

3.1. Categories of Data Subjects:

The Personal Data processed concerns the following categories of Data Subjects:

  • [e.g., Customers, Employees, Website Users]

3.2. Categories of Personal Data:

The Personal Data processed concerns the following categories of data:

  • [e.g., Name, Contact Information, Payment Information, IP Addresses]

3.3. Legal Basis for Processing:

The processing of Personal Data shall be based on one or more of the following legal grounds as required by applicable data protection laws:

  • Consent of the data subject
  • Necessity for the performance of a contract with the data subject
  • Compliance with a legal obligation
  • Protection of vital interests
  • Legitimate interests pursued by the Data Controller or a third party, provided such interests are not overridden by the data subject’s rights and freedoms.

4. Data Processor Obligations

4.1. Compliance with Laws: The Data Processor shall process Personal Data in compliance with all applicable laws, including the GDPR and CCPA.

4.2. Security Measures: The Data Processor agrees to implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access, taking into account the nature of the data and the risks of the processing.

4.3. Confidentiality: The Data Processor shall ensure that all employees and other individuals authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.4. Sub-Processing: The Data Processor shall not engage any Sub-Processors without the prior written consent of the Data Controller.

5. Data Subject Rights

5.1. The Data Processor shall assist the Data Controller in fulfilling its obligations to respond to requests from Data Subjects to exercise their rights under applicable laws, including the right to access, rectify, erase, restrict, or object to the processing of their Personal Data.

6. Data Breach Notification

6.1. The Data Processor shall notify the Data Controller without undue delay after becoming aware of any personal data breach, including the nature of the breach, affected data, and any corrective actions taken.

7. International Data Transfers

7.1. The Data Processor shall not transfer Personal Data outside the European Economic Area (EEA) or other jurisdictions unless such transfers comply with applicable data protection laws, including the implementation of appropriate safeguards (e.g., Standard Contractual Clauses).

8. Duration and Termination

8.1. Duration: This DPA shall remain in effect for as long as the Data Processor processes Personal Data on behalf of the Data Controller.

8.2. Termination: Upon termination of this DPA or of the underlying services agreement, or at the Data Controller's request, the Data Processor shall, at the Data Controller's choice, delete or return all Personal Data in its possession and delete existing copies, unless applicable law requires the Data Processor to retain it.

9. Audit Rights

9.1. The Data Controller has the right to audit the Data Processor’s compliance with this DPA and applicable data protection laws upon reasonable notice and during regular business hours.

10. Indemnity and Liability

10.1. The Data Processor shall indemnify and hold the Data Controller harmless from any claims, fines, or damages arising from a breach of this DPA caused by the Data Processor’s negligence or failure to comply with applicable data protection laws.

11. Governing Law

11.1. This DPA shall be governed by the laws of [Insert Jurisdiction].

Signatures

Data Controller:

Name: ____________________

Title: ____________________

Date: ____________________

Signature: ____________________

Data Processor:

Name: ____________________

Title: ____________________

Date: ____________________

Signature: ____________________

Disclaimer

The content provided here is for informational purposes only and does not constitute legal or regulatory advice.
