Data Processing Agreement

Generate, share and e-sign in minutes

What is a Data Processing Agreement?

Whenever you commit to process data on behalf of a customer, a data processing contract should be entered into. This is also known as a Data Processing Agreement (DPA). The Data Processing Agreement lays out who is responsible for what, and the liabilities that exist if something goes wrong in the relation between data controllers and data processors.

A data controller/processor relationship generally arises where a prospective customer asks you, the software supplier, to carry out a service on its behalf. Carrying out this service might involve you processing personal data provided by the customer. In this relationship, the customer will be the data controller and you will be considered the data processor.

The data controller retains most of the regulatory obligations under GDPR but data processors are accountable under the law for how they process personal data. The Data Processing Agreement sets out rules and obligations for both groups and regulates the way in which they work together.

What is the purpose of a Data Processing Agreement?

Use this Data Processing Agreement (“DPA”) as a standalone contract if you are going to be processing personal data on behalf of your customer and either: (a) your processing is happening before you put in place the other agreement; or (b) the existing agreement you have already signed does not contain data provisions.

What is the background to a Data Processing Agreement (DPA)?

In 2018 the European Union (EU) implemented the General Data Protection Regulation (GDPR). This is a law that protects the personal data of EU citizens by defining and enforcing their rights.

GDPR applies to any company that operates in the EU or any global firm that handles personal data in the EU.

The data processing agreement or data processing addendum is an integral part of GDPR compliance. You can check out our helpful GDPR checklist for SMEs.

Data Processing Agreements and SaaS

A SaaS supplier is legally obliged to include data processing terms in their SaaS Terms of Business or SaaS Master Service agreement (MSA) because it is virtually certain that the SaaS solution will involve some form of processing of personal data (even if such processing is extremely limited). 

For this reason our standard SaaS contract contains data processing (DP) terms.

What about sub-processors that I might contract with?

You will have to ensure that any sub-processor you use as part of your service also adheres to data processing terms or a DPA. For that reason data protection provisions are included in all of our agreements whether you are procuring a consultant or another technology service provider.

Remember, if you’re appointing a sub-processor, you’ll not want to use this DPA. This DPA is pro-processor. So, when appointing a sub-processor you’ll likely want pro-customer terms.

What is a Data Processing Addendum?

A data processing addendum is another name for a data processing agreement.

What is a Data Processing Agreement not?

A data processing agreement is not a privacy policy. A privacy policy is a legal statement which describes how a company collects, processes and handles the data of its visitors and customers. If you need a privacy policy, you can find more details here.

Why do I need a separate Data Processing Agreement?

Some contracts were struck before May 2018 when GDPR came into effect and it is simpler to sign a separate data processing agreement or DPA with your customers than to re-sign an existing contract.

Alternatively, if you are giving access to personal data before you go live with your SaaS contract, you’ll need a DPA.

How does it work?

Select an agreement

Answer simple questions

Edit the generated agreement

Share and e-sign in seconds

Need more Policies, Agreements or Certifications?

We do the heavy-lifting for you

Adoptech is a single platform that provides a full suite of products.

InfoSec Policies

Company Policies

Legal Agreements

ISO 27001 Certification