What is a Data Processor Agreement?

A Data Processing Agreement (DPA) is a requirement under GDPR and data protection legislation. It is an agreement between a data controller and the organisation working on their behalf, the data processor. It sets out how the data processor will work on the data controllers’s behalf. This can include information about security controls, retention and the use of sub processors.

Who needs a Data Processor Agreement?

Data protection legislation and GDPR require a data processor agreement to be in place when an organisation contracts with another organisation to work on their behalf with the personal information they have gathered. There are some common industries who work as data processors such as IT support, HR support, Virtual assistants, payroll companies, paperwork storage facilities.

What does a Data Processor Agreement have to say?

The General Data Protection Regulation (GDPR) sets out what the data processor agreement should contain. There should be clauses about security, auditing, confidentiality amongst other things. If you would like a checklist of what should be in an agreement, email us at askme@gdpradvisorsuk.com and we’ll send one to you.

Does a data processor agreement have to be in writing?

It is expected that the data processor agreement will be in writing but it can take many forms, such as an email setting out the obligations, it could be included in terms and conditions, or could be a formal contract.

Where can I find a data processor agreement?

We have employed a lawyer to create a data processor agreement which can be tailored to your circumstances. This data processor agreement comes with highlighted text and options which you can tailor for your business. If you get stuck using it, you can give our helpline a call and someone will talk you through the options.

If you need to talk through whether you are a data processor or how to manage a data processor, please give us a call and we'll take you through it.