When Do You Need a Data Processing Agreement?
If your business uses any external tools or services that handle personal data, there is a reasonable chance you are required by law to have a specific type of contract in place with at least some of those providers. It is called a data processing agreement, it is a legal requirement under the UK GDPR and the EU GDPR, and it is one of the most consistently overlooked compliance obligations, particularly for smaller organisations and startups.
The good news is that once you understand when a data processing agreement is required and what it needs to contain, putting one in place is usually straightforward. This guide explains the key points clearly.
What Is a Data Processing Agreement?
A data processing agreement (DPA) is a legally binding contract between a data controller and a data processor. The controller is the organisation that decides why and how personal data is processed. The processor is the organisation that carries out the processing on the controller's behalf, following the controller's instructions, rather than determining the purpose themselves.
Article 28 of both the UK GDPR and the EU GDPR makes clear that whenever a controller engages a processor to handle personal data, that arrangement must be governed by a binding contract setting out specific terms.
How Do You Know If Someone Is a Processor?
This is a question that causes genuine confusion, and it matters because it determines what type of contractual relationship you need. A processor is not simply any third party that comes into contact with your data. They must be processing that data on your instructions and for your purposes, not their own.
A practical example helps here. If you use a cloud-based HR system to manage employee records, the provider of that system is likely acting as a processor. They are storing and organising data that you input, following your instructions, without using it for any purpose of their own. If, however, you share that same employee data with a pension provider who then manages pension entitlements on behalf of your employees, the pension provider is more likely to be acting as a controller in their own right, because they are making independent decisions about how and why they process that data.
The ICO's guidance on controllers and processors provides a detailed explanation and worked examples if you need to work through a specific situation.
When Is a DPA Legally Required?
A DPA is required whenever you engage a processor to handle personal data on your behalf. Processing personal data through a third-party processor without the required contract in place is a breach of the law, even if you have a broader commercial agreement with that provider that does not specifically address data protection.
Common situations where a DPA is required include using a cloud storage or email hosting service, engaging an email marketing platform to send communications to your customers, using a payroll or HR management system, working with a web analytics or advertising tool that processes user data, using a customer relationship management system that holds client contact information, and outsourcing any customer support function to a team that will access personal data.
If you are unsure whether a particular provider is acting as a processor, a useful starting question is whether they could use the data you share with them for any purpose of their own. If they cannot, because they are contractually restricted to processing it only according to your instructions, then they are likely a processor and a DPA is needed.
What Must a DPA Actually Contain?
Article 28 sets out a specific list of provisions that every data processing agreement must include. The contract must specify the subject matter of the processing, its duration, the nature and purpose of the processing, the type of personal data involved, and the categories of individuals whose data is being processed.
Beyond that, the DPA must require the processor to process data only on documented instructions from the controller, ensure that all authorised personnel are bound by confidentiality obligations, implement appropriate technical and organisational security measures, assist the controller in meeting their data subject rights obligations, and delete or return all personal data when the contract ends.
The agreement must also address subprocessing. If the processor intends to engage another organisation to carry out part of the processing, they must obtain your written authorisation first, and any subprocessors must be bound by the same obligations through a contract of their own.
Does It Have to Be a Separate Document?
No, a DPA can be a standalone contract or can be incorporated into a broader service agreement, provided the required provisions are clearly set out. Many software and service providers have a standard DPA or data processing addendum that they make available to customers, either within their terms of service or on request.
You should always review any standard DPA carefully before accepting it. If a provider does not offer a DPA at all, or is unwilling to enter into one when you ask, that is a significant warning sign. It may indicate that they have not addressed their own data protection obligations, and it is worth reconsidering whether you should be using that service.
What About International Data Transfers?
If your processor is based outside the UK or the EU, or stores data on servers in a country that does not offer an adequate level of data protection, you will need additional safeguards in place on top of the DPA. In the UK, this typically means using the UK International Data Transfer Agreement (IDTA) or another approved mechanism. The ICO's guidance on international transfers sets out the options and explains when each one applies.
Where Should You Start?
A practical first step is to list all the third-party tools and services your business uses that involve personal data in any form. For each one, check whether a DPA is in place. If not, contact the provider and ask whether they have a standard DPA available and how to sign it. Most reputable providers will have one ready.
Once your agreements are in place, review them when you renew or renegotiate contracts, and update them if the nature of the processing changes significantly. If you handle large volumes of personal data or process sensitive categories of data, getting legal support to review your key agreements is a sensible step. Having the right contracts in place provides real legal protection if something goes wrong, and demonstrates to regulators that you have approached your obligations with genuine care.
How Can Gerrish Legal Help?
Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property.
We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements.
We are here to help you. Get in contact with us today for more information.