Free Template Data Processing Agreement
Sieuwert van Otterloo
A data processing agreement (DPA) is required under GDPR when one organisation shares its personal data with a supplier or business partner. We created a free template that contains all required elements for a basic data processing agreement.
What is a data processing agreement
Most companies handle personal data in some form, and therefore have to adhere to the General Data Protection Regulation (GDPR, Dutch: AVG). One of the principles of GDPR is that the data must be protected with adequate security measures. The data processing agreement is an agreement between two organisations that share personal data with each other. The data processing agreement contains specific clauses to keep that protection in place. In addition, the data processing agreement contains clauses to ensure data is used only for the right purposes and that the parties cooperate with audits. A data processing agreement is mandatory when personal data is exchanged. You can be fined if you exchange data before a data processing agreement is in place.
A data processing agreement can be a separate agreement, or an appendix to a larger contract. Some companies have a standard data processing agreement. In other cases, a custom data processing agreement is needed. Our template can be used for making such a data processing agreement.
Controller and processor
A data processing agreement contains two roles:
- a controller that determines the means and purposes of the data processing
- a processor that handles the data based on instructions of the controller.
In many cases, the supplier is the processor and the client/customer is the controller. This is however not required: in some cases the supplier determines the means and purposes and is therefore the controller. An example would be a case where a shoe factory asks a market research company to collect market information via a survey. The party that chooses the survey questions, survey tools and respondents is the controller. This can be either the market research company or the shoe factory, depending on the nature of the main agreement between the two parties.
Note that in some cases organisations decide together on the means and purposes, e.g. two cities that collaborate. In that case a controller-controller agreement is needed and this template should not be used.
Details to be filled in
It is necessary to fill in some basic details on what personal data is processed. You need to specify what service the data processing is for, what goal the processing has (e.g. delivering a service, innovation, preventing fraud) and what data is shared. You can typically copy this information from the register of processing activities of the controller. Both parties must have a register where these details are listed. The processor should include this activity in their register.
Standard clauses in a data processing agreement
The template contains a few standard clauses that are required in any data processing agreement. These should not be altered. They include that the parties will adhere to GDPR, take appropriate measures, report data breaches and cooperate with an audit. It also includes a clause that any employee who has access to personal data must sign a non-disclosure agreement. It also limits the use of subcontractors.
The basic template and many data processing agreements state that the parties will take ‘appropriate technical and organisational security measures’, without specifying what these measures are. It is allowed to specify what these measures are. You could think of information security certification, regular penetration tests, backup policies and encryption. We have a series of articles on ISO 27002 security measures that are often included in this section.
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT contracts.