+44 (0) 121 582 0192 [email protected]

What Are Data Processing Addendums (DPAs)?

Data Processing Addendums (DPAs) are instructional contracts between the Controller and Processor outlining how to process and secure the Controller’s data. DPAs are critical to ensuring third-party compliance and are required under UK  GDPR.

In this article, we answer:

What is a DPA?

When is a DPA required?

Why are DPAs important?

Where can I get help with a DPA?

What is a DPA?

A Data Processing Addendum is a document designed to legally compel a third-party vendor (data processor) to adhere to specific data privacy legislation when processing personal data your organisation (data controller) is responsible for.

According to UK GDPR, Section 3, DPAs must include the following stipulations:

  • Processors must be GDPR compliant and respect data subjects’ rights
  • Processors must not process personal data without written instruction from the data controller
  • All parties must observe confidentiality
  • Processors must take all appropriate technical and organisational measures to secure personal data
  • Processors must not subcontract without written instruction from the data controller
  • Processors must delete all personal data when services are completed
  • Processors must let the controller conduct audits and be cooperative

When is a DPA required?

Under GDPR,  a Data Processing Addendum is needed when:

  • A Controller outsources data processing to a third-party vendor or partner
  • A Processor subcontracts data processing responsibilities following the written request from a Controller
  • Using a Cloud provider such as Amazon Web Services (AWS)

You do not need a DPA when working with professional groups bound to confidentiality, such as doctors, lawyers, tax consultants, and auditors.

Why are DPA’s important?

The brief answer is that Data Processing Addendums:

  • Reduce third-party risk for the Controller (your organisation), and
  • Ensure GDPR compliance on the behalf of the Controller

However, DPAs go beyond protecting the Controller’s legal interests under GDPR. DPAs act as a check and balance by compelling the Controller to observe due diligence when selecting a third-party vendor to process their personal data.

Due diligence requires the Controller to fully vet the Processor before onboarding begins, and DPAs formalise that process. DPAs also ensure that the Controller and Processor prioritise protecting the interests and privacy of the data subjects by documenting the agreement.

Where can I get help with a DPA?

Writing up a Data Processing Addendum can be a daunting task, specifically for small to medium-sized businesses.

DPAs should be personalised to suit the specific needs of your company. Formiti provides bespoke DPA writing services.

All global data protection regulations require third-party compliance and data processing agreements. Our Formiti Vendor360 takes the pressure off your resources and ensures compliance of both new and existing processing partners.

We cover multiple data regulations including EU GDPR, Thailand PDPA, China National Standard and South Africa POPIE.

Pop us a message to book your one-hour obligation-free consultation to see if Vendor360 is the right fit for you.