By Alex Franch
March 8, 2023
People often confuse a Data Processing Agreement with a privacy policy. In this article, we outline the main differences between the two, as well as how a Data Processing Agreement differs from the Terms and Conditions or Terms of Service.
A Data Processing Agreement (DPA), sometimes also called a Data Processing Addendum or Data Processing Terms, is an agreement between a Data Controller and a Data Processor. This agreement is generally separate from a company’s or website’s Terms and Conditions or Terms of Service, and is also distinct from a Privacy Policy and a Cookie Policy.
Terms and Conditions normally outline things like:
A Data Processing Agreement is similar to the Terms of Service, but it sets out the rules for two companies sharing personal data. It outlines things like:
Article 28 of the GDPR sets out the rules that processors must follow when processing information on behalf of their controllers.
A Privacy Policy mainly describes how you process personal data when you are a Controller, while a Data Processing Agreement in most cases (especially if you are a SaaS) describes how data is processed when a Processor offers a service, or when personal data is transferred from one company to another.
Hotjar, a popular analytics tool, is a snippet of code that you can add to the website of Company A to capture recordings of how users interact with that website, with the objective of optimising it. In this scenario, Hotjar is a Processor, as it collects website usage data on behalf of Company A (the Controller).
The GDPR requires that, before Hotjar can start processing the information on behalf of Company A, there must be written instructions on what can be done with that data. This agreement is the Data Processing Agreement.
Moreover, Hotjar is a large company that also acts as a Controller in other situations, for example when it has its own website visitors and processes the information of its customers, employees and other people. It is therefore its responsibility under the GDPR to also have a Privacy Policy disclosing how it processes all of this information.
Accountants LTD runs payroll for Company A. Given that it is Company A that instructs Accountants LTD to run its payroll, the Accountants act as a Processor for Company A, which is the Controller. In this situation, a Data Processing Agreement needs to be put in place before any data is transferred.
When creating a Data Processing Agreement, we need to check whether, for that service to be carried out, information will be sent outside of the European Economic Area (EEA), the United Kingdom (UK) or a country with adequacy status (AC).
Note that the transfer may occur from the Controller (Company A) to the Processor (Hotjar) or the other way around.
Where one of the two companies is located outside of the EEA, UK or an AC, we then have to check whether we need to apply the Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement/Addendum (UK IDTA).
The Standard Contractual Clauses (SCCs) are a set of clauses that need to be added to a Data Processing Agreement when information is being transferred outside of the European Economic Area. These clauses aim to give the data a level of protection outside the European Union similar to the one it has inside the European Union under the EU GDPR. For international transfers there are four modules, and the one to choose depends on the relationship between the parties sending and receiving the data. You can learn more about this in our blog post here (coming soon).
The UK International Data Transfer Agreement/Addendum also needs to be appended to your Data Processing Agreement if you are transferring data from the UK to a country outside of the UK, EEA or an AC. There are two versions of these clauses: the Agreement, which is used when data from the UK is transferred outside of the UK, EEA or an AC and no Standard Contractual Clauses are already appended, and the Addendum, which can be bolted on to the SCCs.
If you are a SaaS that processes personal data as part of the service you offer your clients, it is very likely that you are processing that information as a Data Processor and will require a Data Processing Agreement.
You can find a Notion Template (downloadable and exportable to PDF) of the checklist here.
You can find a Data Processing Agreement template here.
Privasee has a Data Processing Agreement and Security Measures module that can help you generate all the Data Processing Agreements that you may need and ensure they include the:
Note: for simplicity, this article does not cover the exceptions that apply to professions such as Doctors, Lawyers, Accountants (when doing bookkeeping), Financial Advisors and other regulated professions, which are likely to act as Independent Controllers rather than Processors. We're more than happy to explain the differences via Live Chat though!
Note 2: this blog post considers the most typical use case for a Data Processing Agreement, between a Controller and a Processor. A Data Processing Agreement may, however, also be required from Processor to Processor, from Processor back to the Controller, or from one Independent Controller to another Independent Controller.
Ensure your policies are always up to date with Privasee, an AI powered GDPR compliance solution that does it all.