People often confuse a Data Processing Agreement with a privacy policy. In this article we outline the main differences, and also explain how a Data Processing Agreement differs from Terms and Conditions (Terms of Service).
A Data Processing Agreement (DPA), sometimes also called a Data Processing Addendum or Data Processing Terms, is an agreement between a Data Controller and a Data Processor. It is generally a separate document from a company's or website's Terms and Conditions (Terms of Service), and is also distinct from its Privacy Policy and Cookie Policy.
Terms and Conditions vs Data Processing Agreement
Terms and Conditions
Terms and Conditions normally cover things like:
- The rules you must follow to access the service
- What service will be provided
- How much you will pay
- Who is liable if something goes wrong, etc.
Data Processing Agreement
A Data Processing Agreement is similar in form to Terms of Service, but it sets out the rules for two companies sharing personal data. It covers things like:
- What personal data will be shared
- Whether that data will leave the UK or the European Economic Area (EEA)
- Which security measures (also called technical and organisational measures) are in place to protect that data
- Which sub-processors (third parties) will also process the data while the service is being provided
- Who is liable if something goes wrong
- The responsibilities of the controller
- The responsibilities of the processor
- Other key terms
Article 28 of the GDPR sets out the rules that processors must follow when processing personal data on behalf of a controller, and requires that the processing be governed by a contract (or other legal act) that binds the processor to the controller. The DPA is that contract.
Privacy Policy vs Data Processing Agreement
A Privacy Policy mainly describes how you process personal data when you are a Controller. A Data Processing Agreement, in most cases (especially if you are a SaaS), describes how personal data is processed when a Processor provides a service to a Controller, or more generally when personal data is transferred from one company to another.
Hotjar - SaaS Example
Hotjar, a popular analytics tool, is a snippet of code that Company A adds to its website to capture recordings of how users interact with the site, with the aim of optimising it. In this scenario Hotjar is a Processor, because it collects website usage data on behalf of Company A (the Controller).
Under Article 28 of the GDPR, before Hotjar can start processing that data on behalf of Company A there must be a written contract setting out, among other things, that Hotjar may only process the data on Company A's documented instructions. That contract is the Data Processing Agreement.
Hotjar is also a large company that acts as a Controller in other situations, for example when it processes the personal data of its own website visitors, customers and employees. It is therefore also responsible under the GDPR for publishing a Privacy Policy disclosing how it processes that information.
Accountant - Service Provider Example
Accountants LTD runs payroll for Company A. Because it is Company A that instructs Accountants LTD to run its payroll, the accountants act as a Processor and Company A is the Controller. In this situation a Data Processing Agreement needs to be in place before any personal data is shared.
International Data Transfers
When creating a Data Processing Agreement, we need to check whether, in order to deliver the service, personal data will be sent outside the European Economic Area (EEA), the United Kingdom (UK) or a country covered by an adequacy decision (AC). If so, this is an International Data Transfer.
Note that the transfer may occur from the Controller (Company A) to the Processor (Hotjar) or in the other direction.
If one of the two companies is located outside the EEA, the UK or an AC, we then have to check whether Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA) need to be applied.
Standard Contractual Clauses
The Standard Contractual Clauses (SCCs) are a set of clauses that must be added to a Data Processing Agreement when personal data is transferred outside the European Economic Area. They are a legal safeguard, not a technical one: their aim is to give the data a level of protection outside the EU comparable to what it enjoys inside the EU under the EU GDPR. For international transfers the SCCs come in four modules, and the right one must be chosen according to the relationship between the parties (controller to controller, controller to processor, processor to processor and processor to controller). You can learn more about this in our blog post on the subject (coming soon).
UK International Data Transfer Agreement/Addendum
The UK International Data Transfer Agreement or Addendum also needs to be appended to your Data Processing Agreement if you are transferring personal data from the UK to a destination outside the UK, the EEA or an AC. There are two versions: the Agreement (IDTA), used when UK data is transferred outside the UK, EEA or AC and no Standard Contractual Clauses are already in place, and the Addendum, which can be bolted on to existing SCCs.
What to do if you're a SaaS?
If you are a SaaS that processes personal data as part of the service you offer your clients, it is very likely that you are processing that data as a Data Processor and will need a Data Processing Agreement.
Data Processing Agreement Checklist
- We have established the roles in the DPA (is the sender a controller or a processor, and is the recipient a controller or a processor).
- We have linked it to our Terms of Service agreement.
- We have defined the term (duration) of the processing of personal data.
- We have decided on our breach notification period.
- We have decided on our sub-processor notification period.
- We have decided whether to include a liability cap and, if so, added the cap amount.
- We have stated the governing law and jurisdiction of the Data Processing Agreement.
- We have stated which data protection regulations apply (UK GDPR, EU GDPR, CCPA, CPRA, ...).
- We have described the services that involve the processing of personal data.
- We have explained the nature and purpose of the processing.
- We have explained what personal data is going to be transferred.
- We have explained who the individuals are whose personal data is being transferred.
- We have indicated which transfer mechanism will be used if the data is transferred outside the EEA, the UK or an AC.
- We have explained the security measures (technical and organisational measures) that will protect the personal data.
- We have listed the sub-processors we will use, along with the purpose for using each one, the country where the data will reside and each sub-processor's security measures (technical and organisational measures).
- We have set out the controller obligations.
- We have set out the processor obligations.
You can find a Notion Template (downloadable and exportable to PDF) of the checklist here.
Data Processing Agreement Template
You can find a Data Processing Agreement template here.
How can Privasee help?
Privasee has a Data Processing Agreement and Security Measures module that can generate all the Data Processing Agreements you may need. It will:
- Include the necessary clauses of a Data Processing Agreement
- Evaluate whether you need Standard Contractual Clauses
- Evaluate whether you need the UK International Data Transfer Agreement or Addendum
- Keep a list of your sub-processors
- Help you identify the terms that are most favourable to you
- Keep your Data Processing Agreement up to date when the legislation changes (for example, meeting the deadlines of the recent update to the SCCs or the introduction of the UK IDTA requirement)
- Keep your Data Processing Agreement up to date when your company changes (you add new features, change the data you use to provide your service, or add or remove tools and third parties used in your company)
Exceptions
Note: for simplicity, this article does not cover the exceptions that apply to professions such as doctors, lawyers, accountants (when doing bookkeeping), financial advisers and other regulated professions, which are likely to act as Independent Controllers rather than Processors. We're more than happy to explain the differences via Live Chat though!
Note 2: this post has considered the most typical use case, a Data Processing Agreement between a Controller and a Processor. A Data Processing Agreement may, however, also be required between a Processor and a further Processor, from a Processor back to the Controller, or between two Independent Controllers.