A Data Processing Agreement (DPA) is a legally binding contract that establishes how a service provider processes personal data on behalf of a business, ensuring compliance with privacy regulations while protecting both parties from potential liabilities.
As remote work expands and businesses increasingly rely on third-party vendors, having proper DPAs in place has become essential for maintaining data security, building trust, and avoiding costly penalties.
For HR and hiring managers, DPAs are particularly important when working with external recruitment agencies, applicant tracking systems, background check providers, or any vendor that handles candidate or employee information. The agreement establishes clear boundaries for how these service providers can use the personal data you share with them.
What is the purpose of a DPA?
The primary purpose of a DPA is to ensure that personal data is processed lawfully, fairly, and transparently. It creates a framework of accountability and establishes clear responsibilities for both the data controller and processor.
A DPA serves four purposes: legal compliance, risk management, trust building, and operational clarity. Each is described in detail below.
Legal compliance: A DPA helps organizations meet their obligations under data protection regulations like GDPR, CCPA, and other privacy laws by documenting how personal data will be handled.
Risk management: By clearly defining responsibilities and liabilities, a DPA helps mitigate risks associated with data breaches or non-compliance with privacy regulations.
Trust building: Having a formal agreement demonstrates to clients, employees, and candidates that your organization takes data protection seriously, building confidence in your operations.
Operational clarity: A DPA establishes clear guidelines for data handling, making it easier for both parties to understand their roles and responsibilities in the data processing relationship.
🎯 Pro Tip: When negotiating a DPA with a vendor, pay special attention to the sections on data breach notification timelines and subprocessor management. These areas often present the greatest risk exposure for your organization and should align with your internal data governance policies.
What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect in the European Union in May 2018. It sets strict requirements for organizations that collect, store, or process personal data of EU residents, regardless of where the organization is located.
GDPR explicitly requires a written agreement between controllers and processors in Article 28. This requirement has made DPAs a standard practice globally, even for organizations not directly subject to GDPR, as they establish best practices for data protection.
For HR professionals, GDPR has significant implications because employee and candidate data is considered personal data. When you use third-party services for recruitment, payroll processing, or benefits administration, you need a DPA to ensure these vendors handle personal data in compliance with GDPR requirements.

When do I need a DPA?
You need a DPA when using recruitment software, hiring external recruiters, conducting background checks, outsourcing payroll, implementing HR information systems, and engaging employee monitoring tools. These scenarios are listed in detail below.
Using recruitment software: If you use an applicant tracking system (ATS) or other recruitment platforms that store candidate information, you need a DPA with the software provider.
Hiring external recruiters: When working with recruitment agencies or headhunters who collect and process candidate data on your behalf, a DPA is necessary to protect that information.
Conducting background checks: If you use third-party services to verify candidate credentials, criminal history, or employment history, these vendors are processing personal data and require a DPA.
Outsourcing payroll: Payroll processors handle sensitive employee financial information, making a DPA essential for these relationships.
Implementing HR information systems: Cloud-based HR platforms that store employee data require a DPA to ensure proper data handling.
Engaging employee monitoring tools: If you use software to track employee productivity, a DPA is needed to ensure this monitoring is done legally and ethically.
The need for a DPA is not limited by company size or industry. Even small businesses must have DPAs in place if they use third-party services that process personal data. The determining factor is the nature of the data processing activity, not the scale of your organization.

What are the elements of a DPA?
A comprehensive DPA includes subject matter and duration, nature and purpose of processing, types of personal data, categories of data subjects, obligations and rights, security measures, confidentiality commitments, subprocessor management, data transfer provisions, and audit rights. These elements are listed in detail below.
Subject matter and duration: Clear definition of what data processing activities are covered and how long the agreement will remain in effect.
Nature and purpose of processing: Explicit description of how the processor will use the data and for what specific purposes.
Types of personal data: Detailed listing of what categories of personal data will be processed (e.g., contact information, employment history, performance evaluations).
Categories of data subjects: Identification of whose data is being processed (e.g., job applicants, employees, contractors).
Obligations and rights: Outline of the controller's and processor's responsibilities, including how the processor will assist the controller in meeting its legal obligations.
Security measures: Specific technical and organizational measures the processor will implement to protect the data from breaches or unauthorized access.
Confidentiality commitments: Assurances that the processor's staff who access the data are bound by confidentiality obligations.
Subprocessor management: Procedures for appointing and overseeing subprocessors who may handle the data.
Data transfer provisions: Rules governing how data can be transferred internationally, especially to countries without adequate data protection laws.
Audit rights: The controller's right to verify the processor's compliance with the agreement through inspections or audits.
For HR and hiring managers, pay particular attention to the security measures and subprocessor management sections. These elements directly impact how securely candidate and employee data will be handled throughout the recruitment and employment lifecycle.
How do you create a DPA?
Creating a DPA requires careful consideration of your data processing needs and compliance requirements. While many organizations use templates as starting points, it's important to customize the agreement to reflect your specific circumstances.
The process includes identifying processing activities, determining applicable laws, drafting or adapting a template, negotiating terms, legal review, and implementation monitoring. These steps are listed in detail below.
Identifying processing activities: Begin by mapping out exactly what personal data will be shared with the processor and how they will use it in their services.
Determining applicable laws: Identify which data protection regulations apply based on your location, the processor's location, and the location of the data subjects.
Drafting or adapting a template: Either create a DPA from scratch or modify an existing template to address your specific needs and compliance requirements.
Negotiating terms: Work with the processor to agree on all terms, paying special attention to security measures, breach notification procedures, and liability provisions.
Legal review: Have the agreement reviewed by legal counsel with expertise in data protection to ensure it meets all regulatory requirements.
Implementation monitoring: After signing, establish processes to verify that both parties are adhering to the terms of the agreement.
Many industry associations and data protection authorities offer DPA templates that can serve as starting points. However, these should always be customized to reflect the specific nature of your data processing relationship and the applicable legal requirements in your jurisdiction.
Signing a DPA as a customer (controller)
As a data controller (the organization that determines how and why personal data is processed), you have specific responsibilities when entering into a DPA with a service provider. Understanding these responsibilities is crucial for maintaining compliance and protecting your organization.
When reviewing a DPA provided by a vendor, pay close attention to how they handle data security, breach notifications, and their use of subprocessors. Many vendors, especially larger technology companies, offer standard DPAs that may not be negotiable. In these cases, you'll need to evaluate whether their terms meet your compliance requirements.
When signing as a controller, focus on vendor assessment, template evaluation, compliance verification, negotiation priorities, documentation, and ongoing monitoring. These considerations are listed in detail below.
Vendor assessment: Before signing, conduct due diligence on the vendor's data security practices and compliance history to ensure they can meet their obligations under the DPA.
Template evaluation: Review the vendor's standard DPA carefully to identify any gaps or provisions that don't align with your data protection policies.
Compliance verification: Ensure the DPA meets all requirements of applicable data protection laws, particularly if you're subject to multiple regulations.
Negotiation priorities: Identify which terms are most important to your organization (such as breach notification timelines or audit rights) and focus your negotiation efforts on these areas.
Documentation: Maintain records of the signed DPA and any supporting documentation about the vendor's compliance measures.
Ongoing monitoring: Establish processes to periodically review the vendor's compliance with the DPA, including any required security certifications or audit reports.
For HR and hiring managers, it's particularly important to verify that your ATS providers, background check services, and other HR technology vendors have appropriate DPAs in place. These systems often contain sensitive candidate and employee information that requires robust protection.
Creating a DPA as a service provider (processor)
If your organization processes personal data on behalf of other businesses, you'll need to provide a DPA to your clients. As a processor, your DPA should clearly outline how you protect personal data and fulfill your obligations under relevant data protection laws.
For HR technology providers, recruitment agencies, and other service providers in the talent acquisition space, having a well-crafted DPA is increasingly becoming a competitive advantage. Clients are more likely to choose vendors who demonstrate strong data protection practices.
When creating a DPA as a processor, focus on template development, transparency about security measures, clear subprocessor policies, reasonable compliance assistance, flexible international transfer provisions, and straightforward breach notification procedures. These practices are listed in detail below.
Template development: Create a standard DPA template that addresses all regulatory requirements while reflecting your specific data processing activities and security measures.
Transparency about security measures: Clearly document your technical and organizational security measures to build trust with potential clients.
Clear subprocessor policies: If you use other vendors to help deliver your services, be transparent about how you select, oversee, and take responsibility for these subprocessors.
Reasonable compliance assistance: Outline how you'll help clients meet their obligations for data subject requests, impact assessments, and other compliance requirements.
Flexible international transfer provisions: Include mechanisms for lawful international data transfers that can adapt to changing regulatory landscapes.
Straightforward breach notification procedures: Define clear timelines and processes for notifying clients in the event of a data breach.
Many processors find it beneficial to have their DPA reviewed by a data protection specialist or certified privacy professional. This helps ensure the agreement is both legally compliant and commercially reasonable, striking the right balance between protection and practicality.
What happens if you don't sign a DPA?
Failing to implement appropriate DPAs with your service providers can have serious consequences, both legal and reputational. Under regulations like GDPR, having a DPA is not optional—it's a legal requirement when personal data is processed by a third party.
Operating without a DPA can result in regulatory penalties, legal liability, reputational damage, business relationship complications, and operational uncertainty. These consequences are listed in detail below.
Regulatory penalties: Data protection authorities can impose significant fines for non-compliance with DPA requirements. Under GDPR, these fines can reach up to 4% of global annual revenue or €20 million, whichever is higher.
Legal liability: Without a DPA clarifying responsibilities, your organization may face increased liability in the event of a data breach or compliance failure.
Reputational damage: Candidates and employees expect their personal data to be protected. Failures in this area can damage your employer brand and make recruitment more difficult.
Business relationship complications: Many organizations now require DPAs as part of their vendor management process. Without one, you may lose business opportunities or partnerships.
Operational uncertainty: Without clear guidelines on data handling, there may be confusion about responsibilities and processes, leading to inconsistent practices and potential security gaps.
⚠️ Warning: Even if you have a general service agreement with a vendor, this does not replace the need for a specific DPA. Courts and regulators have consistently held that data protection obligations must be explicitly addressed in a dedicated agreement or appendix that covers all required elements under applicable law.
Beyond the legal requirements, having proper DPAs in place is simply good business practice. It helps establish clear expectations with your service providers and demonstrates to your stakeholders that you take data protection seriously—an increasingly important consideration in today's privacy-conscious business environment.