
Data Processing Agreement

day-tah pro-cess-ing ah-gree-ment

Learn what a Data Processing Agreement (DPA) is, why Irish companies need one under GDPR, and what it must include when sharing personal data with third parties.


What is a Data Processing Agreement?

A Data Processing Agreement (DPA) is a legally binding contract required under the General Data Protection Regulation (GDPR) between a data controller and a data processor. It governs how personal data is handled when one organisation processes data on behalf of another. For Irish companies, this agreement is not optional. Every time you share personal data with a third-party service provider, such as a cloud hosting platform, payroll company, or marketing tool, a DPA must be in place.

The DPA exists to protect the rights of individuals whose personal data is being processed. It ensures that the processor follows the controller's instructions, implements appropriate security measures, and only uses the data for the purposes specified in the agreement. Without a valid DPA, both parties risk significant fines from the Data Protection Commission (DPC), Ireland's supervisory authority for GDPR enforcement.

Why do Irish companies need a Data Processing Agreement?

GDPR Article 28 makes it a legal requirement for controllers to have a written contract with every processor that handles personal data on their behalf. This applies to businesses of all sizes, from sole traders to large enterprises. The requirement reflects the reality that most modern businesses rely on third-party tools and services that inevitably involve the processing of customer, employee, or supplier data.

For Irish startups, the need for DPAs often becomes apparent early. If you use an email marketing platform, a customer relationship management system, an accounting tool, or even a cloud storage provider, each of these services processes personal data on your behalf. A DPA with each provider ensures that your company meets its GDPR obligations and that your customers' data is handled responsibly.

What must a Data Processing Agreement include?

A compliant DPA must include several mandatory elements. It must specify the subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data involved, and the categories of data subjects. It must also clearly state that the processor will only act on documented instructions from the controller.

The agreement must require the processor to implement appropriate technical and organisational security measures, ensure that staff with access to data are bound by confidentiality obligations, assist the controller in responding to data subject access requests, and notify the controller of any data breach without undue delay.

Additionally, the DPA must address the use of sub-processors. If the processor engages another company to help with the processing, this must be authorised by the controller and covered by equivalent contractual protections. The DPA should also include provisions for data deletion or return at the end of the contract, and grant the controller the right to audit the processor's compliance.

How does a DPA relate to other business contracts?

A DPA often sits alongside other commercial agreements. For example, if you enter into a consultancy agreement with a technology provider, the DPA covers the data protection aspects of that relationship while the consultancy agreement covers the commercial terms. The two documents work together to provide complete legal coverage.

Risk allocation in a DPA often mirrors provisions found in broader commercial agreements, such as a limitation of liability clause or an indemnity clause. These provisions determine who bears the financial burden if a data breach occurs or if the DPC imposes a fine. For startups, negotiating these terms carefully is essential to avoid disproportionate exposure.

Where would I first see Data Processing Agreement?

You will most likely encounter a Data Processing Agreement when signing up for a SaaS tool that handles your customer data, or when a client asks you to sign one before sharing their users

What are the penalties for not having a DPA?

Failure to have a valid DPA in place is a direct breach of GDPR Article 28 and can result in administrative fines of up to €10 million or 2% of annual global turnover, whichever is higher. The Data Protection Commission has the power to investigate complaints, conduct audits, and impose corrective measures on non-compliant organisations.

Beyond fines, the absence of a DPA creates significant reputational risk. Data breaches involving third-party processors are common, and without a DPA, your company has no contractual basis to hold the processor accountable. This can result in your business bearing the full cost of breach notification, remediation, and any claims from affected individuals.

How should Irish startups manage their DPAs?

Start by creating a register of all third-party services that process personal data on your behalf. For each service, check whether a DPA is already in place. Many large SaaS providers include standard DPAs in their terms of service, but these should be reviewed carefully to ensure they meet GDPR requirements and adequately protect your interests.

For bespoke arrangements, such as custom software development or data analytics services, you may need to negotiate a tailored DPA. This is where legal advice can be particularly valuable. Consider including conditions precedent that require the processor to demonstrate compliance with specific security standards before processing begins.

Directors have a responsibility, as part of their directors' duties, to ensure the company manages data protection risks appropriately. This includes overseeing the company's DPA programme and ensuring that adequate resources are allocated to GDPR compliance. For early-stage companies, building good data protection habits from day one is far easier than retrofitting compliance later.

What about international data transfers?

If your data processor is based outside the European Economic Area (EEA), additional safeguards must be included in the DPA. GDPR restricts the transfer of personal data to countries that do not provide an adequate level of data protection. The most common mechanism for enabling lawful transfers is the use of Standard Contractual Clauses (SCCs) approved by the European Commission.

For Irish companies using US-based cloud services, the EU-US Data Privacy Framework provides a pathway for lawful transfers, but only where the US provider has self-certified under the framework. Your DPA should clearly state the legal basis for any international transfers and include provisions for what happens if that legal basis is invalidated.

Can a DPA include arbitration for disputes?

Yes, a DPA can include a dispute resolution clause that specifies arbitration as the preferred method for resolving disagreements. This is particularly useful for cross-border processing arrangements where court proceedings in multiple jurisdictions could be impractical and expensive. Including an arbitration clause ensures that disputes are resolved efficiently and privately.

However, it is important to note that the rights of data subjects under GDPR cannot be limited by contractual dispute resolution clauses. Individuals always retain the right to lodge complaints with the Data Protection Commission and to seek judicial remedy in court. The arbitration clause in a DPA applies to disputes between the controller and processor, not between the company and the individuals whose data is being processed.