Data Privacy
Data Processing Agreements with expert lawyers
Fixed-fee legal help from Australia's top-rated online law firm, with expert lawyers guiding you every step of the way.
100,000+ businesses helped
Get a free quote
We’ll get back to you within 1 business day.


What's included
Meet privacy obligations with a compliant data processing agreement.
Our service helps you create a robust Data Processing Agreement tailored to your business needs. Protect your data and build trust with your clients.
- Customised Data Processing Agreement
- Expert legal review and advice
- Compliance with Australian data laws
- Clear terms for data handling and processing
- Ongoing support for any questions
- Fixed-fee pricing for transparency
Project
Data Processing Agreement
Status
Complete
Prepared by
Alex Solo
Senior Lawyer

FAQs
Frequently asked questions
Unsure about how we work? We have gathered the most common questions for your convenience.
A Data Processing Agreement (DPA) is a legally binding contract between a data controller, which collects and manages personal data, and a data processor, which handles data on the controller’s behalf. It sets out how personal data will be processed, stored and protected, helping support compliance with Australian privacy laws.
In Australia, organisations that collect personal information and engage third parties to process that data, such as for storage, analytics or customer support, are responsible for ensuring the data is handled securely and lawfully. A DPA formalises this relationship and helps organisations comply with the Privacy Act 1988 and the Australian Privacy Principles (APPs), which require protections around the collection, storage and transfer of personal data.
The main purpose of a DPA is to set clear terms for data processing activities so both the controller and processor understand their responsibilities for protecting privacy and data security.
A Data Processing Agreement (DPA) and a Privacy Policy serve different but complementary purposes in privacy and data protection.
- Data Processing Agreement (DPA)
- A DPA is a contract between a data controller, which decides how personal data will be used, and a data processor, which processes data on the controller’s behalf.
- It sets out the terms and obligations for handling, storing and securing personal data, as well as compliance responsibilities.
- It governs the relationship between the parties directly involved in processing data, such as a business and its third-party service provider.
- Its main purpose is to create clear, enforceable standards for data handling and protection between those parties. It is not a public document.
- Privacy Policy
- A Privacy Policy is a public-facing document that explains how an organisation collects, uses, stores and protects personal data.
- It tells individuals, such as customers, clients and website visitors, what data is collected, why it is collected, how it is used, and how they can contact the organisation about privacy matters.
- Its purpose is to promote transparency and help individuals make informed decisions about sharing their information.
- A Privacy Policy is often a legal requirement under privacy laws such as the Privacy Act 1988, and is usually published on a website or otherwise made readily available.
In short, a DPA is an internal contract that governs the relationship between parties involved in data processing, while a Privacy Policy is a public document that explains an organisation’s data handling practices to individuals.
In Australia, a Data Processing Agreement (DPA) is important for any business that collects, manages or shares personal data with third-party providers.
- Compliance with privacy laws
- The Privacy Act 1988 and the Australian Privacy Principles (APPs) set requirements for how personal data is collected, stored and shared. A DPA helps by clearly setting out how data will be processed, which can reduce the risk of non-compliance and potential penalties.
- Clarity and accountability
- A DPA sets out each party's roles and responsibilities for handling data. This helps avoid misunderstandings, supports secure processing and reduces the risk of data breaches.
- Managing legal risk
- If there is a data breach or privacy complaint, a well-drafted DPA can help show that both parties took reasonable steps to protect data and comply with privacy laws. This may help limit liability and reduce legal risk.
- Building trust with clients and customers
- With growing concerns about data privacy, having a DPA in place shows that your business takes data security seriously. This can strengthen relationships and support your reputation.
In short, a DPA helps with compliance, transparency and risk management. It provides a clear framework for handling data and can help your business meet its legal obligations when sharing sensitive information with third parties.
A Data Processing Agreement (DPA) usually includes a number of key terms to help ensure personal data is handled securely, responsibly and in line with data protection laws.
- Purpose and scope of data processing
- A clear description of why and how the data will be processed, including the services the processor will provide and the categories of personal data involved.
- Roles and responsibilities
- Identification of the data controller and the data processor, and each party's obligations for data protection, storage and access.
- Data security measures
- Details of the safeguards the processor will use to protect personal data from unauthorised access, breaches or loss. This may include encryption, access controls and secure storage.
- Data retention and deletion policies
- Terms covering how long data will be kept and how it will be securely deleted or returned once processing is complete or the contract ends.
- Sub-processor management
- If third-party sub-processors are involved, the agreement should explain how they will be assessed, monitored and required to meet the same data protection standards. The controller will often have the right to approve or reject sub-processors.
- Data breach notification protocols
- Procedures for notifying the controller of any data breach or security incident. This can be important for legal compliance and for reducing the impact of a breach.
- Audit rights and monitoring
- Terms allowing the data controller to audit or review the data processor's practices to check compliance. This may include on-site inspections or document reviews.
- Cross-border data transfers
- If data will be transferred outside Australia, the DPA should address cross-border transfer requirements so international processing complies with Australian law and any other applicable privacy rules.
- Liability and indemnity
- Clauses dealing with each party's liability for data breaches or non-compliance, and any indemnity arrangements. These terms help define legal and financial responsibility if data is mishandled.
- Termination and data handling on termination
- Details about how data will be handled when the agreement ends, including secure deletion or return of the data.
Together, these terms create a framework for secure and compliant data processing. A well-drafted DPA helps both parties understand their responsibilities, reduce legal risk and protect the privacy of individuals whose data is being processed.
Yes, it’s best practice to have a separate Data Processing Agreement (DPA) with each data processor your organisation engages.
Here’s why:
- Tailored compliance and risk management
- Each data processor may have a different role, service, or level of access to personal data. A DPA tailored to each provider can help address specific risks and support compliance with privacy regulations. For example, a DPA with a cloud storage provider may focus more on data security and access controls, while a DPA with a marketing agency may focus more on data minimisation and purpose limitations.
- Different security and data handling practices
- Processors may use different methods to secure and manage data. Separate DPAs let you set out the security and data handling requirements that apply to each processor based on their role and access to sensitive information.
- Clear legal obligations
- A separate DPA for each processor helps clearly define that processor’s legal responsibilities and obligations. This can reduce misunderstandings and gaps in compliance, and make it easier to monitor and enforce the terms that apply to their services.
- More efficient audits and monitoring
- Individual DPAs can make audits and compliance checks easier by allowing each processor to be assessed on its own. This is especially important where one processor may need closer scrutiny because of the type of data it handles or its risk profile.
- Stronger legal protection
- If a data breach or privacy complaint arises, having a separate DPA with each processor can help show that your organisation took reasonable steps to support compliance and protect personal data. This may reduce legal exposure if a processor fails to meet its obligations.
In summary, while it may seem convenient to use one template DPA for multiple processors, having a separate DPA for each data processor can help your organisation manage different data handling requirements more effectively.
Our package starts from $500 + GST. It includes drafting a Data Processing Agreement to suit your business' requirements, phone consultations with a Sprintlaw lawyer who can advise you on the relevant legal issues, and one complimentary amendment to the final draft we provide.
We handle everything by phone, email and video call, so you never need to visit an office. Once you request a quote, one of our legally trained consultants will get back to you within one business day with a fixed-fee proposal. If you accept, we will pair you with a specialist lawyer who will guide you through the process. All documents are delivered digitally, and you can communicate with your lawyer in the way that suits you best. It is the same quality legal advice you would get from a traditional firm, just without the commute, hourly billing surprises or the formality.
Our law firm operates completely online, which means we can help you wherever you are in Australia. We work from The Commons Central, a co-working space in Chippendale, Sydney, but our lawyers also work flexibly across various locations.
From quote to delivery in three simple steps
Getting quality legal help for your business has never been easier or more affordable.
Get a free quote
Our legally trained consultants will prepare a fixed-fee quote for you.
Accept online
Accept your fixed-fee quote and e-sign our engagement letter.
Speak with a lawyer
Our expert lawyers will talk you through your project via phone, video call or whatever suits.
We've helped over 100,000 Australian businesses
From tech startups in Sydney to restaurants in Alice Springs, we consistently deliver a 5-star service.
“Can’t speak highly enough of my experience with Sprintlaw - quality advice, fast and efficient responsiveness and a professional product.”
Alex Wickert
MD, Adapt Leadership
“I’m so glad I used Sprintlaw - it was easy, affordable and their lawyers gave top quality advice. I could tell they really cared about my business.”
Emmy Samtani
Founder, Kiindred
“They’ve helped us tremendously and are seriously knowledgeable and honest. Couldn’t recommend the crew at Sprintlaw more!”
Amit Tewari
CEO, Soul Burger
Not sure where to start?
We can help.
Book a phone call with a legal consultant to get started.
Need help now?
1800 730 617