admissions@cyberlawacademy.com | +91-XXXXXXXXXX
Part 2 of 6 | CCPLP Module 1

Drafting Data Processing Agreements

Master the art of drafting legally robust Data Processing Agreements that establish clear responsibilities between Data Fiduciaries and Processors, with comprehensive coverage of DPDPA, GDPR, and cross-border transfer requirements.

~80 minutes | 5 Sections | 2 Templates | 10 Quiz Questions

2.1 Understanding Data Processing Agreements

A Data Processing Agreement (DPA) is a legally binding contract between a Data Fiduciary (the GDPR's "controller") and a Data Processor that governs how personal data will be processed on the Fiduciary's behalf. Both regimes make it mandatory whenever a third party processes personal data for the organization: Section 8(2) of DPDPA 2023 permits a Data Processor to be engaged only under a valid contract, and Article 28(3) GDPR requires a contract with a prescribed minimum content.

When is a DPA Required?

A DPA is required whenever personal data is shared with a third party for processing on behalf of the organization. Common scenarios include:

  • Cloud Services: AWS, Azure, Google Cloud hosting customer data
  • SaaS Platforms: CRM, HRMS, marketing automation tools
  • IT Service Providers: Managed services, help desk, backup providers
  • Payroll Processors: Third-party payroll and benefits administration
  • Marketing Agencies: Email marketing, customer analytics providers
  • Call Centers: Customer service outsourcing handling customer data

DPDPA 2023 Requirement

Section 8(2) of DPDPA provides that a Data Fiduciary may engage, appoint or use a Data Processor only under a valid contract. Section 8(1) makes the Fiduciary responsible for compliance with the Act irrespective of any agreement to the contrary, and Section 8(5) extends its duty to take reasonable security safeguards to processing carried out on its behalf by a Data Processor. The DPA is therefore the instrument by which the Fiduciary passes its own statutory duties down to the vendor. A Fiduciary whose vendor arrangements leave personal data unprotected is in breach of Section 8(5), which the Schedule to the Act penalises with up to Rs. 250 Crore; a breach of any other provision of the Act carries up to Rs. 50 Crore.

Controller vs. Processor: Key Distinction

Aspect                      | Data Fiduciary (Controller)                                         | Data Processor
----------------------------|----------------------------------------------------------------------|---------------------------------------------------------
Determination               | Determines purposes and means of processing                          | Processes only on the Fiduciary's instructions
Liability                   | Primary liability to Data Principals and to the Data Protection Board | No direct statutory duties under DPDPA; liable to the Fiduciary under the DPA for unauthorized processing
Notice Obligation           | Must give the Section 5 privacy notice                               | No direct notice obligation
Significant Data Fiduciary  | May be notified as an SDF under Section 10 (DPO, independent audit, DPIA) | Not applicable
Rights Requests             | Must respond to Data Principals                                      | Must assist the Fiduciary

Common Error

Many organizations misclassify relationships. A vendor that makes independent decisions about data use is a Controller, not a Processor, and needs a data sharing agreement instead of a DPA. Misclassification creates compliance gaps and liability exposure.

2.2 DPDPA Requirements for DPAs

DPDPA 2023 establishes specific requirements for the relationship between Data Fiduciaries and Data Processors. Understanding these requirements is essential for drafting compliant DPAs.

Mandatory DPA Elements Under DPDPA

  1. Processing Scope: Clear specification of personal data categories and processing purposes authorized by the Fiduciary
  2. Instruction Compliance: Processor obligation to act only on documented instructions from the Fiduciary
  3. Security Safeguards: Implementation of reasonable security safeguards, flowing down the Fiduciary's duty under Section 8(5)
  4. Breach Notification: Obligation to notify Fiduciary of any personal data breach
  5. Sub-processor Controls: Requirements for engaging sub-processors
  6. Data Return/Deletion: Obligations upon termination of the relationship
  7. Audit Rights: Fiduciary's right to audit processor compliance

Security Safeguards Requirement

Section 8(5) of DPDPA places the duty to take reasonable security safeguards against personal data breach on the Data Fiduciary, and expressly extends it to processing undertaken on the Fiduciary's behalf by a Data Processor. The Act gives the Processor no standalone statutory duty, so the Fiduciary has to impose the safeguards by contract, concretely enough that compliance can be verified. The DPA must specify:

  • Technical Measures: Encryption, access controls, intrusion detection
  • Organizational Measures: Policies, training, background checks
  • Physical Measures: Facility security, device management
  • Incident Response: Breach detection and notification procedures

DPDPA-Compliant DPA Clause: Security Safeguards

SECURITY OBLIGATIONS

1. The Processor shall implement and maintain reasonable security safeguards to protect Personal Data against breach, including:

   a) Technical Measures:
      - Encryption of Personal Data at rest (AES-256 or equivalent)
      - Encryption of Personal Data in transit (TLS 1.2 or higher)
      - Multi-factor authentication for system access
      - Logical access controls based on the principle of least privilege
      - Intrusion detection and prevention systems
      - Regular vulnerability assessments and penetration testing

   b) Organizational Measures:
      - Information security policies and procedures
      - Employee training on data protection
      - Background verification for personnel handling Personal Data
      - Confidentiality agreements with all personnel
      - Designated security officer responsible for compliance

   c) Physical Measures:
      - Physical access controls to data processing facilities
      - Environmental controls (fire suppression, climate control)
      - Secure disposal of physical media containing Personal Data

2. The Processor shall maintain certification under [ISO 27001 / SOC 2 Type II / equivalent] throughout the Term.

3. The Processor shall conduct annual security assessments and provide summary reports to the Fiduciary upon request.

2.3 GDPR and Standard Contractual Clauses

When processing involves EU personal data or cross-border transfers, GDPR Article 28 requirements and Standard Contractual Clauses (SCCs) become relevant. Indian companies serving EU customers or with EU subsidiaries must integrate these requirements.

GDPR Article 28 Requirements

Article 28(3) requires that processing by a processor be governed by a contract (or other legal act) that sets out:

  • Subject Matter and Duration: what data is processed, for what, and for how long
  • Nature and Purpose: the processing operations performed
  • Data Categories: the types of personal data processed
  • Data Subject Categories: whose data is being processed
  • Controller Obligations and Rights: what the controller undertakes and what it may require of the processor

The same paragraph, in points (a) to (h), fixes the processor's own obligations, which every DPA must reproduce: process only on documented instructions (including for transfers to third countries); ensure that personnel are bound to confidentiality; take the security measures required by Article 32; engage sub-processors only under the conditions of Article 28(2) and (4); assist the controller with data subject requests and with its Article 32 to 36 duties; delete or return the data at the end of the service; and make available all information needed to demonstrate compliance, including audits and inspections.

Standard Contractual Clauses (SCCs)

The European Commission's 2021 SCCs (Implementing Decision (EU) 2021/914) are modular clauses that provide appropriate safeguards under Article 46(2)(c) GDPR for transfers of personal data to third countries. Module Two (Controller to Processor) is the one most DPAs use. Note that they cover EEA data only: UK transfers require the ICO's International Data Transfer Addendum to the EU SCCs (or the standalone IDTA), and Swiss transfers need the adaptations recognised by the FDPIC, so a clause that sweeps UK and Swiss data into the EU SCCs must state how those adaptations apply.

SCC Modules

  • Module 1: Controller to Controller
  • Module 2: Controller to Processor
  • Module 3: Processor to Processor
  • Module 4: Processor to Controller

Most DPAs use Module 2, where an EU controller engages a non-EU processor.

Integrating SCCs into DPAs

SCC Integration Clause
CROSS-BORDER TRANSFER MECHANISM

1. Applicability: This Section applies where Personal Data originating from the European Economic Area ("EEA"), United Kingdom, or Switzerland is transferred to the Processor in [India/other country].

2. Transfer Mechanism: Such transfers shall be governed by the Standard Contractual Clauses adopted by European Commission Decision 2021/914 ("SCCs"), Module Two (Controller to Processor), which are incorporated herein by reference and attached as Annex [X]. [For UK data: as amended by the ICO International Data Transfer Addendum. For Swiss data: with the adaptations required by the FDPIC.]

3. SCC Annexes: The following information is incorporated into the SCCs:

   Annex I.A - List of Parties:
      Data Exporter: [Controller name, address, contact, activities]
      Data Importer: [Processor name, address, contact, activities]

   Annex I.B - Description of Transfer:
      Categories of Data Subjects: [Customers, employees, etc.]
      Categories of Personal Data: [Contact details, transaction data, etc.]
      Sensitive Data: [If applicable, with specific safeguards]
      Frequency of Transfer: [Continuous/batch/ad hoc]
      Nature of Processing: [Storage, analysis, customer support, etc.]
      Purpose: [Service delivery, as specified in main agreement]
      Retention Period: [Duration of services + X months]

   Annex I.C - Competent Supervisory Authority: [Relevant EU DPA based on Controller establishment]

   Annex II - Technical and Organizational Measures: [Reference to Security Schedule or detailed TOMs]

   Annex III - List of Sub-processors: [Cross-reference to the Approved Sub-processor List; required where Clause 9 Option 1 (specific prior authorisation) is selected]

4. Conflict: In case of conflict between this DPA and the SCCs, the SCCs shall prevail to the extent of such conflict.

5. Supplementary Measures: The Processor shall implement the supplementary measures specified in Annex [Y] to address any gaps identified in the Transfer Impact Assessment.

2.4 Essential DPA Clauses

Beyond regulatory minimums, effective DPAs include detailed operational clauses that address real-world scenarios and potential disputes.

Sub-Processor Management

Sub-Processor Clause
SUB-PROCESSORS

1. Authorization: The Processor shall not engage any Sub-processor without prior [specific written / general written] authorization from the Fiduciary.

2. General Authorization: The Fiduciary provides general authorization for the Sub-processors listed in Schedule [X] ("Approved Sub-processor List") as of the Effective Date.

3. New Sub-processors: The Processor shall notify the Fiduciary at least [30/45/60] days before engaging any new Sub-processor. The notice shall include:
   - Sub-processor identity and location
   - Processing activities to be performed
   - Security certifications held
   - Data categories to be processed

4. Objection Right: The Fiduciary may object to a new Sub-processor within [15/30] days of notice by providing reasonable grounds. If an objection is raised:
   a) The Parties shall negotiate in good faith to resolve the concerns
   b) If unresolved within [30] days, the Fiduciary may terminate the affected Services without penalty

5. Flow-Down: The Processor shall impose data protection obligations on Sub-processors no less protective than this DPA. The Processor remains fully liable for Sub-processor acts and omissions.

6. Due Diligence: Before engaging any Sub-processor, the Processor shall conduct due diligence on the Sub-processor's ability to meet security and compliance requirements.

Breach Notification

Breach Notification Clause
PERSONAL DATA BREACH NOTIFICATION

1. Definition: "Personal Data Breach" means any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

2. Notification Timeline: The Processor shall notify the Fiduciary of any Personal Data Breach without undue delay and in any event within [24/48/72] hours of becoming aware.

3. Notification Content: The notification shall include:
   a) Description of the nature of the breach
   b) Categories and approximate number of Data Principals affected
   c) Categories and approximate number of records concerned
   d) Name and contact details of the Processor's point of contact
   e) Likely consequences of the breach
   f) Measures taken or proposed to address the breach
   g) Measures to mitigate possible adverse effects

4. Ongoing Updates: If complete information is not available at initial notification, the Processor shall provide information in phases as it becomes available, with updates at least every [24] hours until the investigation is complete.

5. Cooperation: The Processor shall:
   a) Cooperate with the Fiduciary's investigation
   b) Preserve evidence and maintain chain of custody
   c) Not communicate with regulators or affected individuals without the Fiduciary's prior approval (except as legally required)
   d) Provide reasonable assistance with regulatory notifications

6. Remediation: The Processor shall implement appropriate measures to remediate the breach and prevent recurrence, subject to Fiduciary approval for measures affecting the Services.

Data Return and Deletion

Data Return/Deletion Clause
DATA RETURN AND DELETION

1. Upon Termination: Within [30/60/90] days following termination or expiration of the Agreement, the Processor shall, at the Fiduciary's election:
   a) Return all Personal Data to the Fiduciary in a structured, commonly used, machine-readable format; and/or
   b) Securely delete all Personal Data and certify such deletion

2. Deletion Standard: Deletion shall be performed using industry-standard secure deletion methods that render Personal Data unrecoverable, including:
   - Cryptographic erasure (destruction of the encryption keys) for encrypted data
   - Overwriting of magnetic media in accordance with NIST SP 800-88
   - Physical destruction for non-reusable media

3. Certification: The Processor shall provide written certification signed by an authorized officer confirming:
   - All Personal Data has been deleted
   - Deletion was performed per the specified standards
   - No copies are retained except as specified below

4. Retention Exception: The Processor may retain Personal Data only to the extent required by applicable law, provided:
   a) The Processor notifies the Fiduciary of the retention requirement
   b) Retention is limited to the legally required scope and duration
   c) Confidentiality and security obligations continue to apply
   d) Upon expiry of the retention period, the data is deleted per the above

5. Sub-processor Deletion: The Processor shall ensure all Sub-processors delete Personal Data within the same timeframe and provide consolidated certification.
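Item 2 of the clause lists cryptographic erasure, but a Processor can only certify it if its system was built so that one Data Principal's data can be made unrecoverable without touching anyone else's, including copies sitting in backups. The Python below is an added illustration, not part of the course materials or any vendor's product: every Data Principal gets its own data-encryption key (DEK), records are stored only as ciphertext, and erasure destroys the DEK and returns the facts an officer would put in the certification. A SHAKE-256 keystream with an HMAC tag stands in for the AES-256 the security clause names (an assumption made so the example runs on the standard library; use a real AEAD and a KMS or HSM in production), and the sample records are constructed.

```python
"""Cryptographic erasure with one DEK per Data Principal (illustrative, stdlib only)."""
import hashlib
import hmac
import secrets
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHAKE-256 keystream stands in for AES-256 here; do not use in production.
    return hashlib.shake_256(b"stream|" + key + nonce).digest(length)


def encrypt(key: bytes, plaintext: bytes) -> tuple[bytes, bytes, bytes]:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce, ct, tag


def decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class CryptoShredStore:
    """Records live only as ciphertext under a per-principal DEK.

    Erasing a principal destroys the DEK, so every copy of that principal's
    ciphertext (including backups the Processor cannot purge on day one)
    becomes unrecoverable, while other principals' data is untouched.
    """

    def __init__(self) -> None:
        self._deks: dict[str, bytes] = {}  # stands in for a KMS / HSM key store
        self._records: list[tuple[str, bytes, bytes, bytes]] = []  # (principal, nonce, ct, tag)

    def put(self, principal_id: str, data: bytes) -> None:
        dek = self._deks.setdefault(principal_id, secrets.token_bytes(32))
        nonce, ct, tag = encrypt(dek, data)
        self._records.append((principal_id, nonce, ct, tag))

    def get(self, principal_id: str) -> list[bytes]:
        dek = self._deks[principal_id]  # KeyError once the DEK has been shredded
        return [decrypt(dek, n, c, t) for p, n, c, t in self._records if p == principal_id]

    def erase(self, principal_id: str) -> dict:
        """Destroy the DEK; return the facts needed for the deletion certificate."""
        dek = self._deks.pop(principal_id)
        fingerprint = hashlib.sha256(dek).hexdigest()[:16]  # identifies the key without revealing it
        affected = sum(1 for r in self._records if r[0] == principal_id)
        return {
            "principal_id": principal_id,
            "dek_fingerprint": fingerprint,
            "records_affected": affected,
            "method": "cryptographic erasure",
            "erased_at": int(time.time()),
        }

    def is_erased(self, principal_id: str) -> bool:
        """True when no DEK remains and no surviving key can open the leftover ciphertext."""
        if principal_id in self._deks:
            return False
        for p, nonce, ct, tag in self._records:
            if p != principal_id:
                continue
            for other_key in self._deks.values():
                try:
                    decrypt(other_key, nonce, ct, tag)
                    return False  # key isolation broken: another DEK opened this record
                except ValueError:
                    pass
        return True


if __name__ == "__main__":
    store = CryptoShredStore()
    store.put("dp-001", b"name=A. Sharma; phone=+91-00000-00000")  # constructed sample
    store.put("dp-002", b"name=R. Iyer; email=r.iyer@example.com")  # constructed sample
    print(store.get("dp-001"))
    print(store.erase("dp-001"))
    print(store.is_erased("dp-001"), store.get("dp-002"))
```

The certificate returned by `erase` carries the key fingerprint and record count, which is what lets the "authorized officer" in item 3 sign something verifiable rather than a bare assertion; `is_erased` is the check an auditor can rerun against retained ciphertext after the key store has been purged.
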
Negotiation Tip

Processors often push back on short breach notification timelines. A workable compromise is tiered notification: an initial notice of a suspected breach within 24 hours, followed by the detailed information within 72 hours. This balances the Fiduciary's need for speed against the Processor's need to investigate. Whatever numbers are agreed, work backwards from the Fiduciary's own clocks: under GDPR Article 33(1) the controller has 72 hours from becoming aware to notify the supervisory authority, and under DPDPA Section 8(6) the Fiduciary must intimate the Data Protection Board and each affected Data Principal in the form and time prescribed by the rules. A Processor deadline of 72 hours leaves the Fiduciary no time at all.

2.5 DPA Drafting Best Practices

Negotiation Strategy

  1. Start with Your Template: Always negotiate from your DPA template rather than the vendor's to maintain favorable terms
  2. Prioritize Non-Negotiables: Identify 3-5 clauses that cannot be compromised (breach notification, audit rights, liability)
  3. Build in Flexibility: Use reasonableness standards and mutual agreement provisions for operational clauses
  4. Address Cloud-Specific Issues: Multi-tenancy, data location, shared responsibility models
  5. Future-Proof: Include change of law provisions and mechanism for updating security standards

Common Negotiation Pitfalls

  • Accepting Limitation of Liability: Processors often cap liability at fees paid; push for carve-outs for data breaches and indemnification for regulatory fines
  • Waiving Audit Rights: Accept third-party audit reports (SOC 2) as alternative, but retain right to audit for cause
  • Vague Sub-processor Language: Ensure specific notification and objection rights, not just "reasonable efforts"
  • One-Sided Termination: Ensure you can terminate for material breach with reasonable cure period

"The best DPA is one that neither party hopes to enforce -- because clear terms prevent disputes. Draft for the relationship, not the litigation." Adv. (Dr.) Prashant Mali

Part 2 Assessment

Test your understanding of Data Processing Agreements

Question 1 of 10
Under DPDPA Section 8, what is the maximum penalty for a Data Fiduciary that engages a Data Processor without a valid contract?
Explanation

Under the Schedule to DPDPA 2023, the highest penalty, up to Rs. 250 Crore, attaches to a breach of the Data Fiduciary's obligation under Section 8(5) to take reasonable security safeguards, an obligation that expressly covers processing done on its behalf by a Data Processor. Engaging a processor without a valid contract leaves the Fiduciary with no enforceable means of securing that processing, so it is treated as a failure of the Fiduciary's security obligations and exposed to the Rs. 250 Crore ceiling. A breach of Section 8(2) that does not amount to a security failure falls under the residual head of the Schedule, up to Rs. 50 Crore.
