👋 This resource is built and maintained by Privasee. For more context please see the full blog post here.
Checklist
Use this checklist to make sure that your Data Processing Agreement includes all of the items listed below:
⬜ We have established the roles in the DPA (is the sender a controller or processor, is the recipient a controller or processor).
⬜ We have linked it to our terms of service agreement.
⬜ We have defined the terms or duration of the processing of personal data.
⬜ We have decided on our breach notification period.
⬜ We have decided on our Sub-processor Notification Period.
⬜ We have decided whether to include a liability cap or not and if so, added the cap amount.
⬜ We have explained the governing law and jurisdiction of the Data Processing Agreement.
⬜ We have explained the Data Protection Regulations which apply (UK GDPR, EU GDPR, CCPA, CPRA...).
⬜ We have described the services that are related to the processing of personal data.
⬜ We have explained the nature and purpose of processing.
⬜ We have explained what personal data is going to be transferred.
⬜ We have explained who the individuals are whose Personal Data is being transferred.
⬜ We have indicated which transfer mechanisms will be used if the data is being transferred outside of the EEA, UK or AC.
⬜ We have explained the Security Measures (Technical and organisational measures) that will protect personal data.
⬜ We have explained the sub-processors that we will use alongside the purpose for using them, the country where the data will reside and the sub-processor security measures (or technical and organisational measures).
⬜ We have set out the controller obligations.
⬜ We have set out the processor obligations.
How can Privasee help?
Privasee has a Data Processing Agreement and Security Measures module that can help you generate all the Data Processing Agreements that you may need. It can help you:
Include the necessary clauses of a Data Processing Agreement
Evaluate if you need Standard Contractual Clauses
Evaluate if you need the UK International Data Transfer Agreement or Addendum
Keep a list of sub-processors
Identify the terms that are most friendly to you
Keep your Data Processing Agreement up to date if anything changes in the legislation (for example complying with deadlines of the recent update to SCCs or the introduction of the requirement to add UK IDTAs)
Keep your Data Processing Agreement up to date if anything changes in your company (you add new features, change the data you use to provide your service or add or remove tools and third parties used in your company)
⚠ Disclaimer
The information presented in this document is not the same as legal advice, where a lawyer applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. You may not rely on this as legal advice, nor as a recommendation of any particular legal understanding.