What is a Data Processing Agreement (DPA)?

A data processing agreement is a legal contract in which two parties (Data Controller and Data Processor) determine their rights and obligations while involved in data processing.

When is it necessary?

  • A DPA is necessary if your business collects personal information from users and relies on a third party to process the data. It is also needed in order to avoid fines or penalties for non-compliance with data privacy legislation.
  • A DPA helps assure users that the Data Controller is taking ownership of the data collection process because it verifies that the third-party processors it works with treat, handle, and store their information following relevant laws.
  • DPAs are also needed because they protect the Controller by contractually obligating any third-party processors to comply with relevant data privacy laws.
  • Without a DPA in place, there’s a chance the Controller will be held accountable for the third party’s unlawful data processing practices, should any occur.

What are the important Clauses to include in a DPA?

The following clauses should be included in a DPA:

  • Clause on the purpose of processing personal data;
  • Clause on duration of data processing;
  • Clause on obligations of parties;
  • Nature and purpose of the processing;
  • Type of personal data and categories of data subjects;
  • Data collection minimization and processing limits clause;
  • Clause relating to retention and data storage periods;
  • Clause relating to rights of data subjects;
  • Data breach prevention clause;
  • Sub-processing clause;
  • Privacy and confidentiality clause; and
  • Data accuracy clause.

Undertaking of parties to a DPA

  1. The Data Processor must agree to process data only on the written instructions of the Data Controller.
  2. Both parties to a DPA must agree to the confidentiality of those involved in the data processing, e.g. employees, servants, agents, contractors or any other representative.
  3. The parties must list all measures that guarantee the security of the personal data.
  4. The data controller must ensure the delegated functions of the data processor are not outsourced to another data processor without the knowledge and consent of the controller.
  5. Both parties must agree to comply with the Data Protection (General) Regulations 2021 concerning their commitments to the data subjects’ rights; and
  6. Upon termination of the service, the processor must agree to return personal data in its possession to the controller and delete all personal data on its end.

Timelines for taking action, e.g. reporting data breaches

  • For a data access request by a data subject, a data controller or processor shall comply with the request to access their personal data within seven days of the request.
  • Where personal data has been accessed or acquired by an unauthorized person, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorized access, a data controller must notify the Data Commissioner within seventy-two hours of becoming aware of such breach. Where the notification to the Data Commissioner is not made within seventy-two hours, the notification shall be accompanied by reasons for the delay.

Necessary information when reporting a data breach to the ODPC

A notification by a data controller to the Data Commissioner of a notifiable data breach must include:

  1. the date on which and the circumstances in which the data controller or data processor first became aware that the data breach had occurred;
  2. a chronological account of the steps taken by the data controller or data processor after the data controller or data processor became aware that the data breach had occurred, including the data controller or data processor’s assessment that the data breach is a notifiable data breach;
  3. details on how the notifiable data breach occurred, where applicable;
  4. the number of data subjects or other persons affected by the notifiable data breach;
  5. the personal data or classes of personal data affected by the notifiable data breach;
  6. the potential harm to the affected data subjects as a result of the notifiable data breach;
  7. information on any action by the data controller or data processor, whether taken before or to be taken after the data controller or data processor notifies the Data Commissioner of the occurrence of the notifiable data breach to eliminate or mitigate any potential harm to any affected data subject or other person as a result of the notifiable data breach; or address or remedy any failure or shortcoming that the data controller or data processor believes to have caused, or enabled or facilitated the occurrence of, the notifiable data breach;
  8. the affected individuals or the public that the notifiable data breach has occurred and how an affected data subject may eliminate or mitigate any potential harm as a result of the notifiable data breach; or
  9. contact information of an authorized representative of the data controller or data processor.

At aowanga Advocates we are available to assist you in drafting and/or reviewing a DPA. Feel free to contact us on or +254794600191

All rights reserved for A.O.WANGA ADVOCATES