Who Signs Data Processing Agreement

Data processing agreements (DPAs) are becoming increasingly important in today`s world, where personal data is being constantly exchanged and processed. A DPA is a legally binding agreement between two parties (controller and processor) that outlines how the processor will handle personal data on behalf of the controller, in compliance with data protection laws. But who exactly should sign a DPA? In this article, we’ll explore the parties involved in a DPA and who should sign it.

Who Needs to Sign a DPA?

There are two parties involved in a DPA:

1. Data Controller: The data controller is the entity that determines the purpose and means of processing personal data. They are responsible for ensuring compliance with applicable data protection laws, including GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act). The data controller can be an individual or an organization.

2. Data Processor: The data processor is the entity that processes personal data on behalf of the data controller. They can be a third-party service provider, such as a cloud service provider, IT support company, or marketing agency. The data processor is responsible for ensuring that they comply with the data protection laws and the terms of the DPA.

Both the data controller and data processor need to sign the DPA. The data controller is responsible for ensuring that the data processor adheres to the terms of the DPA and the relevant data protection laws. The data processor is responsible for handling personal data in accordance with the DPA and the data controller`s instructions.

In some cases, there may be multiple data controllers involved, such as when several organizations collaborate on a data project. In such cases, the data controllers should sign a joint DPA, outlining their respective responsibilities.

What Should a DPA Include?

A DPA should include the following:

1. Scope and purpose: The DPA should define the scope and purpose of the processing activity, including the types of personal data being processed, the categories of data subjects, and the duration of the processing.

2. Obligations of the data processor: The DPA should outline the obligations of the data processor, such as confidentiality, data security, and notification of data breaches.

3. Obligations of the data controller: The DPA should outline the obligations of the data controller, such as ensuring that personal data is accurate, up-to-date, and relevant.

4. Data subjects` rights: The DPA should outline how data subjects can exercise their rights under GDPR or CCPA, such as the right to access, rectify, or delete their personal data.

5. Liability and indemnification: The DPA should outline the liability and indemnification provisions, including any limitations on liability.

6. Termination and suspension: The DPA should outline the circumstances under which the DPA can be terminated or suspended.


In conclusion, both the data controller and data processor need to sign a DPA to ensure compliance with data protection laws and protect data subjects` rights. The DPA should include key provisions such as scope, obligations, data subjects` rights, liability, and termination. By signing a DPA, both parties are legally bound to comply with the terms of the DPA and data protection laws.