
Data Processing Agreements (DPAs): Structure, Purpose & Key Clauses Under the DPDP Act, 2023

  • Writer: Crypticroots
  • 5 days ago

Behind every modern business lies a network of third parties, such as cloud providers, payment gateways and analytics tools, each handling personal data in some form. But who is responsible when something goes wrong?

This is where a Data Processing Agreement (DPA) becomes critical under the Digital Personal Data Protection Act, 2023.

This post explains what a DPA is, why it matters, and how it is structured in practice.


1. What is a Data Processing Agreement (DPA)?

A DPA is a contract between a Data Fiduciary and a Data Processor.

  • The Data Fiduciary determines the purpose and means of processing personal data

  • The Data Processor processes personal data on behalf of the Data Fiduciary

Core Idea: Even if processing is outsourced, legal responsibility does not disappear. Section 8(1) of the DPDP Act makes the Data Fiduciary responsible for compliance in respect of any processing undertaken by it or on its behalf by a Data Processor, irrespective of any agreement to the contrary, and Section 8(2) permits a fiduciary to engage a processor only under a valid contract. The DPA is that contract.


2. Why DPAs are Important

DPAs ensure:

  • Accountability in third-party data handling

  • Clear allocation of responsibilities between fiduciary and processor

  • A contractual basis for recovering losses and compelling cooperation in case of breaches

Practical Insight: A large share of breaches originate with third-party vendors rather than within the organisation itself. The DPA is the fiduciary's first contractual line of defence, but it is a legal control, not a technical one: it only works if it is backed by vendor due diligence before signing and by monitoring during the relationship.


3. When is a DPA Required?

A DPA is required whenever a Data Fiduciary engages a Data Processor to handle personal data on its behalf, in particular where:

  • Personal data is shared with external service providers

  • Processing is outsourced (e.g., cloud storage, payroll, analytics)

Examples:

  • Using a cloud hosting provider

  • Engaging a marketing automation platform

  • Outsourcing HR or payroll processing


4. Typical Structure of a DPA

The DPDP Act requires a valid contract but does not itself enumerate the clauses that contract must contain, so structure is driven by market practice. While formats vary, most DPAs include:

  1. Definitions

  2. Scope and Purpose of Processing

  3. Obligations of the Processor

  4. Obligations of the Fiduciary

  5. Security Measures

  6. Sub-processing (further outsourcing)

  7. Data Breach Notification

  8. Data Retention and Deletion

  9. Audit and Inspection Rights

  10. Liability and Indemnity


5. Understanding Key Clauses (With Illustrative Language)

The clauses below reflect how DPAs are generally structured in practice.


A. Scope and Purpose of Processing

Purpose: Define what data is processed, for whom, and why. In practice this is recorded in a schedule listing the categories of personal data, the categories of Data Principals, the processing activities and the duration.

Illustrative Language:

The Processor shall process personal data solely for the purposes specified by the Data Fiduciary and in accordance with the Data Fiduciary's documented instructions.

B. Processor Obligations

Typically includes:

  • Processing only on instructions

  • Maintaining confidentiality

  • Ensuring security measures

Illustrative Language:

The Processor shall not process personal data except on documented instructions from the Data Fiduciary.

C. Security Safeguards

Focus: Protecting personal data against unauthorised access, alteration, disclosure or loss. Section 8(5) of the Act requires the fiduciary to take reasonable security safeguards to protect personal data, including data processed on its behalf by a processor, so this clause is how the fiduciary passes that duty down.

Illustrative Language:

The Processor shall implement appropriate technical and organizational measures to ensure the security of personal data.

Caveat: Language of this kind is the minimum, not a good clause. A bare reference to "appropriate measures" is hard to enforce; stronger DPAs attach a security schedule that names concrete controls (encryption in transit and at rest, access control and logging, patching timelines, background checks for staff) or references a recognised standard such as ISO/IEC 27001.

D. Sub-Processing Clause

Purpose: Control further outsourcing. The fiduciary's responsibility under Section 8(1) extends to processing "on its behalf", which includes the processor's own vendors.

Illustrative Language:

The Processor shall not engage another processor without prior authorization from the Data Fiduciary.

In practice the clause also requires the processor to flow down the same obligations to each sub-processor, to maintain a current list of sub-processors, and to remain liable to the fiduciary for their acts and omissions.

E. Data Breach Notification

Critical clause in practice. Under Section 8(6) of the Act, it is the Data Fiduciary that must intimate the Data Protection Board of India and each affected Data Principal of a personal data breach. The fiduciary can only do so if the processor tells it in time.

Illustrative Language:

The Processor shall promptly notify the Data Fiduciary upon becoming aware of any personal data breach.

"Promptly" should be replaced with a defined period measured in hours, and the clause should specify what the notification must contain (nature of the breach, data and Data Principals affected, mitigation taken) and oblige the processor to cooperate with the fiduciary's investigation and statutory notifications.

F. Data Retention and Deletion

Focus: What happens after processing ends.

Illustrative Language:

Upon termination, the Processor shall delete or return all personal data, unless retention is required by law.

A well-drafted clause also covers copies held in backups and by sub-processors, and requires the processor to certify in writing that deletion has been completed.

G. Audit and Inspection Rights

Purpose: Allow the fiduciary to verify compliance rather than rely on the processor's word.

Illustrative Language:

The Data Fiduciary may audit the Processor's data handling practices upon reasonable notice.

Larger processors frequently resist on-site audits and instead offer independent audit reports or certifications; the negotiated middle ground is usually to accept such reports, with a right to audit directly if a breach occurs or the reports reveal a material gap.

H. Liability and Indemnity

Focus: Allocation of risk between the parties.

Illustrative Language:

The Processor shall be liable for damages arising from non-compliance with its obligations under this Agreement.

This clause is read together with any limitation of liability in the main services agreement; a liability cap in that agreement can hollow out an otherwise strong DPA, so the two must be checked side by side.

6. Practical Insights from Real-World Use

  • DPAs are often standardized templates, but require customization to the actual data and processing involved

  • Large companies impose strict DPA terms on their vendors

  • Negotiation usually happens around liability, audit and breach notification clauses

Key Reality: Smaller vendors often resist stringent obligations.


7. Common Issues in Practice

  • Signing DPAs without reviewing the vendor's actual practices

  • Weak or vague security clauses with no concrete controls attached

  • No defined breach notification timelines, leaving the fiduciary unable to meet its own obligations

  • Ignoring sub-processing risks and losing visibility of where data actually goes


8. How to Approach This as a Law Student

Focus on:

  • Understanding the relationship between fiduciary and processor

  • Identifying risk allocation in contracts

  • Observing how legal obligations translate into contractual clauses


Conclusion

A Data Processing Agreement is not just a contractual formality, it is a core compliance tool that governs how personal data is handled beyond the organization. Understanding its structure and purpose reflects a deeper grasp of both data protection law and commercial contracting.

