Data Protection (DPA) Clause

A provision, often a standalone data processing agreement, that governs how a vendor processes personal data on a customer's behalf and meets privacy-law requirements.

Reviewed by: GC AI Solutions Team

Updated: June 2026

Definition

A data protection clause, frequently a standalone data processing agreement (DPA), governs how one party processes personal data on another's behalf. It assigns the controller and processor roles, limits the processor to the controller's documented instructions, and requires confidentiality, security measures, sub-processor controls, breach notification, and assistance with data-subject requests. For transfers out of the EEA or UK, it incorporates the Standard Contractual Clauses (or, for UK transfers, the UK Addendum or International Data Transfer Agreement). GDPR Article 28(3) requires most of these terms in a written contract whenever a processor handles personal data on a controller's behalf, so the DPA is less negotiable on substance and more about scope, liability, and the sub-processor and audit mechanics.

  • Assigns controller and processor roles and limits processing to documented instructions

  • Requires confidentiality, security measures, and assistance with data-subject requests

  • Controls the use of sub-processors and the right to object to new ones

  • Sets breach-notification duties and timing

  • Governs international transfers, incorporating the Standard Contractual Clauses

As US state privacy laws proliferate, DPAs increasingly map a single set of obligations to both GDPR processor duties and CCPA service-provider terms.

What It Does

A data protection clause is the part of a commercial contract that privacy regulators actually read. It sets the rules for handling personal data when one company processes it for another. Privacy law, led by the GDPR, requires a written agreement with specific terms before a processor can touch a controller's personal data, so wherever the GDPR applies the clause is a legal requirement rather than a nicety. For in-house counsel, the substance is largely fixed by statute, and the leverage is in scope, sub-processor approval, breach-notice timing, audit rights, and how liability for a breach is allocated. The operative questions are who is controller and who is processor, what instructions bind the processor, and how transfers and sub-processors are handled. A practical test: if a vendor can add sub-processors or move data overseas without telling you, your DPA is not protecting your data subjects.

When You'll See It

The data protection clause appears in SaaS and cloud agreements, service agreements and SLAs, vendor and outsourcing contracts, marketing and analytics deals, research collaborations, and transition services agreements. It is usually a standalone DPA attached to the main contract, with the Standard Contractual Clauses as an addendum for cross-border transfers. It is most heavily negotiated in enterprise SaaS, where sub-processor lists, audit rights, and breach-liability caps are the live issues.

It matters most wherever a vendor touches personal data the customer is responsible for, such as a cloud platform, a payroll provider, or an analytics tool. The more personal data a vendor processes, the more the DPA carries the privacy-compliance load.

Examples

Relativity ODA LLC / KLDiscovery Ontrack, LLC
Data Processing Agreement, 2023 (controller-processor: documented instructions; mutual)

"The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement[...]"

Relativity ODA LLC / KLDiscovery Ontrack, LLC
Data Processing Agreement, 2023 (sub-processor authorization; mutual)

"The processor has the controller's general authorisation for the engagement of sub-processors from an agreed list. The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least 30[...]"

Alliance Data Systems Corporation / Loyalty Ventures Inc.
Transition Services Agreement, 2021 (documented instructions + EEA transfer; mutual)

"[the processor shall process the personal data] for the sole purpose of providing the Services and only on documented instructions from the controller, including with regard to transfers of personal data outside the European Economic Area or to an international organization[...]"

Amgen Inc. / RBNC Therapeutics, Inc.
Research Collaboration and License Agreement, 2021 (Personal Information + third-country transfer; mutual)

"[the Processing Party shall:] (i) process the Personal Information only on documented instructions from the controller and in accordance with applicable Law, including with regard to transfers of Personal Information to a third country or an international organization[...]"

Negotiate

If you're the controller

Customer, you want protection

  • Bind the processor to your documented instructions and bar any other use of the data.

  • Require advance notice and a right to object before any new sub-processor is added.

  • Set a short, fixed breach-notification window, measured in hours where you can get it. Under GDPR Article 33 the controller must notify the supervisory authority within 72 hours of becoming aware where feasible, so the processor's notice must land well inside that clock.

  • Keep meaningful audit rights and require deletion or return of data on termination.

  • Incorporate the current Standard Contractual Clauses for any transfer outside the EEA, and the UK Addendum or International Data Transfer Agreement for transfers outside the UK.

  • Get an indemnity for losses caused by the processor's breach of the DPA or of privacy law, sitting outside (or carved out of) the general liability cap.

If you're the processor

Vendor, you want workable terms

  • Limit instructions to the documented scope and charge for work beyond it.

  • Use a general sub-processor authorization with a notice-and-object process, not per-vendor consent.

  • Tie breach notification to "without undue delay" after confirmation, not on mere suspicion.

  • Scope audits to once a year on notice, or to a third-party report such as a SOC 2 or ISO 27001 certification.

  • Cap data-protection liability and align it with the agreement's overall liability terms.

Most of a DPA is fixed by law. Spend your time on sub-processors, breach timing, and who pays when data leaks.

Red Flags

  • A processor permitted to use the data for its own purposes, beyond the controller's instructions.

  • Sub-processors allowed with no notice or right to object, so your data moves to unknown vendors.

  • A vague breach-notification trigger or a long window that delays your own regulatory deadlines.

  • No transfer mechanism for data leaving the EEA or UK, leaving cross-border processing non-compliant.

  • A data-protection liability carve-out or cap that leaves the controller exposed for the processor's breach.

Related Clauses

Confidentiality

A contractual provision requiring one or both parties to keep specified information secret and use it only for an agreed purpose.

Indemnification

A contractual provision in which one party agrees to cover specified losses or third-party claims that the other party incurs.

Limitation of Liability

A contractual provision that caps the amount and types of damages one party can recover from the other.

Representations and Warranties

A set of factual statements each party makes about itself and the deal, which the other party relies on and can sue over if they prove untrue.

Notices

A provision, also called a notice provision, setting how the parties must deliver formal communications under the contract and when those notices count as legally received.

This content is for informational purposes only and does not constitute legal advice.
