Contracts that Count: Mastering the 10 Most Negotiated Provisions in a Data Processing Agreement

Privacy PowerUp #12

When it comes to privacy contracting, the Data Processing Agreement (DPA) is more than just paperwork. It is the foundation of trust between data controllers and processors: it defines how personal data is handled, how it is protected, and who carries which risk when something goes wrong.

Whether you’re overseeing a global compliance program or managing third-party risk for your organization, understanding the most negotiated provisions in a DPA is essential. These terms don’t just impact legal exposure; they influence operational efficiency, business resilience, and regulatory alignment. In an era when data is both an asset and a liability, knowing how to negotiate a DPA confidently is critical.

Let’s walk through the 10 most debated and impactful sections of a DPA so you can approach your next negotiation with clarity and conviction.

1. Scoping: Define the data game plan

Every DPA begins with a scoping exercise, and it’s one of the most revisited parts of the negotiation. Why? Because it frames the entire agreement.

Key factors include:

  • Types of data: Are you dealing with employee data, consumer financials, or health information? The sensitivity level determines downstream obligations.
  • Volume: A processor handling millions of records has a drastically different risk profile than one supporting a handful of service tickets.
  • Nature of processing: Is the data being stored passively, or actively analyzed and enriched?
  • Relationship of the parties: Are you operating in a controller–processor structure, or as joint controllers? This defines who is responsible and liable for what. Note that joint controllers need an Article 26 arrangement allocating their respective responsibilities, not a processor-style DPA, so getting this classification wrong early means negotiating the wrong document.

When the scope is vague, risk thrives. When the scope is clear, responsibilities are aligned.

2. Limitations on use: Draw clear boundaries

Under GDPR Article 28(3)(a), a processor may process personal data only on documented instructions from the controller (Article 29 adds that anyone acting under the processor's authority is bound the same way). That sounds simple until future use cases, like analytics or AI training, enter the conversation.

Typical negotiation questions include:

  • Can data be repurposed for machine learning or benchmarking?
  • Should the DPA include room for evolving business models?
  • Will overly narrow terms stifle innovation, or will vague terms invite misuse?

The goal is to strike a practical balance: enough specificity to ensure legal compliance, with enough flexibility to accommodate legitimate business growth. A useful test is whether a proposed use could be written down as a documented instruction today; if it cannot, the DPA should say how such instructions will be added later rather than leaving the door open.

3. Subprocessors: Managing the vendor chain

Subprocessing introduces new layers of risk. Under Article 28(2), a processor may not engage another processor without the controller's prior specific or general written authorization, so the authorization must be in place before data changes hands. Article 28(4) then requires the processor to flow the same data protection obligations down to each subprocessor and keeps the processor fully liable to the controller for the subprocessor's performance.

Three areas tend to drive negotiations:

  • Specific vs. general authorization: Should every new subprocessor require approval, or is notice and objection sufficient?
  • Objection procedures: If a controller pushes back, does it trigger a timeline for resolution or termination rights?
  • Transparency and reporting: Will there be ongoing visibility into subprocessor lists and activities?

Subprocessor clauses are increasingly scrutinized as organizations strengthen their vendor risk programs. Controllers want assurance that their data won’t be passed down the line without oversight.

4. Security incident notification: Set realistic timelines

The GDPR requires that processors notify controllers of a personal data breach "without undue delay" after becoming aware of it (Article 33(2)), but that phrase leaves too much room for interpretation.

Controllers typically push for defined timelines such as 24 or 48 hours, because they themselves must notify the supervisory authority within 72 hours of becoming aware of a breach (Article 33(1)) and a late processor notification eats into that window. Processors, however, may resist due to internal limitations or dependencies on upstream vendors, and may prefer "confirmed" rather than "suspected" breaches as the trigger.

Other common areas of negotiation include:

  • What qualifies as a notifiable incident?
  • Do attempted breaches or outages count?
  • Will the processor offer regular updates or just a single notification?

Precise language here helps ensure that the controller isn't left in the dark during critical moments. The GDPR's own definition (Article 4(12)) is a useful anchor: a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. On that definition an outage that makes personal data unavailable can qualify, while a blocked attempt generally does not, and the DPA should say which of these the notification clause covers.

5. Security incident remediation: Who does what and when?

After a breach is reported, what happens next? This section addresses the collaborative response between the controller and the processor.

Key considerations:

  • Remediation expectations: What actions must the processor take, and are they clearly outlined?
  • Controller involvement: Does the controller have a say in the response strategy?
  • Escalation paths: Who are the designated contacts on both sides?

The DPA should provide structure, not confusion, in moments of crisis. Timely, well-documented remediation protects both parties from compounding the damage.

6. Audit rights: Trust, but verify

Article 28(3)(h) requires processors to make available all information necessary to demonstrate compliance and to allow for and contribute to audits, including inspections, conducted by the controller or an auditor the controller mandates. That right is frequently narrowed in negotiation due to concerns over cost, burden, and confidentiality.

Discussion points typically include:

  • Use of third-party certifications: Can a SOC 2 Type II report or an ISO 27001 certificate satisfy audit requirements? Controllers should check that the report's scope actually covers the systems and locations that process their data; a certificate attests to a management system, not to any particular processing activity.
  • Cost allocation: Who covers expenses for on-site audits?
  • Frequency and scheduling: Are audits limited to once per year? How much advance notice is required?
  • Confidentiality obligations: How is proprietary information protected during the audit process?

A well-crafted audit clause balances transparency with practicality, ensuring accountability without unnecessary disruption.

7. Indemnity and limitation of liability: Navigating legal exposure

Controllers often want strong indemnity language for breaches, noncompliance, and third-party claims. Processors, understandably, push back with limitation of liability clauses.

Points of friction often include:

  • Whether indemnity applies only to violations of the DPA or extends to broader regulatory noncompliance.
  • Whether caps are tied to contract value, annual fees, or another metric.
  • Whether certain types of liability (like gross negligence or willful misconduct) should be excluded from the cap.

This provision is often one of the last and toughest to resolve. The stakes are high, and both sides need to be aligned on how much risk they’re willing to bear.

8. Standard Contractual Clauses (SCCs): Cross-border clarity

With data flowing across borders, SCCs are essential tools to safeguard personal data in jurisdictions without an adequacy decision.

Negotiation areas include:

  • Optional clauses: Should the parties include discretionary terms from the SCCs, such as the docking clause (Clause 7) that lets additional parties accede later?
  • Annexes I–III: How detailed should the documentation be? Annex I describes the parties and the transfer, Annex II lists the technical and organizational measures, and Annex III lists approved subprocessors. Too much information may feel risky; too little invites regulator scrutiny.
  • Technical and organizational measures (TOMs): Are the Annex II measures mirrored from the main DPA? Should they be more prescriptive?

In the post-Schrems II environment, correctly implementing SCCs is not just best practice—it's table stakes. Since the 2021 SCCs, that also means documenting the assessment of the destination country's laws that the clauses themselves require (Clause 14), and keeping it available to the supervisory authority on request.

9. Data Subject Access Requests (DSARs): Define the division of labor

Article 28(3)(e) requires processors to assist controllers, by appropriate technical and organizational measures, in responding to requests from data subjects exercising their rights. That requirement is often interpreted differently by the two sides.

Negotiation often centers around:

  • Timelines: Under GDPR, controllers must respond within one month, extendable by up to two further months for complex or numerous requests (Article 12(3)). They may ask processors for turnaround in days, not weeks, so that identity verification, review, and redaction still fit inside that window.
  • Level of support: Is the processor providing raw data only? What about redactions, formatting, or identity verification?

Controllers want meaningful support, and processors want to avoid becoming the controller’s privacy team. Clearly defined responsibilities reduce friction and ensure compliance.

10. Technical and Organizational Measures (TOMs): The foundation of trust

TOMs serve as the security blueprint for data protection and are mandatory under both Articles 28 and 32 of the GDPR: Article 28(1) requires controllers to use only processors providing sufficient guarantees to implement appropriate TOMs, Article 28(3)(c) obliges the processor to take all measures required under Article 32, and Article 32 itself sets the risk-based standard for security of processing.

Issues typically debated:

  • Whose TOMs govern—the controller’s, the processor’s, or a hybrid approach?
  • How much detail is included? Controllers often want specifics, while processors may prefer high-level language to maintain operational flexibility.
  • Are TOMs negotiable, or standardized across all customers?

This section should inspire confidence. When security practices are clearly articulated and tailored to risk, both parties benefit from greater clarity and shared expectations.

Privacy contracting is a strategic advantage

Data Processing Agreements are often treated like routine documentation, but they’re anything but. Every DPA is a strategic document that allocates legal risk, defines operational accountability, and serves as a compliance safeguard in an increasingly complex regulatory landscape.

Privacy professionals who understand how to negotiate the most important provisions—scope, use limitations, subprocessing, security, audit rights, liability, SCCs, DSARs, and TOMs—aren’t just managing risk. They’re driving business resilience and enabling data innovation with confidence.

The urgency is real. Regulatory pressure is rising, and enforcement is intensifying. Organizations that overlook the DPA until something goes wrong may find themselves exposed at exactly the wrong time.

Continue mastering the privacy essentials by reviewing all the resources in the Privacy PowerUp series.

Read more from the Privacy PowerUp Series:

  1. Getting Started in Privacy
  2. Data Collection, Minimization, Retention, Deletion, and Necessity
  3. Data Inventories, Mapping, and Records of Process
  4. Understanding Data Subject Rights (Individual Rights) and Their Importance
  5. The Foundation of Privacy Contracting
  6. Choice and Consent: Key Strategies for Data Privacy
  7. Managing the Complexities of International Data Transfers and Onward Transfers
  8. Emerging Technologies in Privacy: AI and Machine Learning
  9. Privacy Program Management: Buy-In, Governance, and Hierarchy
  10. Managing Privacy Across the Organization
  11. Assess the Risk Before it Hits
  12. Contracts that Count
  13. Sell, Share, Beware
  14. Building a Privacy-Approved Vendor Management Program
  15. Tracking Technologies Untangled
  16. Data Inventory: Next-Level Classification for Privacy Professionals
  17. Incident Incoming–Now What?
