Personal data is now both the primary economic asset and the primary regulatory liability of organizations, and a world that demands more formalized means of sharing and processing data is pushing organizations to evaluate their responsibilities and to formalize their practices through agreements. The two key legal instruments that provide the structures for compliant and accountable data sharing and handling are the Data Processing Agreement (DPA) under the General Data Protection Regulation (GDPR) and the Data Sharing Agreement (DSA) under the Digital Personal Data Protection Act, 2023 (DPDP Act) adopted in India.
Although both of these arrangements establish transparency, accountability, and security, there exist substantial differences across jurisdictions related to the processes, legal architecture, regulatory readiness, and enforcement frameworks. This paper explores the legal foundations of these agreements, critical sections, obligations for parties, challenges, and implications in relation to stakeholder requirements.
I. Legal Foundations and Key Definitions
A. Data Processing Agreement (DPA) – Under GDPR
Article 28(3) of the GDPR states that a Data Processing Agreement is a legally binding agreement between a data controller and data processor. The agreement is in place to ensure that the processor supports and follows the policies of the data controller and collects or uses personal data only according to the instructions of the data controller, and otherwise complies with the GDPR obligations set out in the legislation.
B. Data Sharing Agreement (DSA) – Under India’s DPDP Act
The Data Sharing Agreement is not specifically defined in statute but is implied under Section 8(2) of the DPDP Act, 2023. A DSA is an agreement between a data fiduciary and one or more other fiduciaries or processors, ensuring that the sharing of data has a lawful basis, is bound to the purpose of the sharing, is consented to by the data principal, and can be audited.
C. Scope and Applicability

| Aspect | GDPR (DPA) | DPDP Act (DSA) |
|---|---|---|
| Jurisdiction | EU and EEA | India; includes offshore processing |
| Data Covered | Personal data (broad) | Digital personal data only |
| Applicability | Controller-Processor relationship | Fiduciary-Fiduciary / Processor |
| Mandatory Contract | Yes (Article 28(3)) | Implied via compliance obligations |
II. Contractual Obligations and Clauses
A. Consent Management
- GDPR: Consent must be freely given, specific, informed and unambiguous. Data protection authorities (“DPAs”) must ensure that processors only process data if they have a legal basis to do so (Art. 6 & 7 GDPR).
- DPDP: Consent must be verifiable through Consent Managers, and DSAs should assign and designate responsibility for consent management, including the handling of withdrawal of consent.
Gap in DPDP: There is no clear mechanism for retrospective consent validation or for updating consent.
B. Data Subject Rights
- GDPR: Data subjects are provided enforceable rights on access, rectification, erasure, restriction, portability and objection (Articles 12 to 22).
- DPDP Act: Data principals are provided the following statutory rights:
- Right of access to information about processing (Section 12),
- Right of correction, completion and erasure of personal data (Section 13),
- Right of grievance redressal (Section 14), and
- Right to nominate a representative when incapable, or upon death (Section 15).
Implication: DSAs under DPDP should voluntarily include these rights to align with international best practices.
C. Security and Confidentiality
- GDPR: Article 32 requires use of pseudonymisation, encryption, restricting access, access logs, audit logs, testing resilience.
- DPDP: There are no specified technical standards yet. Significant data fiduciaries must implement safeguards.
Recommendation: DSAs should include specific security obligations which are additional to the general confidentiality obligations.
D. Breach Notification
- GDPR: Controllers must notify the relevant authority within 72 hours. If the breach is likely to result in a high risk for individuals, the individuals must also be notified (Articles 33, 34).
- DPDP: A breach must be reported and notified to the Data Protection Board and affected individuals. There are no prescribed timeframes or format to follow.
Contractual Need: DPDP DSAs should specify breach thresholds, notification chains, and requirements for a set reporting template.
E. Cross-Border Data Transfers
- GDPR: Permissible using SCCs, Binding Corporate Rules (BCRs), or adequacy decisions (Chapter V).
- DPDP: Transfers permitted unless restricted by government notification. No SCC-style tool exists right now.
Best Practice: DPDP DSAs should follow similar structure to SCCs, to reduce uncertainty regarding compliance with cross-border data transfers.
F. Sub-processors and Third Parties
- GDPR: The processor must give written notice in advance before engaging a sub-processor, and the sub-processor must carry the same obligations as the data processor (Art. 28(2)).
- DPDP: Requirements are unclear. Contracts should impose back-to-back obligations on sub-processors.
Risk: Unclear requirements in DPDP may lead to data misuse in outsourced models.
III. Special Considerations for Platforms, Children, and Emerging Technologies
Platforms and Intermediaries
- The GDPR does not address Platforms as that term would be defined in the DPA, but the EU Digital Services Act (DSA) clearly requires that Very Large Online Platforms moderate content, provide transparency for algorithms, and protect users' safety.
- At this moment, the DPDP does not specifically address any platform obligations. However, further revisions to the Digital India Act are predicted to include explicit provisions for platform obligations.
DSA Preparation Tip: Platforms in India should proactively address moderation, transparency, and takedown measures in DSAs.
Children’s Data
- GDPR: Flexibility in the age of consent between 13 and 16; requires parental consent and child-friendly privacy policies.
- DPDP: 18 as a baseline; requires parental consent; does not include granularity for different age bands or services.
Recommendation: DPDP DSAs should include a protocol for age verification and explore graded access or progressive consent.
Automated Decision Making and AI
- GDPR: Article 22 gives the user a right not to be subject to fully automated decisions, including profiling.
- DPDP: Silent on this area, even though our reliance on AI in the delivery of services continues to grow.
Contract Clause Tip: DSAs should mandate that platforms create boundaries with respect to profiling, algorithmic decisions, and explainability obligations.
IV. Lifecycle Governance and Exit Protocols
GDPR
- DPAs must require the return or destruction of any data when the contract has been terminated (Art. 28(3)(g)).
- DPAs should mandate support with exit audits, data transfers, and certifications.
DPDP
- Requires deletion when the purpose has been achieved or consent has been withdrawn.
- No standard procedures for transitional support.
Clause Suggestion: DPDP DSAs must have defined offboarding instructions to avoid indefinite data retention.
V. Enforcement and Remedies
Penalties
- GDPR: Fines of up to €20 million or 4% of global turnover, whichever is the greater penalty.
- DPDP: Fines of up to ₹250 crore (~€27 million) for each breach. Collected fines go to the Consolidated Fund of India.
Compensation Rights
- GDPR: Article 82 guarantees users a right to compensation from both controllers and processors.
- DPDP: No direct compensation to data principals; civil remedies may exist under tort or contract law.
Contractual Remedy Tip: Indian DSAs should build in arbitration, mediation, or compensation clauses to fill this enforcement gap.
VI. Regulatory Guidance and Framework Evolution
GDPR
- Supervisory Authorities in each Member State apply the regulations.
- Guidance from the European Data Protection Board (EDPB) and rulings from the CJEU (e.g., Schrems II, Fashion ID) influence enforcement.
DPDP
- Enforcement will be undertaken through the Data Protection Board of India.
- Final authority for rule-making and enforcement lies with the Central Government, including determining the conditions for Significant Data Fiduciaries, rules regarding breach incidents, and cross-border rules.
Risk: Because the DPDP provides no judicial oversight when it comes to state access, it may lead to state surveillance. Contracts should explicitly outline the relevant thresholds for government access and audit trails.
VII. Strategic Recommendations for Stakeholders
- For Data Fiduciaries:
  - Use SCC-style DSAs with modules for consent, breach, audit, and exit procedures.
  - Proactively prepare for platform regulation and AI governance in future laws.
- For Processors and Vendors:
  - Demand clarity on sub-processor liabilities.
  - Include audit rights and indemnities in contracts.
- For Legal Teams:
  - Harmonize DPA and DSA templates for multinational compliance.
  - Regularly update contracts based on evolving DPDP Rules and Digital India Act developments.
Beyond compliance, it’s trust that defines true data protection.
Though DPAs under the GDPR and DSAs under India's DPDP Act are both aimed at protecting user data, they differ vastly in scope, maturity, enforceability and purpose, and therefore in structure. The GDPR has a full rights-based framework with enforceable forms of recourse, while the DPDP Act is an evolving framework with pieces of promise that are not yet fully cohesive.
Organizations that have traditionally relied on contract clauses in their Data Sharing Agreements (DSAs) and Data Processing Agreements (DPAs) should set aside the notion of mere compliance and instead establish clauses that are not only strong but interoperable, whether they sit in a DPA or a DSA. An organization that achieves this not only reduces its legal risk but, more importantly, builds trust with users, the most valued currency of the digital economy.

Rakesh Singh
Author: At Dharmashastra National Law University, Rakesh is completing the final year of legal studies with a clear vision: to navigate and shape the frontiers where law meets technology. With a strong interest in Data Protection, TMT Law, IPR, and Dispute Resolution, Rakesh is passionate about finding innovative legal solutions to the challenges of our connected age.