For configuring your DPA, you’ll need to understand the terms processing, controller, processor, and subprocessor.

“Processing” of data refers to the handling of data in some way, e.g., collecting, organizing, transferring, etc.

Generally speaking, a data controller decides and is responsible for how and why certain personal data is processed. The data processor handles the data on the controller’s behalf, based on directions from the controller.

For example, a social media company might be the controller of the personal data in its users’ accounts, while a cloud hosting provider that the social media company uses to store that data would be a processor of the data. Controllers usually work with multiple processors to perform different services regarding the data.

In most situations, vendors act as data processors. When a data processor in turn uses its own vendor to help process the personal data, that secondary processor is considered a subprocessor. DPAs typically include an authorization for the subprocessors that the data processor wants to work. You can think about processors and subprocessors the way you might think about a contractor hiring subcontractors to perform some of the services the contractor is required to perform under a contract.

Controllers, processors, and subprocessors are all considered to be “processing” personal data.

The Common Paper DPA supports two kinds of data processing relationships: Controller to Processor and Processor to Subprocessor. In each case, the former is assumed to be the customer, and the latter is assumed to be the provider of services. The customer can identify their role as either a “Controller” or “Processor” in the Data Exporter field on the Cover Page. The DPA refers to the provider’s data processing obligations, whether as a “Processor” or “Subprocessor”, through the defined term “Provider” in the DPA Standard Terms.