UW Privacy Office

Data Processing Agreement


Data Processing Agreement

A Data Processing Agreement (DPA) helps uphold UW’s values and principles related to privacy and addresses laws and regulations that govern the protection of personal data. A DPA also establishes the purpose and parameters for data processing and clarifies roles and responsibilities between the UW and a third party (e.g. non-UW entity, sponsor, affiliate, supplier, contractor).

DPA for Controller to Processor Relationship

A DPA for UW as a Controller and third party as a Processor is required when a UW unit:

  • Makes decisions about the purpose and means for processing personal data; and
  • Engages a third party for data processing, such as sharing, storing, or providing access to personal data.

Download C-to-P DPA [docx]

DPA for Controller to Controller Relationship

A DPA for Controller to Controller relationship is required when a UW unit and the third party both make decisions about the purpose and means for processing personal data.

Pending: C-to-C DPA [docx]

The UW Privacy Office does not recommend modifying or negotiating DPA templates unless you have or engage appropriate privacy or legal expertise. The UW Privacy Office assists as described in and by way of the DPA Support Request Form below.

Standard Contractual Clauses

Standard Contractual Clauses (which may accompany a DPA) are terms and conditions that only apply to transfers of personal data from the European Economic Area and Switzerland to certain countries (such as the United States) that do not have laws that protect personal data in comparable ways. The DPA makes these Standard Contractual Clauses applicable when data processing involves such transfers. These Standard Contractual Clauses are issued by the European Commission and cannot be modified. UW units that use the Standard Contractual Clauses may only populate the highlighted placeholders.

Standard Contractual Clauses (SCC) 1.0

For agreements signed on or before September 26, 2021, the Standard Contractual Clauses 1.0 will remain in effect until December 27, 2022. Do not use the Standard Contractual Clauses 1.0 after September 27, 2021.

Download SCC 1.0 [docx]

Standard Contractual Clauses (SCC) 2.0

For agreements signed on or after September 27, 2021, the Standard Contractual Clauses 2.0 are required by the European Commission.

Download SCC 2.0 [docx]

Decision Support Tool

UW Units should download and complete this form to help determine if they need a data processing agreement and/or standard contractual clauses.

Download DPA-SCC Decision Support Tool [docx]

If your unit will be placing an order for goods or services from a third party supplier through Procurement Services, then as noted on the Procurement Services Exception Items webpage, that your UW unit is responsible for:

If a data processing agreement is required, then after the order is placed or contract signed, your UW unit is responsible for registering the third party with the UW Privacy Office’s TrustArc Privacy Management Platform as noted below.


The below self-help resources are available to educate and guide UW units. These resources may be improved and updated over time. We encourage you to come back to this webpage and use the published versions of these resources rather than saving any copies of these resources.


The DPA Checklist guides units step-by-step through the proper use of a DPA.

Download DPA Checklist [docx]


The below DPA summary helps describe at a high level the intent for and substance of each section of the DPA.

Introduction, Parties and Effective Date

Creates clarity as to the contracting parties and the role of the DPA in the larger contracting relationship.


Gives meaning to terms that help UW articulate its privacy expectations, consolidate varying definitions in applicable laws, and address an evolving privacy landscape. Key features include:

  • The kinds of events or incidents that constitute a “Data Breach”;
  • A broad definition of personal data;
  • An inclusive term that captures the variety of activities relating to or operations performed on personal data (known as “Data Processing”); and
  • An individual’s request to exercise a privacy right available under applicable law (known as “Data Request”).

Standard of Care

Articulates a third party’s accountability for quality and sufficient personal data protection practices.

Purpose and Limits of Data Processing

Establishes that personal data may only be used to fulfill the specific purpose described in the DPA; prohibits secondary use of personal data; and when appropriate establish UW’s control of lawfulness, notice, and consent determinations.

Non-Disclosure and Data Requests

Requires the third party to keep personal data confidential and to assist UW in responding to individuals who exercise legal rights relating to their personal data (such as access, correction, limitation of use, erasure, etc.)

Compliance and Data Transfers

Helps ensure that the third party is aware of and adheres to the legal and regulatory requirements that relate to University or personal data that is being processed.  Also establishes a mechanism for cross-border data transfers from the European Economic area and/or Switzerland to the United States.

Safeguarding Data

Requires a third party to implement appropriate administrative, technical, and physical security measures to protect personal data.

Data Breach Response

Articulates how a third party should respond if it experiences a data breach. Also enables UW to determine how to best manage its compliance obligations and its communications with and/or support to individuals who entrusted UW with their personal data.

Disposition of Personal Data Upon Termination or Fulfillment of Purpose

Enables UW to determine what happens to personal data when it is no longer needed for data processing described in the DPA or when the underlying agreement (ex. a service contract) comes to an end.

General Terms

Creates contractual mechanisms to maintain the integrity of the DPA and clarify aspects of its use.

Description of Data Processing Exhibit

Requires the parties to the DPA to articulate certain details such as why personal data is included in data processing; what data processing activities will take place; and what specific personal data will undergo data processing.

Third Party Data Processing Assessment

The Privacy Impact Assessment for DPA Modifications helps UW units make informed decisions about a third party’s proposed modifications to a DPA by documenting and assessing if and how the modifications:

  • Impact individuals’ privacy; and/or
  • Introduce risk for UW

Download PIA for DPA Modifications [docx]

Glossary of Privacy Terms

The UW Privacy Office Glossary of Privacy Terms introduces and defines terms used throughout this and other areas of the website. Review the Glossary of Privacy Terms webpage here.

Online Training

View the training videos below to determine whether a DPA for a Controller to Processor relationship is required, understand how to complete a DPA and make use of self-help resources, and, if needed, get help from the UW Privacy Office. All videos offer closed captioning.

Note: the DPA for a Controller to Processor relationship was previously the Personal Data Processing Agreement (PDPA). Any reference or use of the term “PDPA” in the training videos should be considered DPA.

Part 1: Do I Need a PDPA? (4:03 minutes)

Part 2: I Need a PDPA – Now What? (3:06 minutes)

Part 3: I Need Help with a PDPA (1:33 minutes)

Part 4: Third-Party Data Processing (11:08 minutes)

Video version with closed captioning is underway. UWNetID required to view.
Third Party Data Processing Intro Screen

Third-Party Data Processing Info Session


The Privacy FAQs webpage includes answers to frequently-asked-questions (FAQs) about DPAs.

Support Request

The DPA Support Request Form is for UW units to seek assistance from the UW Privacy Office in connection with:

  • Understanding and using the DPA resources;
  • Populating placeholders in the DPA or the Description of Data Processing Exhibit; or
  • Assessing a contractor’s proposed modifications when the contractor’s anticipated data processing involves two of the following:
    • + Special categories (such as information relating to minors, older adults or seniors, criminal offenses, citizenship and/or immigration status, race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data used to identify a natural person, health, sex life, or sexual orientation);
    • + Personal data contained in or relating to approximately 30,000 or more records or individuals, respectively, over the lifetime of the data processing; or
    • + Data processing that individuals would consider intrusive or would not have reasonably expected at the time they first entrusted their personal data to the UW.

Request Form

Request assistance from the UW Privacy Office through the DPA Support Request Form. [UWNetID required]

DPA Support Request Form

Data Processing Registry

UW units that engage a third party in data processing must register the activity in the TrustArc Privacy Management Platform.