What should a data processing agreement cover when data is transferred across borders?

When data is moving across borders, the agreement must specify who is responsible for the data, what processing will be done, where the data will be located or processed, and how transfers are legally safeguarded. Defining roles clarifies accountability and which party must meet obligations for data protection. Outlining the processing activities sets the scope of what is being done with the data, so both sides know their duties and the data subjects’ rights can be upheld. Identifying data locations helps assess applicable laws and risk, since different jurisdictions have different requirements and protections. Detailing transfer mechanisms (such as standard contractual clauses or other recognized safeguards) ensures that international transfers remain lawful and that data subjects retain protections even when data crosses borders. In contrast, items like marketing preferences, employee training schedules, or payment terms do not address the safeguards and accountability required for cross-border data transfers, so they aren’t the primary focus of a data processing agreement in this context.