Skip to main content

A Data Agreement records the conditions for an organisation to process personal data by privacy regulations (e.g. GDPR) captured in a signed receipt given to the individual. A Data Protection Impact Assessment (DPIA) may be used to populate the record to automate the record creation, increase accountability, and reduce regulatory compliance risks.

In, personal data exchanges from a Data Source to a Data Using Service are endorsed via Data Agreements. Data Agreements can be based on any lawful basis (e.g. consent, lawful purpose, contract, legal obligation, vital interests, public task and legitimate interests, etc.). For those data agreements without consent, individuals will only have limited or no rights to withdraw the consent; however, the individual can still follow what data is processed and why transparently.

Several steps are required from different actors to create the Data Agreement and the resulting receipt as proof. The receipt itself is signed (as a verifiable credential) and acts as evidence, demonstrates a higher level of accountability, and is based on standard schemas. This documentation describes the steps involved and is described as part of a Data Agreement lifecycle.

Data Agreement Lifecycle

The Data Agreement Lifecycle has 4 main phases as described below:

Data Agreement workflow

  1. Definition: An authority adapts the data agreement schema to a particular industry and/or sector-specific data usage as a template in this phase. This can then be used by any organisation (Data source or Data Using Service) for a particular data usage purpose.

  2. Preparation: In this phase, an organisation uses an existing data usage template and prepares it to be published towards the individuals. This could be based on a DPIA and could be for internal use of data or for data exchange to a Data Using Service. Once the Data Agreement is prepared, any changes identified from a subsequent DPIA shall update the Data Agreement and go through a new preparation process. When an agreement is updated or terminated, the individuals are notified, and a record is created.

  3. Negotiation/Capture: In this phase, an individual reviews the Data Agreement and, once agreed, it is captured in a Data Agreement record by the organisation and the individual is given a Data Agreement receipt as evidence of the agreement. The Data Agreement receipt can be used as proof of the data transaction that occurred. This allows an auditor to check and ensure records are in place to process the individual's personal data. When the agreement is terminated and no longer applies to an individual, a new record is created. The termination can be due to the completed service period or an individual requests to revoke the agreement. The record of the termination allows an auditor to inspect personal data that is not used. If an individual requests to be forgotten when terminating a service, it shall be clearly indicated.

  4. Proof: An organisation can demonstrate a valid Data Agreement record for performing a data exchange with an individual. This allows an auditor to check and ensure records are in place to process the individual's personal data.


A Data Protection Impact Assessment (DPIA) is a structured process where an organisation can identify and minimise the data protection risks involved in using personal data. It ensures that an organisation is compliant to data regulations, such as the GDPR. Article 35 of the GDPR requires organisations to conduct DPIAs, especially when the processing is likely to result in high risk to the rights and freedoms of natural persons in the case of extensive use of new technologies and when sensitive personal data is being processed (e.g. health-related data). Organisations can also conduct DPIAs voluntarily, even if the processing does not meet the requirement criteria set out in the GDPR.

Some EU Member State data protection authorities, such as the Finnish data protection ombudsman, have recommended using dataflow maps when conducting DPIAs. Dataflow maps visualize the flows of personal data across systems, organisations, and jurisdictions, and provide a good overview of the nature and scope of the processing and identify risks.

The outcome of a DPIA is mapped to a machine-readable Data Agreement. By integrating the DPIA into the lifecycle of the Data Agreement, an organisation can demonstrate how the privacy requirements of accountability, transparency, data sharing and retention procedures are fulfilled. If the DPIA report is part of an online tool, it is possible to continuously monitor an organisation's data flows and ensure any internal changes are reflected in the Data Agreement.

Data Agreement Lifecycle mapped to Enterprise Dashboard

These are the use cases covered by this specification. A mapping between the use cases and lifecycle phase can help map the involved actors described in the previous section.

#Lifecycle PhaseUse Case
1DefinitionImport machine-readable DPIA to pre-populate Data Agreement template.
2PreparationPrepare Data Agreement and issue it towards individuals (Organisational users).

The individuals are informed about the validity of the data agreement (E.g. revocation, expiry etc.)
3CaptureThe individual countersigns a Data Agreement and captures the Data Agreement receipt. E.g. via a digital rights management portal or using a digital wallet.

Individuals are also able to download the signed data agreement record and share it with an external auditor via an out-of-band process. This could be during a dispute, for e.g.

Individuals can also delegate the signing to another individual.
4ProofAudit of mutually signed data agreement by an external auditor.

Data Agreement Demonstration

Data Agreements are supported in all digital wallets (enterprise and individual wallets, including the SDKs), supporting the SSI workflows. The demo below showcases the Data Wallet capabilities using data agreements. Here, we combine our data exchange solution with permissions and consents - to ensure auditable and immutable personal data transactions. It shows how data agreements remove the barriers to consent-based, auditable and immutable data transactions.