Data Processing Agreement (DPA)
Definition
A legally binding contract between a data controller and a data processor that governs how the processor handles personal data on the controller's behalf. GDPR Article 28 requires written contracts addressing specific elements:

- Processing scope and purpose
- Data types and categories of data subjects
- Controller's obligations and rights
- Processor's obligations, including following controller instructions
- Security measures
- Sub-processor approval and contracts
- Data breach notification
- Assistance with data subject requests and compliance obligations
- Data deletion or return after services end
- Audit and inspection rights
- Confidentiality requirements

DPAs protect controllers by ensuring processors handle data appropriately, provide clarity about responsibilities and liabilities, establish accountability mechanisms, and facilitate compliance with privacy laws. Standard DPA templates exist, but they should be tailored to the specific processing activities. Organizations should maintain executed DPAs with all vendors processing personal data on their behalf.
Applicable Laws & Regulations
- GDPR Article 28 - Processor contract requirements
- GDPR Article 28(3) - Mandatory DPA elements
- Various privacy laws requiring processor contracts