Data Processing Agreement (DPA)

A data processing agreement (“DPA”) needs to be in place when a data controller engages a data processor. The DPA sets out the relationship between the two parties and the data being processed. 

Reading time: 1,5 minutes.

Data processing agreement (DPA) introduction

Data controllers have to make sure that the processor is transparent with them. If they don’t, they can’t be sure they are GDPR compliant. Data processors, in turn, must make sure that data controllers can allow them to process data. The parties have a shared responsibility for the data, which means that the DPA is very important. The DPA should contain rules regarding how the processor should act when processing personal data.
Data controllers should make sure that personal data is processed and collected legally.

Contents of the DPA

The data processing agreement should incorporate a large number of provisions. Below are some of the key provisions that a DPA should contain:

• provisions stating that the processor may only process personal data when it is necessary;
• guarantees that the instructions from the controller are correct and lawful;
• provisions regarding how the processor may process data,
• audit rights for the controller and the processor;
• how to handle a personal data breach;
• both parties’ duties in relation to the supervisory authority;
• confidentiality;
• potential compensation for breach of contract.

There is more to consider when drafting your DPAs. The information presented above is a list of the minimum requirements. Another thing that affects the DPA is the relationship between the parties. The sensitivity of personal data being processed is another factor.

Before drafting the DPA, we recommend that you consider what data is to going to be shared with the processor. You should also consider how the processor may use the personal data. We further recommend that you consult legal professionals to review your DPAs.