Data Processing Agreement (DPA)

Feb 22, 20222 min read

Most organizations, be it businesses, associations, corporations, or institutions, cannot handle all their processing of personal data fully in-house. Even seemingly trivial tasks like simply storing their data or hosting their website, are outsourced to specialized third parties and often take place in the cloud. Those third parties thus process personal data on another organization's behalf, they are "Processors" in GDPR-terminology, while the outsourcing party is called the "Controller" as, at least in theory, it controls what the processor is doing.

To exercise such control, both parties need to be bound by a Data Processing Agreement (short: DPA) stipulating the details of the processing and the respective rights and obligations. The details such DPA and its minimum contents are set forth in Art. 23 Sec. 3 GDPR.

The core contents of a Data Processing Agreement are:

One important thing to note is that data protection must not just happen on paper but in reality. It is therefore important to not just sign a DPA but rather execute it like any other important business agreement.