
DPA (Data Processing Agreement)

A legally binding contract between a data controller and a data processor that governs how personal data is processed.

A Data Processing Agreement is a contract required by GDPR (Article 28) whenever a data controller engages a data processor to handle personal data on their behalf. The DPA must specify the subject matter and duration of processing, the nature and purpose of processing, the types of personal data involved, the categories of data subjects, and the obligations and rights of the controller. It must also include provisions for security measures, sub-processing, data subject rights, data breach notification, data deletion/return, and audit rights. A DPA is essential for compliance with GDPR and similar regulations, and organizations should have DPAs in place with all vendors that process personal data.
