A Data Processing Agreement (DPA), often referred to as a processing contract, is a document by which a data controller authorizes another party to process personal data on its behalf. It concerns personal data collected by the controller in the course of its business activities—typically data relating to customers, employees, or business partners. Such an agreement is mandatory whenever the controller entrusts the processing of personal data to a third party, known as the processor.
Under Article 28 of the GDPR, a DPA must contain specific mandatory elements and must be concluded in writing. It can be set up either as a standalone agreement or as part of another contract. The DPA defines how and to what extent the processor may handle personal data.
The primary responsibility for the content of the DPA lies with the data controller. Since supervisory authorities may impose significant fines for breaches of GDPR obligations, properly drafting this agreement is essential. In practice, we therefore recommend including provisions on liability, contractual penalties, and procedures to follow in case of a processor’s non-compliance.
We will prepare a Data Processing Agreement tailored to your specific operations and relationships with processors. We will ensure that all mandatory elements are clearly described, that the document is written in an understandable way, and that it functions effectively in everyday practice. A well-structured DPA provides you with legal certainty that your cooperation with processors is fully compliant with the GDPR.
