What is DPA?



One of the changes introduced by the European General Data Protection Regulations (GDPR) in 2018 is the DPA.

DPA, short for data processing agreement, is a legal document between a data controller and a data processor. If you wish to transfer your data to a third-party processor, you need to sign a DPA with that third party.

But what, exactly, does a DPA entail? What is DPA?


GDPR and data terminology

Data is a valuable commodity, and it needs protecting. When it comes to handling the personal data of EU citizens, that protection must comply with GDPR.

GDPR outlines measures that data controllers must follow to ensure the protection of EU consumer personal data. And part of this is ensuring that third party processors of such data are also compliant.

More specifically, in terms of the ‘what is DPA’ question, there are two key terms to understand: data controller, and data processor.

  • Data controller

The person or company that determines the conditions, purpose, and means of the data processing.

  • Data processor

The person or company that processes the data on behalf of the controller.


DPA – data processing agreement

GDPR allows a third party — outside of the EU — to complete the processing of the personal data of EU citizens. Provided, that is, the parties in question sign an agreement that regulates the processing.

Enter the data processing agreement. A DPA is a legal document that can be signed either in written form or electronically.

The purpose of a DPA is to outline the terms and conditions that apply to the processing of an EU citizen’s personal data. It ensures all data handlers operate within the General Data Protection Regulations. So, the scope and purpose of the data remain regulated, and the relationship between the data controller and the data processor is outlined and clear.


What should a DPA include?

What is a DPA but a guarantee that all companies involved are doing all they can to ensure the safety of data?

So, a DPA must have sufficient guarantees around the protection of the data shared with a data processor.

This includes outlining exactly what purpose the data is for. The DPA also needs to highlight acceptable use of the data — and make sure that the data is handled in accordance with your contract.

This means that the DPA should outline:

  • The subject matter
  • The duration of the processing
  • The nature and purpose of the processing
  • The legal basis of the processing
  • The rights and responsibilities of the controller and the processor

What happens if you don’t sign a DPA?

Processing personal data — and exchanging it with other businesses — is often a core part of many company’s offerings.

If you don’t sign a DPA and the third-party data processor mishandles the EU citizen’s data, you could be held liable. With a DPA, on the other hand, you have evidence that you’ve taken all necessary steps to ensure data protection and compliance.

The cost of liability not only covers any potential financial recompense you must pay, but also the trust of your customers. (That is, those providing their personal data.)


What is DPA?

To sum up, DPA, or data processing agreement, is an important legal document geared towards keeping data safe while it’s being processed.

With the ever-enhanced awareness around data security and the variety of legislation on the matter, it’s important to protect your data and your company.

So, a DPA is a necessity whenever you outsource your data processing to a third party.


Useful links

The data lifecycle: explained

Is data a liability?

The history of data


Download