DPA
What is DPA?
A Data Processing Agreement is the binding contract required by GDPR Article 28 between a data controller and a processor when personal data is processed on the controller's behalf.
A Data Processing Agreement (DPA) is the written contract required by Article 28 of the EU General Data Protection Regulation (Regulation 2016/679) whenever a controller engages a processor to handle personal data on its behalf. It must specify the subject-matter, duration, nature and purpose of the processing, the categories of data and data subjects, and the controller's instructions. The DPA must impose obligations to process only on documented instructions, ensure confidentiality, implement appropriate security measures (Art. 32), assist with data-subject rights and breach notification, allow audits, address sub-processor engagement, and govern return or deletion of data at the end of services. Similar duties exist under the UK GDPR and many non-EU laws (LGPD, CPRA, PIPEDA).
● Examples
- A controller signing a DPA with a cloud provider before storing customer data on its infrastructure.
- A SaaS vendor publishing a standard DPA template referencing the 2021 EU Standard Contractual Clauses for international transfers.
● Frequently asked questions
What is DPA?
A Data Processing Agreement is the binding contract required by GDPR Article 28 between a data controller and processor when personal data is processed on the controller's behalf. It belongs to the Compliance & Frameworks category of cybersecurity.
How do you defend against DPA?
Defences for DPA typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for DPA?
Common alternative names include: Data Processing Addendum, Article 28 Contract, Processing Agreement.
● Related terms
- GDPR (compliance): The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
- SCC (compliance): Standard Contractual Clauses are EU Commission-approved model contracts that provide GDPR-compliant safeguards for transfers of personal data outside the EEA.
- DPF (compliance): EU-US Data Privacy Framework, the July 2023 adequacy mechanism that replaces Privacy Shield for transatlantic transfers of personal data.
- Privacy by Design (privacy): An engineering and governance approach that embeds privacy considerations into systems, processes, and defaults from the earliest design stages rather than bolting them on later.
● See also
- CPRA