Data Processing Agreement Under GDPR

A data processing agreement under GDPR explains how a controller and processor will handle personal data, what safeguards apply, and why every SaaS or cloud vendor relationship needs one.

A DPA is a legally binding contract between a data controller (the organization that determines why and how data is processed) and a data processor (the third party that processes data on the controller's behalf). Common processor relationships include cloud hosting providers, email services, analytics tools, and payment processors.

Key Requirements

DPAs must specify the subject matter and duration of processing, the nature and purpose of processing, the types of personal data involved, and the categories of data subjects. They must also include binding obligations on the processor: processing data only on documented instructions from the controller, ensuring staff confidentiality, implementing appropriate security measures, assisting with data subject requests, deleting or returning data upon contract termination, and allowing audits.

Sub-Processors

When a processor engages another processor (a sub-processor), the original processor must obtain authorization from the controller. The DPA should address sub-processor management, including notification requirements and liability.

Practical Implications

Many businesses underestimate their DPA obligations. Every SaaS tool, cloud service, or third-party integration that accesses personal data requires a DPA. Organizations should audit their vendor relationships, ensure DPAs are in place for all processors, and regularly review these agreements to ensure they reflect actual data processing practices.

Failure to maintain proper DPAs can result in GDPR fines and leaves organizations exposed if a processor causes a data breach.