DPA (Data Processing Agreement)
Mandatory contract under Article 28 GDPR whenever personal data is processed on behalf of a controller
TL;DR
A Data Processing Agreement (DPA) is the contract required under Article 28(3) GDPR whenever a controller has personal data processed on its behalf by a service provider (the processor). It must set out the subject matter and duration of the processing, its nature and purpose, the categories of data and data subjects, and the obligations and rights of the controller, and it must contain the eight mandatory clauses of Article 28(3)(a) to (h), including confidentiality, the conditions for engaging sub-processors, assistance with data subject rights, and the technical and organisational measures (TOMs).
What is a DPA (Data Processing Agreement)?
A DPA is mandatory under Article 28(3) GDPR for every instance of processing on behalf of a controller. Such processing exists whenever an external service provider processes personal data on the controller's documented instructions; typical examples are IT hosting, cloud services, newsletter distribution and external payroll. Note that not every service provider is a processor: the 2024 clarification by BayLDA established that tax advisors are not processors but independent controllers, so no DPA is required with them.
Practical example
A 30-employee mechanical engineering company concludes DPAs with:
- Microsoft (M365 hosting)
- Mailchimp (newsletter; third-country transfer safeguard: EU-US Data Privacy Framework, DPF)
- HubSpot (CRM)
- External payroll accountant (only if classified as a processor rather than an independent controller)
- IT systems integrator (maintenance with access to personal data)