When is a data processing agreement mandatory?

Whenever one party (a processor) processes personal data on the instructions of another (the controller), Article 28 GDPR requires a written DPA covering the listed minimum terms.

What must a DPA contain under Article 28 GDPR?

Subject matter, duration, nature and purpose of processing, type of personal data, categories of data subjects, and the obligations of the processor including security, sub-processor approval, assistance to the controller, and deletion or return of data at end of service.

Can a supplier refuse to sign a DPA?

A supplier acting as a processor is legally required to sign one. If they refuse, engaging them would put you in breach of GDPR. You should either find an alternative supplier or document why the arrangement falls outside the controller-processor relationship.

Is a standard contractual clause (SCC) the same as a DPA?

No. SCCs are the mechanism for lawful transfer of personal data outside the EEA. A DPA governs the processor relationship. Both may be needed: a DPA for the processing relationship and SCCs for the international data transfer.

Who is liable if a sub-processor causes a data breach?

The processor is fully liable to the controller as if it had caused the breach itself, unless it can show the sub-processor was at fault and it had met its own GDPR obligations. The controller remains liable to data subjects.

Data processing agreement (DPA)

A GDPR-required contract governing how a processor handles personal data for a controller.

Definición

A data processing agreement (DPA) is the contract the GDPR requires whenever a processor handles personal data on behalf of a controller. It must set out the subject matter, duration, nature and purpose of processing, the types of data and data subjects, and the processor's obligations on security, sub-processors, and assistance. Article 28 GDPR lists the mandatory contents, and in the Netherlands the AVG and Uitvoeringswet AVG apply.

Ejemplo

A company using a cloud payroll provider signs a DPA setting security measures, breach-notification timelines, and limits on sub-processors.

Por qué es un riesgo para la empresa

Operating without a DPA when one is required is itself a GDPR violation, independent of any data breach. Regulators have fined controllers for failing to have adequate processor agreements. Beyond compliance, a weak DPA may leave you without contractual recourse if your processor causes a data breach or misuses the data you entrusted to them.

Cómo gestionarlo

Identify every supplier that processes personal data on your behalf and ensure a DPA is in place before they start processing.
Check that the DPA lists all approved sub-processors and requires the processor to notify you before adding new ones.
Include breach-notification timelines in the DPA that are shorter than your 72-hour regulatory deadline, so you have time to act.
Review DPAs periodically: processor sub-processors change, security standards evolve, and DPAs that were compliant when signed may become inadequate.

Referencias legales

GDPR Art. 28 GDPR: processor obligations Derecho de la UE

Salvo indicación en contrario, las referencias remiten al derecho neerlandés (Burgerlijk Wetboek, el Código Civil neerlandés); los instrumentos de la UE como el RGPD se aplican en toda la UE. Se trata de información general, no de asesoramiento legal. Otras jurisdicciones tratan estos conceptos de forma distinta. Verifique el texto vigente y su situación con un abogado cualificado.

Preguntas frecuentes

Preguntas comunes sobre este término.