Data processing agreement (DPA)
A GDPR-required contract governing how a processor handles personal data for a controller.
Definition
A data processing agreement (DPA) is the contract the GDPR requires whenever a processor handles personal data on behalf of a controller. It must set out the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects, and the processor's obligations on security, sub-processors, and assistance to the controller. Article 28 GDPR lists the mandatory contents; in the Netherlands the GDPR is known as the AVG and is supplemented by the Uitvoeringswet AVG (the Dutch implementing act).
Example
A company using a cloud payroll provider signs a DPA setting security measures, breach-notification timelines, and limits on sub-processors.
Why this is a business risk
Operating without a DPA when one is required is itself a GDPR violation, independent of any data breach. Regulators have fined controllers for failing to have adequate processor agreements. Beyond compliance, a weak DPA may leave you without contractual recourse if your processor causes a data breach or misuses the data you entrusted to them.
How to manage it
- Identify every supplier that processes personal data on your behalf and ensure a DPA is in place before they start processing.
- Check that the DPA lists all approved sub-processors and requires the processor to notify you before adding new ones.
- Set the processor's breach-notification deadline in the DPA shorter than the 72 hours you have to notify the regulator, so you have time to assess the incident and report it.
- Review DPAs periodically: processor sub-processors change, security standards evolve, and DPAs that were compliant when signed may become inadequate.
Legal references
Unless marked otherwise, references are to Dutch law (Burgerlijk Wetboek, the Dutch Civil Code); EU instruments such as the GDPR apply across the EU. This is general information, not legal advice. Other jurisdictions treat these concepts differently. Verify the current text and your situation with a qualified lawyer.