When is a data processing agreement mandatory?

Whenever one party (a processor) processes personal data on the instructions of another (the controller), Article 28 GDPR requires a written DPA covering the listed minimum terms.

What must a DPA contain under Article 28 GDPR?

Subject matter, duration, nature and purpose of processing, type of personal data, categories of data subjects, and the obligations of the processor including security, sub-processor approval, assistance to the controller, and deletion or return of data at end of service.

Can a supplier refuse to sign a DPA?

A supplier acting as a processor is legally required to sign one. If they refuse, engaging them would put you in breach of GDPR. You should either find an alternative supplier or document why the arrangement falls outside the controller-processor relationship.

Is a standard contractual clause (SCC) the same as a DPA?

No. SCCs are the mechanism for lawful transfer of personal data outside the EEA. A DPA governs the processor relationship. Both may be needed: a DPA for the processing relationship and SCCs for the international data transfer.

Who is liable if a sub-processor causes a data breach?

The processor is fully liable to the controller as if it had caused the breach itself, unless it can show the sub-processor was at fault and it had met its own GDPR obligations. The controller remains liable to data subjects.

Data processing agreement (DPA)

A GDPR-required contract governing how a processor handles personal data for a controller.

Definizione

A data processing agreement (DPA) is the contract the GDPR requires whenever a processor handles personal data on behalf of a controller. It must set out the subject matter, duration, nature and purpose of processing, the types of data and data subjects, and the processor's obligations on security, sub-processors, and assistance. Article 28 GDPR lists the mandatory contents, and in the Netherlands the AVG and Uitvoeringswet AVG apply.

Esempio

A company using a cloud payroll provider signs a DPA setting security measures, breach-notification timelines, and limits on sub-processors.

Perché rappresenta un rischio aziendale

Operating without a DPA when one is required is itself a GDPR violation, independent of any data breach. Regulators have fined controllers for failing to have adequate processor agreements. Beyond compliance, a weak DPA may leave you without contractual recourse if your processor causes a data breach or misuses the data you entrusted to them.

Come gestirlo

Identify every supplier that processes personal data on your behalf and ensure a DPA is in place before they start processing.
Check that the DPA lists all approved sub-processors and requires the processor to notify you before adding new ones.
Include breach-notification timelines in the DPA that are shorter than your 72-hour regulatory deadline, so you have time to act.
Review DPAs periodically: processor sub-processors change, security standards evolve, and DPAs that were compliant when signed may become inadequate.

Riferimenti normativi

GDPR Art. 28 GDPR: processor obligations Diritto UE

Salvo diversa indicazione, i riferimenti riguardano il diritto olandese (Burgerlijk Wetboek, il Codice Civile olandese); gli strumenti UE come il GDPR si applicano in tutta l'UE. Si tratta di informazioni generali, non di consulenza legale. Altre giurisdizioni trattano questi concetti in modo diverso. Verifichi il testo vigente e la propria situazione con un avvocato qualificato.

Domande frequenti

Domande comuni su questo termine.