A Data Processing Agreement (or ‘DPA’) is an agreement which sets out the terms on which one party (the ‘processor’) processes personal data provided or made available to it by another party (the ‘controller’).
Examples of data processing include arrangements where an organisation provides details of its employees and their remuneration packages to a payroll services provider, or provides lists of its clients’ and stakeholders’ email addresses to an email marketing platform, or uploads its business data to a hosted data storage provider.
Quite apart from being commercially sensible, a DPA is a legal requirement: Art 28(3) of the GDPR (now incorporated into UK law, as amended) requires the controller and processor to enter into a contract (the DPA) which sets out:
- the subject-matter and duration of the processing
- the nature and purpose of the processing
- the type of personal data and categories of data subjects
- the obligations and rights of the controller
and which also imposes on the processor the specific obligations listed in paragraphs (a) to (h) of Art 28(3).
If a processor then engages its own processor (a ‘sub-processor’), Art 28(4) of the GDPR requires the processor to enter into a DPA with the sub-processor which imposes on the sub-processor the same data protection obligations as are set out in the DPA entered into under Art 28(3). Two further points follow from Art 28: the processor may only engage a sub-processor with the controller’s prior written authorisation (Art 28(2)), and if the sub-processor fails to meet its obligations, the original processor remains fully liable to the controller for the sub-processor’s performance (Art 28(4)). Note that the parties to the sub-processing DPA, although technically both processors, are normally still referred to as ‘controller’ and ‘processor’ in that DPA.