Data Processing Agreement (DPA)
A Data Processing Agreement (DPA) is a confidentiality agreement between a data controller and a data processor.
- Example(s):
- Counter-Example(s):
- See: Cloud Services Agreement.
References
2023
- GBard
- A data processing agreement (DPA) is a legally binding contract between a data controller and a data processor. It sets out the rights and obligations of each party with respect to the processing of personal data.
A data controller is the entity that determines the purposes and means of processing personal data. A data processor is an entity that processes personal data on behalf of a data controller.
DPAs are required by law in many jurisdictions, including the European Union under the General Data Protection Regulation (GDPR). They are also a good business practice, as they help to protect both the data controller and the data processor from legal liability.
- A DPA should typically include the following provisions:
- The scope of the processing: What types of personal data will be processed? For what purposes?
- The security measures that will be implemented to protect the personal data
- The rights of the data controller and the data processor, including the right to audit the processing and to have the personal data deleted
- The process for handling data breaches