The Data Processing Agreement, or DPA for short, is a legally binding contract between a business and a third party data processor, meant to regulate data privacy in regards to GDPR compliance.
What is the Data Processing Agreement (DPA)?
Any business that has an online presence relies on third parties to function properly. Those third parties can be anything from an email provider to a website analytics tool or a chat tool, etc; basically, any tool that processes the user’s personal data.
A Data Processing Agreement needs to be signed between that business (Controller) and each third party (Processor) making sure that the data is stored properly and is not being misused, sold, or vulnerable to attacks. This is one of the most basic steps toward being GDPR compliant.
The majority of these third-party tools make DPAs available on their websites to be downloaded and signed. For example here is the Visitor Analytics DPA: https://www.visitor-analytics.io/en/support/legal-data-privacy-certificates/standard-integration/data-processing-agreement-cookie-information/. The signed DPA can usually also be requested via email.
In case you need to create your own data processing agreement, the official template can be downloaded from https://gdpr.eu/data-processing-agreement/. Any organizations may use this document in order to be GDPR compliant and to avoid expensive fines.
The Data Processing Agreement applies to businesses that store and/or process data from the European Union and addresses the following issues in regards to the Processor:
- adequate information security must be in place;
- no sub Processors are allowed to use the data without the consent of the Controller;
- cooperation with the Data Protection Authorities must be provided when necessary;
- data breaches must be reported immediately to the Controller;
- records of all processing activities must be kept;
- compliance with EU data transfer rules ;
- assistance for the Controller when managing possible data breaches.
More elaborated information regarding this can be found here: https://gdpr.eu/article-28-processor/.