Data Processing Agreement (DPA)

IT•IP

A DPA is required under the GDPR if a service provider processes personal data on behalf of a company. The contract defines the framework conditions for data processing and protects the rights of the data subjects.

Typical cases where companies need a DPA is when outsourcing. If you use a cloud service provider or an external service for your payroll accounting, a DPA should be concluded. Conversely, if you offer your customers a service where you process personal data on their behalf, you should conclude your own DPA with your terms and conditions.