← Full glossary
Data processing agreement (DPA)
The written agreement that Article 28 of the GDPR requires between a controller and a processor. It must define the subject matter and duration of the processing, the types of data, the processor's obligations, security requirements, rules for sub-processors, and assistance with data breaches and access requests. Without a valid DPA it is unlawful to let a vendor process personal data on the company's behalf. The Danish Data Protection Agency has published a standard template that many SMEs use as a starting point.
Related module