Data Processing Agreement (DPA)
Also known as: DPA, Article 28 agreement, Processor agreement
A Data Processing Agreement is the contract required by GDPR Article 28 whenever a controller engages a processor to process personal data on its behalf. It must set out the subject matter, duration, nature and purpose of processing, categories of data, controller obligations, and the processor’s commitments on security, confidentiality, sub-processors, and assistance.
What the DPA must contain
Processor obligations: process personal data only on documented controller instructions, keep personnel under confidentiality, implement appropriate security measures, engage sub-processors only with controller authorisation, assist the controller with data subject requests and breach response, delete or return personal data at the end of the engagement, and make available all information necessary to demonstrate compliance and submit to audits.
For international engagements, the DPA also incorporates Standard Contractual Clauses (SCCs) where personal data is transferred outside the EEA without an adequacy decision in place.
Sub-processor mechanics
The DPA must specify whether the controller gives general or specific authorisation for sub-processors. General authorisation requires the processor to notify the controller of any intended additions or changes, giving the controller the opportunity to object. Specific authorisation requires explicit consent for each sub-processor.
Most B2B SaaS DPAs operate on general authorisation, with a maintained sub-processor list and a notice period (commonly 30 days) before any change becomes effective. The list is what enterprise procurement asks for first.
DPA vs Privacy Notice
A DPA is between the controller and the processor. A Privacy Notice is between the controller and the data subject. The two have different audiences and are different artefacts, yet they are frequently confused. Adding the DPA text to a Privacy Notice is a category error that satisfies neither obligation.