DPIA vs DPA: the GDPR documents that are not the same thing
A DPA is a contract between a controller and a processor (Article 28). A DPIA is an internal assessment of a high-risk processing activity (Article 35). Different artefacts, different obligations, frequently confused in procurement.
The DPA: a contract
A Data Processing Agreement is the contract (or other legal act under Union or Member State law, Article 28(3)) between a controller and a processor. GDPR Article 28 requires one whenever a controller engages a processor to process personal data on its behalf. It binds the processor to act only on the controller's documented instructions, to implement appropriate security measures, to engage sub-processors only with the controller's authorisation and under equivalent terms (Article 28(4)), and to assist the controller with data subject requests, security, breach notification and DPIAs (Article 28(3)(e) and (f)). Without a DPA in place, neither party is in compliance: the controller has engaged a processor without the required contract, and the processor is processing without documented instructions.
The DPIA: an assessment
A Data Protection Impact Assessment is an internal risk assessment owned by the controller. Article 35 requires the controller to carry one out before starting any processing that is "likely to result in a high risk to the rights and freedoms of natural persons", in particular where new technologies are used. Article 35(3) names three cases that always qualify: systematic and extensive evaluation of personal aspects by automated means, including profiling, where it produces legal or similarly significant effects; large-scale processing of special categories of data or of data on criminal convictions; and systematic monitoring of a publicly accessible area on a large scale. The assessment must describe the processing and its purposes, assess necessity and proportionality, assess the risks to data subjects, and record the measures chosen to address them (Article 35(7)). If a high risk remains after those measures, the controller must consult the supervisory authority before processing begins (Article 36).
Each supervisory authority must publish a list of processing operations that require a DPIA (Article 35(4)) and may publish a list of those that do not (Article 35(5)). The general criteria come from the Article 29 Working Party's Guidelines on Data Protection Impact Assessment (WP 248 rev.01), which the European Data Protection Board has endorsed. As a rule of thumb, processing that meets two or more of its nine criteria (evaluation or scoring, automated decisions with legal or similar effect, systematic monitoring, sensitive or highly personal data, large scale, matching or combining datasets, vulnerable data subjects, innovative use of technology, and preventing data subjects from exercising a right or using a service) calls for a DPIA.
Why these get confused in procurement
When an enterprise buyer asks a vendor for "your DPIA," they almost always mean "your DPA". The acronyms sound alike, and procurement teams often inherit the request from a checklist. Where the buyer is the controller and the vendor is its processor, the DPIA is the buyer's own obligation on the buyer's own processing; it is not something the vendor produces. What the buyer can legitimately ask of the vendor is the Article 28(3)(f) assistance: the information needed to complete the buyer's DPIA, such as the nature of the processing, the security measures, the sub-processors and any international transfers. The exception is processing for which the vendor is a controller in its own right (its own product analytics, for example); a DPIA of that processing is the vendor's to run, and the buyer may reasonably ask to see it or a summary of it.
When in doubt, ask: which artefact do you actually need? If the answer is "the contract between us governing the processing of our customers' personal data," that is the DPA. If the answer is "your internal risk assessment of high-risk processing activities," that is the DPIA, and the next question is whose processing it covers.
Quick reference
- DPA. Contract (or other legal act). Article 28. Between controller and processor, and flowed down to sub-processors (Article 28(4)). Required whenever a processor is engaged.
- DPIA. Assessment. Article 35. Internal document of the controller. Required before high-risk processing; reviewed when the risk changes (Article 35(11)); followed by prior consultation with the supervisory authority if a high residual risk remains (Article 36).
- DPA is signed by both parties; DPIA is documented by the controller and retained as evidence of accountability.
- A processor sees the DPA it has signed. A processor is not a party to the controller's DPIA on the controller's own processing, though it must assist with it on request (Article 28(3)(f)) and may be shown the parts that describe its own role.