DPA

⚡tl;dr a dpa governs the relationship between the controller and the processor under the gdpr, a dpa is required with each processor under the fadp, a contractual clause is sufficient generate a free dpa on our website book a free call with us what is it? a data processing agreement (dpa) is an agreement between the controller and the processor regarding the data processing that is delegated by the controller to the processor what does it include? it includes the purposes of the data processing, the duration of the processing, the categories of personal data processed, the categories of data subjects, and whether or not sub processing is authorized in a dpa, the processor also agrees to process data only on written instructions from the controller, to implement appropriate technical and organizational measures, and to notify the controller within a given deadline (usually 24 hours) in case of data breaches docid\ z86rgivhiur7udpxzeqlu the dpa might refer to an underlying contractual relationship (e g , the agreement between the company and the hosting provider, who is a processor) when do i need a dpa? under the gdpr , data controllers must sign a dpa with every third party who acts as a processor on their behalf not complying with this obligation can lead to gdpr fines when having a dpa as a data processor, make sure to review the technical, organizational measures ( toms ) and ensure that they are in line with your practices as a process under the fadp , a formal separate dpa is not required however, the controller must still have a sufficient contractual clause related to the data processed by the processor this could be part of the underlying agreement between the companies best practices gdpr third party processing if third parties process personal data on behalf of the company and gdpr applies, a dpa is concluded with each third party a standard dpa can be generated here fapd third party processing if third parties process personal data on behalf of the company and fadp applies, the standard fadp clause below is implemented in all contracts abc (processor) processes personal data of xyz (controller) exclusively in accordance with the instructions by the controller and insofar as this is necessary for the fulfillment of his contractual obligations the processor shall implement appropriate technical and organizational measures to ensure the security of the personal data the processor shall not subcontract any of its processing activities carried out on behalf of the controller under this agreement to a sub processor without prior consent breaches of the security of personal data shall be reported by the processor as soon as possible to the controller, within 24 hours at the latest what if one of the parties is abroad? if one of the parties is located in a third country (i e , outside of eu, eea, and switzerland), you must comply with the requirements for third countries transfers if the country is recognized by the eu commission or the federal council , no additional measures must be taken if needed, the most common way to comply is to include the eu commission standard contractual clauses (scc) as an annex to your agreement best practices it is clear where personal data is actually processed and, if outside of the eu/ch, adequate measures are taken what about joint controllership? if you're processing personal data as a joint controller under the gdpr, all joint controllers must define their responsibilities, especially with regard to which controller is responsible for dealing with the data subjects' rights, and to determine which toms should be implemented by all joint controllers this can be made in a separate contract or in an existing one how do i get this done? check out our free dpa generator here book a free call here if you have any questions