DPA
⚡ TL;DR

A DPA governs the relationship between the controller and the processor.
Under the GDPR, a DPA is required with each processor.
Under the FADP, a contractual clause is sufficient.
Generate a free https://bridge.lexr.com/run/dpa/#/10 on our website.
Book a https://www.lexr.com/en-ch/ with us.

What is it?

A data processing agreement (DPA) is an agreement between the controller and the processor regarding the data processing that is delegated by the controller to the processor.

What does it include?

It includes the purposes of the data processing, the duration of the processing, the categories of personal data processed, the categories of data subjects, and whether or not sub-processing is authorized.

In a DPA, the processor also agrees to process data only on written instructions from the controller, to implement appropriate technical and organizational measures, and to notify the controller within a given deadline (usually 24 hours) in case of docid\ z86rgivhiur7udpxzeqlu

The DPA might refer to an underlying contractual relationship (e.g., the agreement between the company and the hosting provider, who is a processor).

When do I need a DPA?
Under the GDPR, data controllers must sign a DPA with every third party who acts as a processor on their behalf. Not complying with this obligation can lead to GDPR fines. When having a DPA as a data processor, make sure to review the technical and organizational measures (TOMs) and ensure that they are in line with your practices as a processor.

Under the FADP, a formal separate DPA is not required. However, the controller must still have a sufficient contractual clause related to the data processed by the processor. This could be part of the underlying agreement between the companies.

Best practices

GDPR third-party processing: If third parties process personal data on behalf of the company and GDPR applies, a DPA is concluded with each third party. A standard DPA can be generated at https://bridge.lexr.com/run/dpa/#/1

FADP third-party processing: If third parties process personal data on behalf of the company and FADP applies, the standard FADP clause below is implemented in all contracts.

ABC (processor) processes personal data of XYZ (controller) exclusively in accordance with the instructions by the controller and insofar as this is necessary for the fulfillment of his contractual obligations. The processor shall implement appropriate technical and organizational measures to ensure the security of the personal data. The processor shall not subcontract any of its processing activities carried out on behalf of the controller under this agreement to a sub-processor without prior consent. Breaches of the security of personal data shall be reported by the processor as soon as possible to the controller, within 24 hours at the latest.

What if one of the parties is abroad?
If one of the parties is located in a third country (i.e., outside of the EU, EEA, and Switzerland), you must comply with the requirements for third-country transfers. If the country is recognized by the https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en or the https://www.edoeb.admin.ch/edoeb/en/home/datenschutz/arbeit_wirtschaft/datenuebermittlung_ausland.html , no additional measures need to be taken. If needed, the most common way to comply is to include the https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj as an annex to your agreement.

Best practices

It is clear where personal data is actually processed and, if outside of the EU/CH, adequate measures are taken.

What about joint controllership?

If you're processing personal data as a joint controller under the GDPR, all joint controllers must define their responsibilities, especially with regard to which controller is responsible for dealing with the data subjects' rights, and determine which TOMs should be implemented by all joint controllers. This can be done in a separate contract or in an existing one.

How do I get this done?

Check out our free DPA generator: https://bridge.lexr.com/run/dpa/#/1
Book a free call: https://www.lexr.com/en-ch/generators/ if you have any questions.