Under the General Data Protection Regulation (GDPR), organizations that process personal data on behalf of others must establish Data Processing Agreements (DPAs). Article 28 mandates specific contractual provisions between data controllers and data processors.
Required DPA Elements
A compliant DPA must include:
- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data and categories of data subjects
- Obligations and rights of the controller
- Technical and organizational security measures
- Sub-processor engagement terms and approval process
- Data deletion or return upon contract termination
- Audit rights for the controller
Common Pitfalls
- Failing to update DPAs when processing activities change
- Not maintaining a register of sub-processors
- Inadequate breach notification clauses (the processor must notify the controller promptly enough for the controller to meet its 72-hour notification deadline)
- Missing international transfer mechanisms (standard contractual clauses (SCCs), adequacy decisions)
Best Practices
- Review and update DPAs annually
- Implement a sub-processor management program
- Include clear data retention and deletion schedules
- Ensure DPA terms flow down to sub-processors