Data Processing Agreement (DPA)
A legally binding contract between a data controller and a data processor that governs how personal data is handled.
A Data Processing Agreement (DPA) is a contract required under GDPR Article 28 whenever a business (the data controller) shares personal data with a third-party vendor (the data processor). It defines the scope, purpose, duration, and nature of the data processing activity.
A DPA must specify what categories of personal data are processed, the rights and obligations of both parties, security measures in place, and subprocessor restrictions. Without a valid DPA, transferring personal data to processors like cloud providers, analytics tools, or email platforms constitutes a GDPR violation.
Common examples of relationships requiring a DPA include: SaaS companies using AWS or Google Cloud, e-commerce stores using Stripe for payment processing, and businesses using email marketing platforms.