A data processing agreement, or DPA, is an important document in data protection law and is required in many jurisdictions, including the European Union. In practice, a DPA is required whenever a company (e.g. yours) contracts another company to process personal data on its behalf. This contract sets out the responsibilities and requirements for data processing and data protection. The DPA ensures that both parties comply with data protection regulations and that personal data is processed securely and correctly.
Data processing agreements (DPAs) are very important because they play a central role in data protection. Imagine how carefully you would handle house keys that someone entrusts to you. In the same way, people's personal data must be kept secure and confidential.
Here are the main reasons why data processing agreements are essential:
In summary, the DPA is like a comprehensive plan that ensures that everything is done correctly in terms of data processing. It helps to ensure that laws are respected, people are protected, and business is conducted in an ethical and responsible manner. It is a crucial tool for building trust in the digital world.
A DPA must be concluded between the controller (your own company) and the processor (the service provider) in accordance with Art. 28 paragraph 3 of the GDPR. When drafting a DPA you should include the following elements:
If your company uses external service providers to process personal data, a data processing agreement must be concluded with them. This applies, for example, to areas such as payroll accounting, sales, and marketing.
When personal data is processed, a distinction must be made between service providers that are bound by the controller's instructions and those that act independently. Examples of professional groups that act independently are tax consultants, banks, company doctors, and lawyers. Because they are not bound by instructions, no data processing agreement needs to be concluded with them.
"heyData impressed us with their digital software solution and expertise. Like us, heyData is a digital pioneer in a rather traditional and less digital industry. heyData is a strong partner for the BRZ Group."
Head of Customer Service at BRZ Gruppe
"heyData is a great help for us and makes the topic of data protection really easy. We are very satisfied with the digital audit, the online training and the customer support."
CTO & Co-Founder at Hive Technologies GmbH
"I value this feature for its ability to simplify supplier risk assessment. It is an indispensable tool for anyone dealing with data compliance in the European Union and Switzerland."
Head of Legal Affairs at Learnship
"As a customer, we have only had good experiences with heyData's support and communication. Questions were answered in detail, responses were always prompt, and personal 1-1 support is also no problem."
Director of Customer Support at AMBOSS
"It is a flexible solution that could be ideally tailored to our needs. Now everything is always up to date in terms of data protection."
Sales at Frank GmbH
"We always receive competent and prompt advice from heyData and have so far been able to find a satisfactory solution to every question relating to the GDPR or data protection in general."
CTO at Instaffo GmbH
The controller is the person or organisation that determines the purposes and means of data processing. The processor is the person or organisation that processes personal data on behalf of the controller.
A DPA is required whenever a controller transfers personal data to a processor. This applies to services such as cloud storage, IT support, payment processing, and other processing activities for personal data.
Yes, according to Article 28 paragraph 9 of the General Data Protection Regulation, DPAs may be concluded in writing or in electronic form.
The absence of a lawful DPA between controller and processor may constitute a breach of the GDPR and lead to legal consequences, including fines.
The DPA should be retained for as long as the data processing between the controller and the processor continues, and for a reasonable period beyond that in order to demonstrate compliance with the GDPR.
Yes, but this requires the explicit authorisation of the controller and clear rules on the responsibilities and data protection obligations of the sub-processor.