Data Processing Agreement (DPA) - heyData

Reduce GDPR complexity with heyData

Data processing agreement (DPA)

You no longer have to worry about GDPR-compliant data processing agreements. We are at your side, professionally and without complications.

  • Consultation with specialised lawyers
  • Support with all compliance-related topics, documentation, staff training, etc.
  • An offer tailored to your specific needs

What is a data processing agreement (DPA)?

A data processing agreement, or DPA, is an important document in data protection law that is required in many jurisdictions, including the European Union. In practice, a DPA is required when a company (e.g. yours) contracts another company to process personal data on its behalf. This contract sets out the responsibilities and requirements for data processing and data protection. The DPA ensures that both parties comply with data protection regulations and that personal data is processed securely and correctly.

Why are data processing agreements so important?

Data processing agreements (DPAs) are very important because they play a central role in data protection. Imagine how carefully you would handle house keys that someone entrusts to you. Similarly, people's personal data must be kept secure and confidential.

Here are the main reasons why data processing agreements are essential:

  1. Legal compliance: in the European Union and many other countries, a DPA is required by law. Without this contract, you can be in breach of both national data protection laws and the General Data Protection Regulation (GDPR) at EU level, which can lead to penalties.
  2. Clear responsibilities: The DPA sets out exactly who is responsible for what. The DPA specifies how data is to be processed and protected.
  3. Protection of data subjects: The DPA helps to protect the rights of individuals whose data is being processed and to ensure that their information is not misused or mismanaged.
  4. Building trust: When companies entrust their data to another party, they want to be sure that everything is in order. The DPA is like a handshake that builds trust and shows that both parties understand and follow the rules.
  5. Risk management: If something goes wrong (for example, a data breach), the DPA specifies who is responsible and how to handle the situation. It's like a contingency plan that ensures everything runs as smoothly as possible, even if problems arise.

In summary, the DPA is like a comprehensive plan that ensures that everything is done correctly in terms of data processing. It helps to ensure that laws are respected, people are protected, and business is conducted in an ethical and responsible manner. It is a crucial tool for building trust in the digital world.

What must a data processing agreement (DPA) include?

A DPA must be concluded between the controller (your own company) and the processor (the service provider) in accordance with Art. 28 paragraph 3 of the GDPR. When creating a DPA you should include the following elements:

  1. The nature and purpose of the processing: what data is being processed and why? It should be clear which personal data are processed and for what purpose.
  2. Processor obligations: How should the processor handle the data? These obligations may include requirements for security, confidentiality, and compliance with the law.
  3. Rights and obligations of the controller: What may and must the controller do? This could include the right to monitor processing, give instructions, and ensure that the processor complies with the requirements of applicable data protection law.
  4. Technical and organisational measures: How will the data be protected? This part should describe the security measures taken to protect the data from loss, misuse, or unauthorised access.
  5. Sub-processors: If the processor subcontracts to other companies, the DPA should regulate this. It must be clear under what conditions this is allowed.
  6. Rights of data subjects: How are the rights of the people whose data are processed protected? The DPA should ensure that their rights, such as the right of access, rectification, and erasure, are respected.
  7. Obligation to report breaches: What happens if something goes wrong? The DPA should specify how data breaches are to be reported and who is responsible for them.
  8. Deletion and return of data: What happens at the end of the contract? The DPA should regulate how data is deleted or returned at the end of processing.
  9. Monitoring rights and obligations: The DPA should also specify the rights of the controller to monitor the processor's compliance with the contract.

Who needs a data processing agreement?

If your company uses external service providers for the processing of personal data, it is necessary to arrange a contract for the processing of personal data. This applies, for example, to areas such as payroll accounting, sales, and marketing.

When personal data is processed by a third party, a distinction must be made between service providers that act on the controller's instructions (processors) and those that act independently and are therefore controllers in their own right. Typical examples of the latter are tax consultants, banks, company doctors, and lawyers. Because they are not bound by your instructions, no data processing agreement needs to be concluded with them.

heyData – your partner to become GDPR compliant!

  • Expert knowledge: Our team of specialised lawyers knows the needs of each field and can give you the best advice.
  • Time-saving: Instead of struggling through the jungle of paragraphs and laws, heyData manages in a few weeks everything that could take months.
  • Continuous support: With heyData at your side, you always have a contact person for all questions regarding data protection.
  • Individual solutions: Every company is unique - we offer tailor-made solutions for your individual requirements.

Contact heyData now and let us sort out your DPA without complications!

What is the difference between a controller and a processor?

The controller is the person or organisation that determines the purposes and means of the processing of personal data. The processor is the person or organisation that processes personal data on behalf of the controller.

When is a DPA required?

A DPA is required whenever a controller engages a processor to process personal data on its behalf. This applies to services such as cloud storage, IT support, payment processing, and other processing activities involving personal data.

Can a DPA be concluded electronically?

Yes. Under Article 28 paragraph 9 of the General Data Protection Regulation, a DPA must be in writing, which includes electronic form.

What happens if there is no DPA?

The absence of a valid DPA between controller and processor may constitute a breach of the GDPR and lead to legal consequences, including fines.

How long should a DPA be kept?

The DPA should be retained for as long as the data processing between the controller and processor continues, and for a reasonable period beyond that in order to demonstrate compliance with the GDPR.

Can a processor engage sub-processors?

Yes, but this requires the prior written authorisation of the controller (either specific or general) and clear rules on the responsibilities and data protection obligations of the sub-processor, which must be passed on to it by contract.