Reduce GDPR complexity with heyData

Data Processing Agreement (DPA) according to the GDPR

With heyData, you don't have to worry about GDPR-compliant data processing agreements. Whether you want to check existing contracts or create a new DPA, we are here to help you in a professional and uncomplicated way.

What is a Data Processing Agreement (DPA)?

A Data Processing Agreement (DPA) is a legally binding contract that governs the processing of personal data by a third-party provider. It ensures that data is processed securely and responsibly according to the requirements of the GDPR.

Why is a Data Processing Agreement Important?

Fulfillment of Legal Requirements

A DPA is mandatory in the EU and many other countries in accordance with the GDPR. Without this contract, you risk legal consequences and heavy fines.

Clear Responsibilities

The DPA clearly defines the tasks and obligations of the controller and the processor. This creates transparency on both sides.

Protecting Those Affected

The contract protects the rights of the individuals whose data is being processed and ensures that their data is treated securely and confidentially.

Strengthen Trust

Having a DPA in place shows that you and your partners take data protection requirements seriously, which builds trust with customers and partners.

Optimizing Risk Management

Should a data protection incident occur, the DPA regulates who is responsible and how quickly measures must be taken to minimize the damage.

Ensure Sustainable Compliance

A DPA is not just a one-time document – it forms the basis for continuous compliance with data protection laws and promotes responsible data processing.

Let's take your DPAs to the next level!

Get started now!

What Must a Data Processing Agreement (DPA) Contain?

A DPA must be concluded between the controller (the company itself) and the processor (the service provider) under Art. 28 (3) GDPR. A data processing agreement covers the following elements, among others:

1. Type and Purpose of Processing

What data is processed and why? It should be clear what personal data is processed and for what purpose.

2. Obligations of the Processor

How should the processor handle the data? These obligations may include requirements for security, confidentiality and compliance with the law.

3. Rights and Duties of the Data Controller

What can and must the controller do? This could include the right to monitor the processing, to give instructions and to ensure that the processor complies with the requirements of the applicable data protection law.

4. Technical and Organizational Measures

How is the data protected? This part should describe the security measures taken to protect the data from loss, misuse, or unauthorized access.

5. Subprocessors

If the processor commissions other companies, this should be regulated in the data processing agreement. It must be clear under which conditions this is permitted.

6. Rights of the Data Subjects

How are the rights of the individuals whose data is processed protected? The DPA should ensure that their rights, such as the right of access, rectification, and erasure, are respected.

7. Mandatory Reporting of Data Breaches

What happens if something goes wrong? The DPA should specify how data breaches are to be reported, within what time frame, and who is responsible for doing so.

8. Deletion and Return of Data

What happens at the end of the contract? The DPA should regulate how the data is deleted or returned at the end of the processing.

9. Supervisory Rights and Obligations

The DPA should also define the controller's rights to monitor the processor's compliance with the contract.

Hear It From Our Customers

"heyData impressed us with their digital software solution and expertise. Like us, heyData is a digital pioneer in a rather traditional and less digital industry. heyData is a strong partner for the BRZ Group."

Markus Schobert

Head of Customer Service at BRZ Gruppe

"heyData is a great help for us and makes the topic of data protection really easy. We are very satisfied with the digital audit, the online training and the customer support."

Leonard von Kleist

CTO & Co-Founder at Hive Technologies GmbH

"I value this feature for its ability to simplify supplier risk assessment. It is an indispensable tool for anyone dealing with data compliance in the European Union and Switzerland."

Jan Stephan

Head of Legal Affairs at Learnship

"As a customer, we have only had good experiences with heyData's support and communication. Questions were answered in detail, responses were always prompt and personal 1-1 support is also no problem."

Roman Georgi

Director of Customer Support at AMBOSS

"What sets heyData apart is its responsiveness and rapid implementation."

Sandra Scherzer

Legal department at Bioland

"We always receive competent and prompt advice from heyData and have so far been able to find a satisfactory solution to every question relating to the GDPR or data protection in general."

Nikolai

CTO at Instaffo GmbH

When Do I Need a Data Processing Agreement?

A data processing agreement is required when an external company processes personal data on behalf of another company.

Examples include:

  • Using cloud services: for example, Google Drive or Microsoft 365.
  • Outsourcing payroll accounting: when an external payroll office takes over payroll processing.
  • Using call centers: for customer care or satisfaction surveys.
  • Using newsletter services: tools like Mailchimp for sending newsletters.
  • Hiring IT service providers: maintenance and support of IT systems by external service providers.

Processing of Personal Data

Processing of personal data covers any handling of that data, such as collecting, storing, using or deleting it. According to Article 4 of the GDPR, processing includes, among other things:

  • Collecting: data is collected.
  • Storing: data is saved and secured.
  • Using: data is used to provide services.
  • Deleting: data is securely deleted when it is no longer needed.

4 Steps to a Legally Compliant DPA

1. Requirements Analysis

We identify which DPAs are required for your company and check existing contracts for weak points.

2. Creation of the DPAs

Our data protection experts create a customized DPA that is fully GDPR compliant.

3. Implementation & Training

Introduction of the DPA in your company, supplemented by training for your team.

4. Ongoing Support

With heyData, you benefit from long-term support and regular updates on changes in the law.

Roles in Data Protection – Who is Responsible for What?

Controller (Company):
  • Decides on the purpose and means of processing
  • Bears the main responsibility for data protection
  • Concludes data processing agreements with service providers
  • Ensures that technical and organizational measures are implemented
  • Bears the risk of data breaches
  • Example: Online store owner

Processor (Service Provider):
  • Processes data on behalf of the controller
  • Must comply with the controller's instructions
  • Is regularly reviewed by the controller
  • Implements the measures defined by the controller
  • Can also be held liable for violations
  • Example: Hosting provider

Why heyData is the Ideal Partner for DPAs

Personalized Expert Advice

Our specialized lawyers will advise you individually and find the right solution for your company.

Customized DPA Solutions

Each contract is individually tailored to your needs.

Support with the Documentation

We take care of the complete creation and management of your DPAs.

Training for your Team

Awareness-raising and training for your employees on data protection-compliant behavior.

Fast and Easy Implementation

heyData saves you time and hassle – we make sure that everything runs smoothly.

Continuous Updates

Data protection laws change. With heyData, you are always up to date.

Let's make your company GDPR-secure!

Contact us!

The controller is the person or organisation that determines the purposes and means of data processing. The processor is the person or organisation that processes personal data on behalf of the controller.

A DPA is required whenever a controller transfers personal data to a processor. This applies to services such as cloud storage, IT support, payment processing, and other processing activities for personal data.

Yes, according to Article 28 paragraph 9 of the General Data Protection Regulation, DPAs may be concluded in writing or in electronic form.

The absence of a lawful DPA between controller and processor may constitute a breach of the GDPR and lead to legal consequences, including fines.

The DPA should be stored for as long as the data processing between the controller and processor continues and beyond that for a reasonable period of time to demonstrate compliance with the GDPR.

Yes, but this requires the explicit authorisation of the controller and clear rules on the responsibilities and data protection obligations of the sub-processor.