Data Processing Agreement

aka DPA, Article 28 contract, Data Processing Addendum

Mandatory contract under GDPR Article 28 between a data controller and a data processor. Sets out subject matter, duration, processing purposes, and required security measures.

Last reviewed April 2026

Definition

A Data Processing Agreement (DPA) is the contract required under Article 28 of the GDPR between a data controller (the Irish SME) and any processor that handles personal data on the controller's behalf (most SaaS providers). The contract must cover the subject matter and duration of processing, the nature and purpose of processing, the categories of personal data and data subjects, the controller's obligations and rights, and a defined list of processor obligations: confidentiality, security measures (Article 32), use of sub-processors only with prior authorisation, assistance with data subject rights, breach notification, return or deletion of data on termination, and audit rights. A processor that engages a sub-processor (e.g. AWS, GCP, Azure, Twilio) must impose the same data protection obligations on it via a back-to-back contract. Under Irish and EU practice, the DPA is usually signed by accepting the SaaS provider's standard terms or by countersigning a downloadable PDF. A DPA is separate from the main service contract but typically cross-references it. Without an Article 28 DPA in place, the use of any third-party processor for personal data is a GDPR breach by the controller.

Why it matters for software choice

If a vendor cannot produce a current GDPR-compliant DPA on request, the Irish SME using them is technically in breach of GDPR Article 28. Software that publishes a click-through DPA on its website, names sub-processors transparently, and notifies of sub-processor changes is materially easier to defend in a DPC inquiry.
