Law and standards
Data processing agreement (DPA)
What is a data processing agreement?
A data processing agreement (DPA) is the contract required by Article 28 GDPR wherever a provider processes personal data on behalf of, and on the instructions of, a company. Typical cases are cloud storage, an external IT firm with remote access, or payroll software run in the cloud.
A processor is any provider that handles personal data on the instructions of another business. Common examples include the cloud storage holding customer records, the external IT firm with remote access, the web host, the data centre where backups are kept, the newsletter delivery service and cloud-based payroll software. Responsibility towards the individuals concerned stays with the commissioning business.
Article 28 sets out the minimum content of the contract. It covers the subject matter and duration of the processing, its nature and purpose, the types of data and the categories of individuals, the obligation to act only on documented instructions, the confidentiality of the staff involved, the security measures required by Article 32, the conditions for engaging sub-processors, meaning the provider's own suppliers, assistance with data subject rights and notification duties, deletion or return of the data once the service ends, and the provision of evidence and audits.
Choosing the provider is itself a legal duty. Article 28(1) requires sufficient guarantees that the processing will meet the requirements of the Regulation. In practice this means obtaining a description of the technical and organisational measures, asking for certificates or audit reports, and clarifying which sub-processors are involved and where the data is stored. Where servers sit outside the EU and the EEA, a transfer mechanism under Chapter V is needed as well, usually the standard contractual clauses, which are contract texts issued by the European Commission.
The need for action shows up where a complete list of the services in use is missing. A sensible first step is to compile every service and every person with access to company data, including remote support tools, the accounting cloud, appointment booking, the backup provider and the agency that maintains the website. For each entry, ask whether a processing agreement exists and whether it addresses the points in Article 28.
Entries that are easily overlooked in such a list are the ones nobody deliberately introduced, such as a remote access tool left on a workshop computer or a private cloud account used to exchange files with a supplier. The IT-Check reveals such access paths and data flows and thereby supplies the basis for a complete record of processing activities under Article 30.
IT-Check: make access paths and providers visible Overview of law and standards
All terms in the knowledge base
Note: This entry reflects the state of knowledge to the best of our understanding and serves as general orientation. It is not legal advice. What counts is always the version currently in force at the responsible body, for example dsb.gv.at, nis.gv.at or enisa.europa.eu.
From the term to practice
Where does your business actually stand?
The IT Check reviews your IT across 8 audit areas with more than 100 individual checks and delivers documented findings with a prioritised action plan. From 1,299 € excl. VAT. The first call takes 20 minutes and carries no charge.