
Requirements for data processing agreements

Understand the key requirements and how to maintain control over your data processors.

A Data Processing Agreement (DPA) defines how a data processor handles personal data on behalf of a data controller.

Its purpose is to ensure that the processing is clearly defined, remains under the data controller's control, and complies with the GDPR.

This article outlines the key elements a DPA should include, along with how to monitor compliance.

Note: This article reflects general best practices and is not legal advice.


Core elements of a DPA

A DPA must clearly describe:

  • the subject matter and duration of the processing
  • the nature and purpose of the processing
  • the types of personal data involved
  • the categories of data subjects
  • the data controller’s rights and obligations

These elements define the scope of the agreement.


Key requirements

In addition, a DPA should ensure the following:

Processing under instructions

The data processor may only process personal data on documented instructions from the data controller. This also covers transfers of personal data to third countries. The processor may only depart from these instructions where Union or Member State law requires it, and in that case it must inform the controller before processing, unless the law prohibits such notice.


Confidentiality

The data processor must ensure that personal data is handled confidentially.
This may include access controls and confidentiality obligations for employees.


Security measures

The data processor must implement appropriate technical and organizational security measures.

These should be agreed upon and documented to ensure an appropriate level of protection.


Use of subprocessors

The agreement must define how subprocessors can be used.

  • Subprocessors require the data controller's prior written approval (specific or general)
  • Under a general approval, the data controller must be informed of any intended addition or replacement of a subprocessor and given the opportunity to object
  • Subprocessors must be bound by contract to the same data protection obligations as the data processor, and the data processor remains fully liable to the data controller for their performance

Support for data subject rights

The data processor must assist the data controller in handling requests such as:

  • access requests
  • deletion requests

Support for compliance obligations

The data processor must support the data controller in meeting GDPR requirements (Articles 32–36), including:

  • notifying the data controller of personal data breaches without undue delay after becoming aware of them
  • providing the information the data controller needs for data protection impact assessments and prior consultation with the supervisory authority

It is often useful to agree on specific notification timelines, since the data controller itself generally has only 72 hours from becoming aware of a breach to notify the supervisory authority.


Data return or deletion

At the end of the agreement, the data processor must, at the data controller's choice:

  • delete all personal data, or
  • return it to the data controller and delete any remaining copies

The only exception is where Union or Member State law requires the data processor to retain the data.


Demonstrating compliance

The data processor must make available all information necessary to demonstrate compliance with its obligations.

The agreement should allow the data controller, or an auditor mandated by the data controller, to:

  • conduct audits
  • perform inspections if needed

DPAs should be monitored

Having a DPA in place is not enough.

You should also ensure that the agreement is followed in practice.

Monitoring can include:

  • written assessments
  • physical inspections

The frequency and type of review should be based on risk.

For higher-risk processing, more frequent reviews may be needed.


Legal basis

The use of data processors is regulated under Article 28 of the GDPR.
