Legally binding contracts required under GDPR Article 28 defining processing scope, security obligations, and rights between data controllers and processors.
GDPR Data Processing Agreements (DPAs) are legally binding contracts required under GDPR Article 28 between data controllers and data processors that define the scope, nature, and purpose of data processing, along with the obligations and rights of each party. DPAs ensure that processors handle personal data only on documented instructions from controllers and implement appropriate security measures.
A GDPR-compliant DPA must include specific mandatory provisions: the subject matter and duration of processing, the nature and purpose of processing, the types of personal data and categories of data subjects, the controller's obligations and rights, documented processing instructions, confidentiality commitments, security measures per Article 32, sub-processor management including prior authorization and flow-down obligations, assistance with data subject rights and breach notification, data return or deletion upon contract termination, audit rights, and evidence of compliance. DPAs must be in writing (including electronic form) and are typically annexed to the main service agreement. Organizations acting as both controller and processor for different data sets may require bidirectional DPAs. Sub-processor chains require the primary processor to impose equivalent DPA obligations on all sub-processors, creating contractual cascades that extend GDPR protections through entire supply chains.
Processing personal data without a valid DPA is itself a GDPR violation carrying fines up to 10 million euros or 2% of global revenue. DPAs are the contractual mechanism through which controllers extend their GDPR obligations to every third party that touches personal data. Without DPAs, organizations have no contractual basis to require processors to implement security measures, report breaches, or assist with data subject requests. The complexity of modern SaaS supply chains means organizations may need hundreds of DPAs, each requiring review and management.
CDA addresses DPA management within the Data Protection and Sovereignty domain as a C-BUILD deliverable. Our missions provide DPA templates aligned with EDPB guidance, establish processor inventory and DPA tracking systems, implement sub-processor monitoring workflows, and conduct DPA gap assessments to identify missing or non-compliant agreements.
Written by CDA Editorial