What is a Data Processing Agreement (DPA)?

A Data Processing Agreement (DPA) is the written contract required by GDPR Article 28(3) between a controller and a processor. It sets out the subject matter, duration, nature and purpose of the processing, the types of personal data and data subjects, and the processor's obligations to act only on documented instructions and protect the data.

Whenever a controller uses a vendor to process personal data on its behalf, Article 28 requires a DPA before that processing begins — it is not optional. The contract must impose specific duties on the processor: confidentiality, appropriate security, assistance with data-subject rights and breach notification, restrictions on sub-processors, and deletion or return of data at the end of the engagement.

For example, a clinic using a cloud booking system needs a DPA committing that vendor to handle patient contact data only as instructed and to help with access requests and breaches. Note the acronym clash: in the UK, "DPA" also commonly means the Data Protection Act 2018, so spell it out in contracts. The HIPAA equivalent of this controller–processor contract is the Business Associate Agreement.

A processor/DPA checklist and template clauses let you paper these relationships quickly and consistently across your vendor stack. The agreement evidences and allocates responsibility — but real protection comes from choosing competent processors and confirming they actually meet the commitments.

Related terms: Data Controller vs Data Processor · Vendor Risk Management · Business Associate Agreement (BAA) · Records of Processing Activities (RoPA)

Frequently asked questions

When is a Data Processing Agreement required?
Whenever a controller engages a processor to handle personal data on its behalf. Article 28(3) makes a written DPA mandatory before that processing starts — for example with cloud, payroll, email or CRM vendors.
How is a DPA different from a Business Associate Agreement?
Both bind a service provider to protect data, but a DPA is a GDPR Article 28 controller–processor contract for personal data, while a Business Associate Agreement is the HIPAA contract governing protected health information in the US.
Does "DPA" always mean Data Processing Agreement?
No — in the UK it often means the Data Protection Act 2018, the national law that sits alongside the UK GDPR. Spell the term out in contracts to avoid confusion.

Toolkits that cover Data Processing Agreement (DPA)

EU GDPR

GDPR Compliance Pack for Small Business

14 editable GDPR documents — privacy notices, DSAR procedure, DPIA, breach response, processor DPA checklist — plus a pre-filled Records of Processing Activities (Art. 30) workbook and evidence checklist.


Learn more in our GDPR guide, explore the editable policy templates, or browse the full compliance glossary.


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.