Data Processing Agreement (DPA)
A legally binding contract between a data controller and data processor that governs the processing of personal data. Required by GDPR Article 28, a DPA specifies the scope, purpose, and duration of processing, as well as the obligations of each party.
A Data Processing Agreement (DPA) is a mandatory contractual document under GDPR that regulates the relationship between a data controller (the organization that determines the purposes and means of processing) and a data processor (the entity that processes data on the controller's behalf). The DPA must be in writing and include specific provisions required by GDPR Article 28.
Key provisions that must be included in a DPA are the subject matter and duration of processing, the nature and purpose of processing, the types of personal data and categories of data subjects, the obligations of the processor (including confidentiality, security measures, sub-processor management, data subject rights support, deletion/return of data, and cooperation with audits), and the controller's instructions for processing.
For organizations subject to both GDPR and DORA, the DPA requirements intersect with DORA's ICT third-party contractual provisions. DORA Article 30 specifies additional contractual elements for ICT services including security requirements, data location, audit rights, exit strategies, and performance monitoring — many of which complement and extend the DPA requirements.
Related Terms
GDPR (General Data Protection Regulation)
The EU regulation governing the processing of personal data of individuals within the European Economic Area. GDPR establishes strict rules for data collection, storage, processing, and transfer, with penalties of up to 4% of annual global turnover for violations.
Data Protection Officer (DPO)
A designated role within an organization responsible for overseeing data protection strategy and GDPR compliance. Under GDPR, certain organizations are required to appoint a DPO, particularly public bodies and organizations that process sensitive data at scale.
Third-Party Risk Management
The process of identifying, assessing, and controlling risks arising from outsourcing to third-party service providers. Under DORA Article 28, financial entities must maintain a register of all ICT third-party providers and conduct thorough due diligence on critical providers.