Data Processing Agreements (DPAs): who, when, and don't overcomplicate it
Every SaaS that processes personal data on your behalf needs a DPA. Most vendors already have one ready on their website. Here's a quick checklist so you don't end up with 40 stray PDFs a year from now.
A Data Processing Agreement (DPA) is mandatory between you (the data controller) and every vendor that processes personal data on your behalf.
Who do you need a DPA with?

- Your accounting software (processes customer and employee data).
- Your CRM.
- Your HR system.
- Your email marketing platform (MailChimp, Mailerlite, ActiveCampaign).
- Your hosting and cloud storage (M365, Google Workspace, AWS).
- Your CDN / security provider (Cloudflare).
- Your customer support tool (Intercom, Zendesk, Help Scout).
- Your accountancy firm (if they process your data).
Who do you NOT need a DPA with?

- Your internet provider (they are not a data processor).
- Your telephone provider.
- Your payment provider (a bank acts as a "third controller" in its own right, not as a processor).
What goes into a DPA?

Most major vendors have a pre-drafted DPA available online. Download it and sign it digitally. Key contents:

- Purpose and duration of processing.
- Categories of data and data subjects.
- Security measures implemented by the vendor.
- Sub-processors (which AWS region, which third parties).
- Breach notification obligations.
- Assistance with data subject rights requests.
Record-keeping

Store all DPAs in a single folder, noting the signing date and version. When switching vendors: put a DPA in place with the new party, and keep the old one in your archive for the applicable retention period.

See also: GDPR pillar, sub-processors outside the EU.
Full guide: GDPR compliance for SMEs: the practical minimum
This article is part of our comprehensive GDPR & privacy guide. Read the pillar for the complete picture.