A DPA (Data Processing Agreement), i.e. a data processing contract, is the contractual document required by Article 28 of the GDPR whenever a data controller entrusts the processing of personal data to a processor (for example a SaaS software vendor, a hosting provider or a service provider).
The DPA gives this relationship a legal framework. Article 28(3) requires it to set out the subject matter, the duration, the nature and purpose of the processing, the type of data and the categories of data subjects, as well as the obligations of each party. In particular, the processor undertakes to process the data only on documented instructions from the controller, to ensure confidentiality, to implement security measures (Article 32), to engage a sub-processor only with the controller's authorization, to assist the controller in responding to data subjects' rights requests, and to delete or return the data at the end of the service.
In practice, any serious digital service provider makes a DPA available to its customers: it is a cornerstone of compliance and a point to watch when choosing a tool. It formalizes the chain of accountability between the client and its provider, and goes hand in hand with the possible appointment of a data protection officer (DPO).