Processing Agreement
Definition
A legally binding contract between a data controller and data processor that governs how personal data will be processed on behalf of the controller, specifying the scope, nature, purpose, duration, type of data, and obligations of each party. Also called a Data Processing Agreement (DPA) or Data Processing Addendum, this agreement is mandatory under GDPR Article 28(3) whenever a controller engages a processor. The agreement must address: subject matter and duration of processing, nature and purpose of processing, type of personal data and categories of data subjects, controller's and processor's obligations and rights, security measures, sub-processor requirements and approval processes, assistance with data subject rights requests, assistance with security incidents and DPIAs, data deletion or return after services end, audit rights, and breach notification obligations. The agreement ensures processors only process data according to documented instructions and protects controllers by establishing clear contractual obligations. Without a compliant processing agreement, both parties may face regulatory enforcement.
Applicable Laws & Regulations
- GDPR Article 28 (Processor obligations)
- GDPR Article 28(3) (Required contract terms)
- CCPA § 1798.140(ag) (Service provider contracts)