Data Processing Agreement

Where a data processor handles personal data on behalf of a data controller, a written data processing agreement (DPA) is required by the GDPR. Without one, the data controller is in breach and risks enforcement action, including fines of up to EUR 20,000,000 or 4% of global annual turnover. A DPA also protects the data controller if the processor mishandles data or causes a breach. We draft, review, and advise on data processing agreements, making sure roles, security obligations, and liability positions are clearly defined.