What Is a GDPR DPA?

Written by: Lawrence Bonk

Updated January 6, 2023

If you are new to online privacy, you may wonder what a GDPR DPA is. After all, many of the best websites and online shopping platforms have adopted various practices that impact consumer privacy, which is where the GDPR and its suite of consumer protections come into play. So what is the GDPR, what is a DPA, and how do these laws help average consumers? Keep reading to find out.


  • The General Data Protection Regulation, or GDPR, is a suite of consumer privacy laws for EU citizens with sufficient guarantees of a supervisory authority and protection authorities.
  • DPA stands for data processing arrangement, and this processing agreement ensures that data processors abide by the same laws as standard companies.
  • If either a company or a data processor sells your information without consent, you can file a deletion request, protection impact assessment, or other organizational measures.

What Is the GDPR?

Before learning about GDPR data subjects, it is helpful to understand the GDPR itself. The General Data Protection Regulation, or GDPR, is a comprehensive suite of consumer privacy laws developed for residents of the European Union (EU). These rulings pertain to any information related to natural persons within the region, so this law does not protect anonymous accounts, though employee data is protected under the GDPR.

Insider Tip

Remember, this agreement is only for residents of the European Union, though some states have similar laws on the books.

Like California’s CCPA law, this ruling allows consumers to request that companies refrain from selling personal data and issue deletion requests if companies violate the aforementioned regulations. There is no GDPR equivalent for the entire US market, though certain states have their own versions.

What Is a DPA?

DPA, in this context, stands for data processing arrangement and refers to written agreements between companies and their data processors, ensuring that both parties abide by the various statutes and regulations inherent to the GDPR. In the vast majority of cases, it is not the company itself that handles these large loads of personal data from consumers, as these requests are outsourced to data processors. These processors scrub through the data to find valuable information to sell to data brokers and the like.

Benefits of the GDPR DPA

There are a number of reasons why the GDPR legislation instituted these DPAs into its language. Without a DPA, companies could claim innocence in data sharing, as it is the processor doing all the dirty work. This way, both sides are liable, and the consumer is provided an extra layer of protection. Here is how that shakes out.

STAT: GDPR compliance requires data controllers to sign a data processing agreement with any parties that act as data processors on their behalf.

Consumers who become aware of data brokerage on the part of the initial company or a data processor can request the deletion of personal information, and the companies are opened up to strict civil penalties, such as fines.


What needs to be in a data processing agreement?

The agreement states that the data processor abides by the same rules as any other company, with a supervisory authority and related organizational measures.

When do I need a DPA?

You need a DPA when the company you are signing up with uses a third party to collect and allocate data. This allows for the security of processing and promotes certain protection principles.

Does a DPA have to be a separate document?

No, the DPA can be folded into any standard sign-up document so long as the organizational measures are clearly illustrated with appropriate security measures and protection obligations in place.