What is a DPA?
A data processing agreement (DPA) is a legal contract between ACTO Omnichannel Education for Life Sciences and its processors. The purpose of the DPA is to lay out clear roles and obligations for the processors when handling personal data on ACTO Omnichannel Education for Life Sciences’s behalf.
Why and how should I assess this?
While the processor has obligations, ultimately the data controller is responsible for the personal data. ACTO Omnichannel Education for Life Sciences may only use processors that can sufficiently guarantee that the processing meets the requirements of the GDPR. Some things to look for in a DPA:
Processing only on documented instructions of the controller.
The DPA must set out the purpose and duration of the processing, the type of personal data, and the categories of data subjects.
Appropriate security measures.
Controllers must only use vendors that can provide sufficient guarantees for the security of their processing activities.
The use of sub-processors.
The processor must not use another processor (i.e., a sub-processor) to help it process personal data without prior permission from the controller.