Contract between a data controller (the research team or commissioning organization) and a data processor (a vendor handling data on their behalf) defining what the processor may do with the data. Mandatory under GDPR Article 28.
The DPA is the contract that turns vendor marketing into legal commitments. Under GDPR Article 28, anyone processing personal data on your behalf must sign one. Without a DPA in place, using a vendor with participant data is itself a GDPR breach.
A useful DPA spells out: processing purposes, categories of data, retention periods, security measures, sub-processor list and notification process, breach notification timelines, and data return or deletion at contract end. Vendor-supplied templates lean toward vendor interests; read carefully and ask for amendments where the language is vague or one-sided.
Free or low-cost AI tools rarely offer DPAs. Enterprise tiers usually do. The presence of a well-drafted DPA is a strong signal that the vendor has thought about compliance; its absence is a strong signal to walk away.