Data Processing Agreement (DPA)
A legally binding contract between a data controller and a data processor that governs the terms for processing personal data under the GDPR.
Explanation
A DPA must include: subject matter and duration of processing, nature and purpose, categories of data and data subjects, processor obligations (confidentiality, technical measures, sub-processor rules, support for data subject rights, deletion after contract end).
Marketing Relevance
Every third-party AI tool processing customer data (chatbots, personalization, analytics) requires a DPA. Marketing teams must verify before tool adoption whether the provider offers GDPR-compliant DPAs.
Example
A marketing team wants to use an AI text generator. Before signing, they check: Where is data stored (EU/US)? Which standard contractual clauses apply? How is training data handled? Is a ready-made DPA available?
Common Pitfalls
Missing DPAs for "free" AI tools. Unclear rules about AI training with user data. Outdated DPAs not covering AI-specific risks. Sub-processor chains without transparency.
Origin & History
Data Processing Agreement (DPA) is an established concept in the field of Data & Analytics. The concept has evolved alongside the growing importance of AI and data-driven methods.