What is a Data Processing Agreement?

GDPR guards the rights of users regarding their personal data. One of the most important parts of GDPR is the Data Processing Agreement (DPA) that a company that handles your personal data will sign with every party that has access to this data.

Within DPA, the term “processing” is used broadly and refers to anything you can do with someone’s data – collecting it, storing, monetizing it destroying it, etc.

A data processing agreement is a legally binding contract that states the rights and obligations of each party concerning the protection of personal data. Essentially it regulates the particularities of data processing, such as: The scope and purpose of the processing; The relationship between these actors; The obligations of each party under the regulation

When does RECILIO sign a DPA?

As business owners who are subject to the GDPR, it is in our interest to have a DPA in place. This means, that whenever a data processor  – i.e. another company that helps us store, analyze or communicate personal information – carries out any processing on our behalf, we need to have a written contract in place.

What should be included in a DPA?

GDPR Article 28, Section 3, explains in detail the eight topics that need to be covered in a DPA. Our DPA includes all these different topics.

In summary, here’s what RECILIO includes in our DPA´s:

  • The processor agrees to process personal data only on written instructions of the controller.
  • Everyone who comes into contact with the data is sworn to confidentiality.
  • All appropriate technical and organizational measures are used to protect the security of the data.
  • The processor will not subcontract to another processor unless instructed to do so in writing by the controller, in which case another DPA will need to be signed with the sub-processor (pursuant to Sections 2 and 4 of Article 28).
  • The processor will help the controller uphold their obligations under the GDPR, particularly concerning data subjects’ rights.
  • The processor will help the controller maintain GDPR compliance with regard to Article 32 (security of processing) and Article 36 (consulting with the data protection authority before undertaking high-risk processing).
  • The processor agrees to delete all personal data upon the termination of services or return the data to the controller.
  • The processor must allow the controller to conduct an audit and will provide whatever information necessary to prove compliance.


RECILIO acknowledges that we are responsible for establishing a lawful data process and we observe the rights of our users by including data consents and requests. We also acknowledge that we are responsible for informing our users, subcontractors and employees about data processing. In line with this, you may view our DPA here.