Under the GDPR, a data processing agreement (DPA) is a written contract between a controller and a personal data processor. The controller is the entity that determines the purposes and means of processing personal data, while the processor is the entity that processes personal data on behalf of the controller.
A DPA sets out the terms and conditions under which the processor will process personal data on behalf of the controller. This typically includes provisions relating to the scope of the processing, the purposes for which the personal data will be used, the security measures that will be put in place to protect the personal data, and the rights of the data subjects.
Under the GDPR, a DPA is mandatory whenever a controller relies on a data processor.