Why do we need a DPA (Data Processing Agreement) before we can use a tool?

The GDPR requires parties to agree on measures that ensure the protection of the personal data they handle. When outsourcing certain data processing activities, organisations must be able to demonstrate that the processing of personal data is carried out in a GDPR-compliant manner. This can be achieved by signing a Data Processing Agreement.

A DPA serves to regulate the particularities of (personal) data collection and processing – i.e., scope and purpose, and the rights and obligations between the parties. For TU Delft, it is a way of ensuring that all data of TU Delft employees and students are collected, processed and stored by an external supplier according to the GDPR. By signing a DPA, TU Delft assigns data handling obligations including:

  1. the requirement to comply with the GDPR;
  2. the application of security and privacy measures according to the TU Delft standards; and
  3. the implementation of the TU Delft data breach notification procedure.