
Under global privacy regulations like GDPR, what key legal document specifically outlines the obligations of both parties regarding the handling and protection of personal data processed by a third party?



The key legal document that specifically outlines the obligations of both parties regarding the handling and protection of personal data processed by a third party under global privacy regulations like the General Data Protection Regulation (GDPR) is called a Data Processing Agreement, often abbreviated as DPA, or sometimes referred to as a Data Processing Addendum. This legally binding contract is required when a Data Controller engages a Data Processor to perform processing activities on their behalf.

A Data Controller is the entity that determines the purposes and means of the processing of personal data, meaning they decide why and how personal data will be used. A Data Processor is the entity that processes personal data on behalf of, and strictly according to the instructions of, the Data Controller.

The DPA clarifies the responsibilities of each party to ensure compliance with data protection laws. It details the subject matter, duration, nature, and purpose of the processing, the types of personal data involved, and the categories of data subjects whose data is being processed. Crucially, the DPA mandates that the Data Processor can only process personal data based on the documented instructions of the Data Controller. It also outlines the Processor's obligations to implement appropriate technical and organizational security measures to protect the personal data, maintain confidentiality, assist the Controller in fulfilling their obligations (such as responding to data subject requests or conducting data protection impact assessments), notify the Controller of any personal data breaches, and delete or return all personal data to the Controller upon the termination of services.

For example, if a company (the Data Controller) uses a cloud service provider (the Data Processor) to store customer information, the DPA would legally obligate the cloud provider to protect that data according to the company's instructions and privacy regulations like the GDPR.


