Definition
A Data Processing Agreement (DPA) is required under GDPR Article 28 whenever a data controller engages a data processor to handle personal data on its behalf. The DPA defines how personal data must be processed, what security measures apply, and the responsibilities of each party.
In the context of debt collection:
Data Controller: The entity that determines the purposes and means of processing personal data. Clients are data controllers for debtor data because they decide to use Debitura for debt recovery.
Data Processor: The entity that processes personal data on behalf of the controller, following the controller's instructions. Debitura acts as a data processor for Clients.
Data Subject: The individual whose personal data is being processed. In debt collection, this is typically the Debtor.
When a DPA is required
Under GDPR Article 28, a written DPA must be in place before a data processor begins handling personal data on behalf of a data controller. For EU-based Clients using Debitura for debt collection, this means a DPA must be signed before uploading cases containing debtor personal data.
Debitura provides a self-service DPA wizard where Clients can generate, review, and digitally sign a DPA online. This process captures an immutable snapshot of company information at signing time and includes signature forensics (IP address, timestamp, user agent) for audit and compliance purposes.
Key elements of the Debitura DPA
| Element | Description |
|---|---|
| Parties | The Client (data controller) and Debitura LLC (data processor) |
| Purpose | Processing debtor personal data for debt collection services |
| Data categories | Debtor contact information, claim details, payment history, and communications |
| Processing instructions | Debitura processes data only as instructed by the Client and in accordance with the platform's debt collection workflows |
| Security measures | Technical and organisational measures to protect personal data, including audit trails and access controls |
| Sub-processors | Any third parties Debitura engages to assist with processing (disclosed in the DPA) |
| Data subject rights | Procedures for handling data subject requests (access, rectification, erasure) |
| Retention and deletion | Rules for how long data is kept and when it must be deleted |
Privacy policy requirements
Under GDPR Article 13, Clients must inform debtors about third-party processors handling their data. After signing a DPA, Clients receive a privacy policy snippet to add to their website. The snippet text varies based on whether the Client operates in an EU or non-EU context.
Confidentiality
Beyond the DPA, confidentiality is addressed in multiple agreements within the Debitura platform:
Standard Debt Collection Agreement (SDCA): Contains a confidentiality clause stating that all information exchanged under the agreement is confidential and shall not be disclosed to third parties without consent, except as required by law.
Partnership Agreement (Collection Partners): Requires Collection Partners to maintain the confidentiality of all information disclosed by Debitura, using such information solely for the purpose of providing services to Clients. This includes protecting sensitive data and not disclosing it to third parties without prior written consent.
Collection Partners and data processing
Collection Partners who receive cases from Debitura also process debtor personal data. The SDCA states that Debitura and the Collector (Collection Partner) will process personal data in accordance with applicable data protection laws (such as GDPR). Separate Data Processing Agreements may be signed upon request.
Currently, Debitura's self-service DPA wizard is implemented for Client-Debitura agreements. The system architecture supports future Partner-Debitura and Client-Partner DPAs without requiring code changes.
Impact by actor
Client
Acts as data controller for debtor personal data
Must sign a DPA with Debitura before uploading cases (EU requirement)
Must update privacy policy to inform debtors about Debitura as a processor
Retains ultimate responsibility for lawful data processing
Debitura
Debitura LLC (registered in Delaware, United States; EIN: 37-2213530) acts as data processor on behalf of Clients
Processes data only according to Client instructions and platform workflows
Provides the self-service DPA wizard for Clients
Maintains audit trails and security controls for compliance
Collection Partner
Processes debtor data as part of debt recovery activities
Bound by confidentiality obligations in the Partnership Agreement and SDCA
May sign separate DPAs upon request
Referral Partner
May handle client data through API integrations
Subject to data protection obligations based on their integration scope
See Referral Partners: Data privacy and DPA considerations for details
Debtor
Is the data subject whose personal data is processed
Has rights under GDPR including access, rectification, and erasure
Should be informed by the Client (via privacy policy) about Debitura's role as processor
Where to find DPA documents
Clients can access and sign their DPA through the self-service DPA wizard in the Debitura platform. After signing, Clients can download a PDF copy of the signed agreement. The signed PDF includes a SHA-256 hash so that the integrity of a downloaded copy can be verified against the record captured at signing time.
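The following is an added illustration, not Debitura's code, of the two mechanisms described on this page: the immutable snapshot of company information plus signature forensics (IP address, timestamp, user agent) captured by the DPA wizard, and the SHA-256 hash used to verify the signed agreement. Everything about the record layout is an assumption: it is assumed that the record stores a frozen copy of the company information, the forensics fields, a SHA-256 digest of the agreement text, and a SHA-256 digest over the whole record, and that verification simply recomputes both digests. All sample values are constructed.

```python
"""Added example (not Debitura's code): build and verify a DPA signing record.

Assumed record layout (hypothetical): a frozen copy of the company
information, the signature forensics named on the page, a SHA-256 digest of
the agreement text, and a SHA-256 digest over the whole record.
"""
import copy
import hashlib
import hmac
import json

# Constructed sample inputs; none of these values are real.
SAMPLE_AGREEMENT = (
    "Data Processing Agreement between Example Ltd (controller) "
    "and Processor Co (processor). Version 1."
)
SAMPLE_COMPANY = {"name": "Example Ltd", "country": "DK", "vat": "DK12345678"}
SAMPLE_FORENSICS = {
    "ip": "203.0.113.10",                      # documentation range, constructed
    "user_agent": "Mozilla/5.0 (example)",
    "timestamp": "2024-01-15T10:30:00+00:00",  # fixed so the example is deterministic
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_json(obj) -> bytes:
    # Deterministic serialisation (sorted keys, no whitespace) so the same
    # record always yields the same digest regardless of dict insertion order.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def build_signing_record(agreement_text: str, company_info: dict, forensics: dict) -> dict:
    """Capture what was signed: agreement digest, frozen company data, forensics."""
    record = {
        "agreement_sha256": sha256_hex(agreement_text.encode("utf-8")),
        # deepcopy: later edits to the live company profile must not change
        # what was on record at signing time (the "immutable snapshot").
        "company_snapshot": copy.deepcopy(company_info),
        "signature_forensics": copy.deepcopy(forensics),
    }
    # Digest over everything above; any later change to the snapshot or
    # forensics fields will no longer match this value.
    record["record_sha256"] = sha256_hex(canonical_json(record))
    return record


def verify_signing_record(record: dict, agreement_text: str) -> tuple:
    """Return (ok, reason). Recomputes both digests from the presented data."""
    if (not isinstance(record, dict) or "record_sha256" not in record
            or "agreement_sha256" not in record):
        return False, "malformed record"
    try:
        body = {k: v for k, v in record.items() if k != "record_sha256"}
        expected_record = sha256_hex(canonical_json(body))
        # compare_digest avoids leaking which prefix of the digest matched.
        if not hmac.compare_digest(expected_record, record["record_sha256"]):
            return False, "record digest mismatch (snapshot or forensics altered)"
        expected_agreement = sha256_hex(agreement_text.encode("utf-8"))
        if not hmac.compare_digest(expected_agreement, record["agreement_sha256"]):
            return False, "agreement text does not match recorded digest"
    except (TypeError, ValueError):
        return False, "malformed record"
    return True, "ok"


def snapshot_is_frozen() -> bool:
    """Show that editing the source profile after signing leaves the record intact."""
    live_profile = dict(SAMPLE_COMPANY)
    record = build_signing_record(SAMPLE_AGREEMENT, live_profile, SAMPLE_FORENSICS)
    live_profile["name"] = "Renamed Ltd"  # the controller updates its profile later
    ok, _ = verify_signing_record(record, SAMPLE_AGREEMENT)
    return ok and record["company_snapshot"]["name"] == "Example Ltd"


if __name__ == "__main__":
    rec = build_signing_record(SAMPLE_AGREEMENT, SAMPLE_COMPANY, SAMPLE_FORENSICS)
    print("record digest:", rec["record_sha256"])
    print("verify original:", verify_signing_record(rec, SAMPLE_AGREEMENT))
    print("verify edited text:", verify_signing_record(rec, SAMPLE_AGREEMENT + " Version 2."))
    print("snapshot frozen:", snapshot_is_frozen())
```

The two-digest design separates the two questions an auditor asks: "is this the agreement text that was signed?" (agreement digest) and "have the snapshot or forensics fields been edited since signing?" (record digest). Canonical JSON matters because a digest over a non-deterministic serialisation would fail verification spuriously.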
For step-by-step instructions, see Clients: How to request a Data Processing Agreement (DPA).
For broader information about Debitura's compliance practices, see Clients: Compliance and verification.
