Data Processing Agreement

A data processing agreement (DPA) is the written contract you must have with any supplier that processes personal data on your behalf. It is a requirement under GDPR Article 28, and without one you risk fines and a lack of control over your data.

    What is a data processing agreement?

    A data processing agreement (DPA) is a legally binding contract between a data controller and a data processor. It governs how the processor handles personal data on behalf of the controller and is mandatory under GDPR Article 28.

    The DPA ensures that the processor cannot use the data for its own purposes and that appropriate safeguards are in place. Without a valid DPA, the controller risks regulatory fines and, more importantly, loses contractual control over how personal data is handled.

    What must a DPA contain?

    GDPR Article 28(3) specifies the minimum content of a data processing agreement:

    • Subject matter and duration: A clear description of what the processing covers and how long it lasts.
    • Nature and purpose: The type of processing (e.g. storage, transmission, analysis) and its purpose.
    • Categories of data and data subjects: Which types of personal data are processed and which groups of individuals are affected.
    • Controller’s instructions: The processor may only process data in accordance with the controller’s documented instructions.
    • Confidentiality: Persons authorised to process the data must be bound by confidentiality obligations.
    • Security measures: The processor must implement appropriate technical and organisational measures to protect the data.
    • Sub-processors: Rules governing the processor’s use of sub-processors, including prior authorisation requirements.
    • Data subject rights: The processor must assist the controller in fulfilling data subjects’ rights (access, rectification, erasure, etc.).
    • Deletion or return: Upon termination, the processor must delete or return all personal data.
    • Audit rights: The controller must have the right to audit the processor’s compliance with the agreement.

    Who is responsible for the DPA?

    The data controller bears the primary responsibility for ensuring that a valid DPA is in place with every data processor. In practice this means that your organisation must identify all suppliers that process personal data on your behalf and ensure each has a compliant agreement.

    Common mistakes

    The most frequently encountered errors with data processing agreements include:

    • Missing agreements: Many organisations simply do not have DPAs with all their processors, particularly for SaaS tools and cloud services.
    • Generic or outdated templates: Using a standard template without tailoring it to the specific processing relationship.
    • Unclear sub-processor provisions: Failing to address how and when the processor may engage sub-processors.
    • No audit clause: Omitting the controller’s right to verify the processor’s compliance.
    • Ignoring data transfers: Not addressing transfers of personal data to third countries outside the EEA.


    Tip:
    Review your DPAs at least annually and whenever the scope of processing changes. A DPA is not a document you sign once and forget — it must reflect the current processing relationship.

    Frequently asked questions about data processing agreements

    What is a data processing agreement?

    A data processing agreement (DPA) is a legally binding contract between a data controller and a data processor. It is required by GDPR Article 28 and governs how the processor handles personal data on behalf of the controller.

    When do I need a DPA?

    You need a DPA whenever an external party processes personal data on your behalf. This includes cloud services, payroll providers, email marketing platforms, CRM systems and any other supplier that accesses or stores personal data for you.

    What happens if I do not have a DPA?

    Without a valid DPA, you are in breach of GDPR Article 28. This can result in regulatory fines and means you have no contractual control over how the processor handles your personal data.

    Who is responsible for drafting the DPA?

    The data controller is responsible for ensuring a valid DPA is in place. In practice, many processors provide their own standard DPA, but the controller must review it to ensure it meets GDPR requirements.

    How often should a DPA be reviewed?

    A DPA should be reviewed at least annually and whenever the scope, nature or purpose of the processing changes. It must accurately reflect the current processing relationship at all times.
