GDPR Data Processing Agreement (DPA): Roles, Rules & Requirements – Part I

1. What Is a Data Processing Agreement (DPA)?

A Data Processing Agreement (DPA) is a legally binding contract required under the General Data Protection Regulation (GDPR) between a data controller and a data processor. Its main purpose is to ensure that any personal data shared with a processor is handled in full compliance with GDPR requirements and under the controller’s instructions.

To keep this guide manageable and reader-friendly, we’ve divided it into three parts, each covering four key sections. This structure will help you understand the core principles of a Data Processing Agreement (DPA) step by step—from the basics to advanced compliance measures. Please refer to the respective posts in the related posts section.

1.1 Definition under Article 28 of the GDPR

Under Article 28(3) of the GDPR, if a data controller (the entity deciding the purposes and means of processing personal data) appoints a processor (a third party processing data on its behalf), a written contract must be in place.

This contract—i.e., the DPA—must:

  • Clearly define the scope, duration, and nature of the processing.
  • Specify the types of personal data and categories of data subjects involved.
  • Outline the obligations and rights of both parties.

The DPA binds the processor to act only on the controller’s documented instructions and to implement appropriate technical and organizational measures to protect the data.

1.2 Difference Between Controller and Processor

Understanding the roles is critical in GDPR compliance:

  • Data Controller:
    The entity that determines the purposes and means of processing personal data. It has the primary responsibility for ensuring that personal data is processed lawfully.
    • Example: A European e-commerce company that collects customer data to fulfill orders.
  • Data Processor:
    A third party that processes personal data on behalf of the controller. It has no decision-making power over the data’s use.
    • Example: A cloud hosting provider storing the customer database for the e-commerce company.

The DPA serves to bridge the accountability gap between these two parties. While the controller carries the overall responsibility, the processor must be contractually obligated to meet GDPR standards.

1.3 Why a DPA Is Required Under GDPR

The DPA is not just a formality—it’s a legal obligation and a core part of GDPR’s accountability principle (Article 5(2)).

Without a valid DPA:

  • The data controller is in breach of GDPR for failing to protect data properly.
  • The processor lacks legal grounding to handle the data.
  • Both parties may face fines, data subject claims, and reputational damage.

Additionally, the DPA serves as evidence of compliance during audits or regulatory inquiries by a Data Protection Authority (DPA in the legal sense, not to be confused with the Data Processing Agreement).


2. When Is a Data Processing Agreement (DPA) Required?

A Data Processing Agreement (DPA) is required whenever a data controller (the party determining the purpose and means of processing personal data) engages a data processor (the party that processes the data on the controller’s behalf). Under the General Data Protection Regulation (GDPR), this agreement is not optional—it is a legal requirement whenever data is being outsourced or handled by an external party.

2.1 Scenarios Where a DPA Is Legally Mandatory

There are many situations in which a DPA is required under Article 28 of the GDPR. Below are some of the most common scenarios where businesses must have a DPA in place:

1. Outsourcing Data Processing Functions

Whenever a business outsources any of its data processing activities to a third party (even if it’s a subcontractor or sub-processor), a DPA is necessary. The agreement ensures that both the controller and processor are on the same page regarding data protection obligations and risks.

Example:
  • A company decides to use a third-party payroll processor to handle employee salaries, taxes, and benefits. The payroll service will be processing personal data, and a DPA must be signed between the company (controller) and the payroll service provider (processor).

2. Using Cloud Service Providers

Cloud service providers (such as AWS, Microsoft Azure, or Google Cloud) often process and store sensitive personal data on behalf of clients. When businesses use these services, they must have a DPA in place to ensure that data is protected according to GDPR standards.

Example:
  • An e-commerce business uses a cloud hosting provider to store customer information and order history. The hosting provider becomes a data processor, and a DPA is required to outline how they will handle the data.

3. Software as a Service (SaaS) Providers

Many businesses use SaaS applications (e.g., CRM, email marketing tools, customer support platforms) that process personal data. SaaS providers are considered processors, and a DPA is essential to guarantee that they only process data as instructed by the business (controller).

Example:
  • A business uses Salesforce as a CRM tool, storing customer data and communication histories. A DPA is required with Salesforce to outline their responsibilities and compliance with GDPR.

4. Marketing and Advertising Service Providers

Third-party marketing or advertising agencies that process personal data for targeted campaigns must also have a DPA in place. This includes email marketing platforms, online advertising networks, or data analysis providers.

Example:
  • A company hires an email marketing platform to manage email campaigns for potential customers. Since the platform processes personal data (email addresses, names, etc.), a DPA is required to ensure GDPR compliance.

5. Payment Processors

Businesses that rely on external payment processors (such as Stripe, PayPal, or credit card companies) must ensure that a DPA is in place, especially since payment processing involves the handling of personal and financial data.

Example:
  • A retail business uses Stripe to process customer payments. Stripe is a data processor and requires a DPA to establish its data handling obligations.

6. Customer Support and Call Centers

If a business outsources customer service operations or uses a third-party call center, a DPA is mandatory to define how customer data (e.g., names, order details, and payment information) will be handled and protected.

Example:
  • A company outsources customer support services to a third-party call center. A DPA will ensure that the call center processes customer data securely and in compliance with GDPR.

2.2 Risks of Not Having a DPA in Place

Failing to have a proper DPA when required can expose both the controller and the processor to significant risks. The following are some of the major consequences of not having a DPA:

1. Regulatory Fines

Under GDPR, failing to have a DPA in place is a violation of the regulation. Supervisory authorities (e.g., the European Data Protection Board (EDPB) or national DPAs) can impose heavy fines for non-compliance. Penalties for breaching Article 28 (failure to have a valid contract with processors) can reach up to €20 million or 4% of global turnover—whichever is greater.

2. Increased Liability

Without a DPA, the controller can be held fully liable for any data breaches or mismanagement of personal data by the processor. If something goes wrong, the processor may not be legally obligated to take responsibility, leaving the controller at risk for the full consequences (including potential claims from affected individuals).

3. Loss of Data Subject Trust

Customers and data subjects expect businesses to handle their personal data responsibly. Without a DPA, the controller cannot demonstrate to their customers that their data is being processed in accordance with GDPR, which can result in damaged reputation, loss of trust, and even a decrease in business.

4. Inability to Prove Compliance

Without a DPA, a company would have difficulty proving its GDPR compliance during an audit. Supervisory authorities will expect documentation showing that the data processor is acting in compliance with GDPR requirements, and a DPA is key evidence of this.

5. Legal Action and Compensation Claims

Data subjects (e.g., customers or employees whose data is processed) have the right to take legal action against both the controller and processor for non-compliance with GDPR. Without a DPA, businesses may struggle to defend themselves against compensation claims or legal disputes regarding data mishandling.

6. Data Breach and Security Risks

If a DPA is not in place, the processor may not be required to follow the proper data security and confidentiality protocols. In case of a data breach, the controller might find it difficult to take legal action against the processor or get assistance with breach reporting and mitigation efforts.


3. Key Legal Basis for a Data Processing Agreement (DPA)

A Data Processing Agreement (DPA) is legally mandated by the General Data Protection Regulation (GDPR) to ensure that when a data controller engages a data processor to handle personal data, both parties are bound by clear, enforceable terms that safeguard the rights of data subjects.

3.1 Article 28(3) of the GDPR – Mandatory Clauses

The core legal basis for the DPA comes from Article 28(3) of the GDPR, which specifically outlines the mandatory clauses that must be included in any contract between a data controller and a data processor.

Under Article 28(3), the data processor must be required to:

  1. Process Data Only on the Controller’s Instructions
    • The processor is only permitted to process the data as instructed by the controller. The DPA must clearly define the scope, purpose, and nature of processing.
    • Example: A payroll processor must only use the employee data for payroll processing and not for any other purposes (e.g., marketing).
  2. Ensure Confidentiality
    • The processor must ensure that individuals involved in processing the data (including employees, contractors, etc.) maintain confidentiality about the data.
    • Example: The processor’s employees should not disclose sensitive personal data without proper authorization.
  3. Implement Security Measures
    • The processor is responsible for ensuring that appropriate technical and organizational measures are in place to safeguard the data.
    • These measures must ensure the security of personal data in line with Article 32 (security of processing).
    • Example: Encrypting sensitive data in storage and transit to prevent unauthorized access.
  4. Assist the Controller with Data Subject Rights
    • The processor must assist the controller in fulfilling data subject requests, such as requests for data access, rectification, deletion, and data portability.
    • Example: If a data subject requests to access their data, the processor must provide assistance to the controller in facilitating this request.
  5. Return or Delete Personal Data at the End of Processing
    • The processor must either return or delete personal data after completing the processing, unless a legal obligation requires the data to be retained.
    • Example: After providing cloud storage for data, the processor should delete or securely return the data to the controller upon contract termination.
  6. Allow Audits and Inspections
    • The DPA must grant the data controller the right to conduct audits, inspections, and data protection assessments of the processor’s operations to ensure compliance with the terms of the agreement.
    • Example: The controller can audit a third-party service provider to confirm they are implementing the security measures outlined in the DPA.
  7. Use of Sub-processors
    • If the processor wants to engage any sub-processors to assist in processing, the DPA must outline the terms of authorization and the controller’s rights to approve or reject these sub-processors.
    • Example: A cloud service provider using a third-party backup service would need explicit approval from the controller before engaging the backup service.

3.2 Relationship to the Accountability Principle (Article 5(2))

The Accountability Principle in Article 5(2) of the GDPR plays a critical role in shaping the relationship between the controller, the processor, and the DPA.

Accountability Principle (Art. 5(2)):

  • This principle states that the data controller is responsible for ensuring compliance with GDPR and for being able to demonstrate this compliance. In other words, the controller must show that all processing activities it conducts (or that are conducted on its behalf) are GDPR-compliant.
  • The DPA helps implement the accountability principle by ensuring that the controller has established clear, enforceable terms for processing and by guaranteeing that the processor adheres to the requirements for protecting personal data.

How the DPA Aligns with Accountability:

  • Record Keeping: The DPA serves as evidence that the controller has taken steps to ensure that data is processed in compliance with GDPR, fulfilling the controller’s responsibility under the accountability principle.
  • Risk Management: Through the DPA, the controller ensures that processors only process data in secure ways, reducing the risk of non-compliance.
  • Audit Rights: The ability to audit and inspect the processor’s activities (stipulated in the DPA) is a key tool in ensuring compliance with the accountability principle. This gives the controller oversight and allows them to demonstrate that third-party processing arrangements comply with GDPR.

3.3 Role in Demonstrating Compliance

A DPA is more than just a contract—it is a key tool for a controller to demonstrate compliance with GDPR. Since GDPR Article 5(2) emphasizes accountability, the DPA is a direct mechanism that helps the controller show they are fulfilling their obligations under the regulation.

Key Ways a DPA Demonstrates Compliance:

  1. Legal Documentation:
    • The DPA serves as tangible evidence that the controller has taken the necessary legal steps to ensure compliance when engaging a processor.
    • The controller must be able to demonstrate that they’ve conducted due diligence in selecting processors who can meet GDPR standards and have a legally binding agreement in place.
  2. Transparency with Data Subjects:
    • The DPA helps ensure that data processing activities are carried out lawfully, fairly, and transparently, as required by Article 5 of the GDPR.
    • By having a comprehensive DPA, the controller can more easily explain how personal data is processed, handled, and protected, fulfilling the transparency requirement to data subjects.
  3. Audit Trails:
    • The DPA allows for auditing and monitoring of the processor’s activities, ensuring they comply with the agreed-upon data protection measures. This supports ongoing GDPR compliance.
    • In the event of an audit or investigation by a supervisory authority, the DPA provides documentation that the business has been actively managing and monitoring data processing activities to comply with the GDPR.
  4. Managing Third-Party Risk:
    • A DPA is crucial for mitigating the risks involved when using third-party services that process personal data. By ensuring that security protocols and data protection measures are in place, the DPA helps reduce the risk of data breaches or violations.
  5. Enforcing Data Subject Rights:
    • The DPA outlines specific provisions for assisting the data controller in handling data subject rights (e.g., the right to erasure or data access). This ensures that the controller remains compliant with data subject rights requirements under Articles 15–22 of the GDPR.

4. Essential Elements of a GDPR-Compliant DPA

A Data Processing Agreement (DPA) is not just a formality—it must contain several essential elements to ensure that both the controller and the processor are complying with GDPR requirements. These provisions help define the specific terms of the relationship, ensuring clarity and reducing legal risk for both parties.

Here are the key components that must be included in a GDPR-compliant DPA:


4.1. Subject Matter and Duration of Processing

What It Covers:

The subject matter of the processing outlines what the data processor will be doing with the personal data, while the duration specifies how long the data processing will last.

Why It’s Important:
  • Transparency: The controller needs to make clear to the processor what exactly they will be processing and how long the processing will occur. This aligns with the transparency principle in the GDPR.
  • Legal Basis: Defining the duration ensures that the data processing is lawful and respects the storage limitation principle (i.e., personal data should not be kept for longer than necessary).
What Must Be Included:
  • Subject Matter: A description of the specific activities the processor will perform (e.g., storing, accessing, analyzing, etc.).
  • Duration of Processing: The term for which the processor will handle the data. This could be a set period or until the processing contract is terminated.
Example:
  • “The processor will store and manage customer data for the duration of the service agreement, after which the data will be returned or deleted as per the controller’s instructions.”

4.2. Nature and Purpose of Processing

What It Covers:

The nature of processing refers to the method or actions used to process personal data, and the purpose refers to why the data is being processed in the first place.

Why It’s Important:
  • Clear Scope: This ensures the processor understands the exact purpose for processing personal data and does so exclusively for that purpose, aligning with the principle of purpose limitation (Article 5(1)(b) of the GDPR).
  • Risk Mitigation: By clarifying the nature and purpose, the controller ensures the data processing activities are controlled, legal, and ethical.
What Must Be Included:
  • Nature of Processing: A description of what kind of processing activities will take place (e.g., storing, organizing, retrieving, or analyzing data).
  • Purpose of Processing: A description of the specific purpose(s) for which the data is processed (e.g., providing a service, fulfilling a contract, managing marketing campaigns).
Example:
  • “The processor will store personal data to provide customer support services, process orders, and fulfill legal and regulatory obligations on behalf of the controller.”

4.3. Types of Personal Data and Categories of Data Subjects

What It Covers:

This section specifies the types of personal data involved in the processing, as well as the categories of data subjects whose data is being processed.

Why It’s Important:
  • Data Minimization: This section ensures the controller is only providing data that is necessary and relevant for the processor’s tasks.
  • Special Categories of Data: If the processor will handle any special categories of data (e.g., health data, racial data), this section needs to explicitly address those to ensure higher standards of protection.
  • Informed Consent: Clarifying the data subject categories ensures that all parties understand whose personal data is involved and can act accordingly to protect those individuals’ rights.
What Must Be Included:
  • Types of Personal Data: This should list the exact types of personal data being processed (e.g., name, contact details, financial information, health data, etc.).
  • Categories of Data Subjects: The specific individuals whose data will be processed, such as employees, customers, or website users.
  • If any special categories of data are processed (e.g., data concerning health, race, or political views), this must be clearly noted.
Example:
  • “The processor will handle customer personal data, including names, email addresses, and payment information, related to customers of the controller’s e-commerce platform. No special categories of personal data will be processed.”

4.4. Obligations and Rights of the Controller

What It Covers:

This section outlines the responsibilities and rights of the data controller in relation to the processing activities.

Why It’s Important:
  • Controller Accountability: The controller remains ultimately responsible for data protection compliance, so the agreement must outline their duties to ensure the processor is following GDPR requirements.
  • Clear Expectations: This section helps prevent misunderstandings by making clear what the controller can expect from the processor and what actions they must take to ensure data protection.
What Must Be Included:
  • Controller’s Instructions: The processor must follow the controller’s written instructions for data processing. This should be clearly stated, and any changes to the processing instructions must be agreed upon in writing.
  • Data Protection Obligations: The controller must ensure that the processor complies with GDPR, including verifying the processor’s ability to meet data security and protection requirements.
  • Rights to Audit and Inspection: The controller must have the right to conduct audits or inspections to ensure compliance.
Example:
  • “The controller is responsible for ensuring the processor complies with all applicable data protection laws, including providing written instructions regarding the handling and processing of customer data. The controller also has the right to audit the processor’s data processing activities.”

Additional Essential Elements to Consider

While these are the key elements, several other provisions should also be included in a GDPR-compliant DPA, including:

  1. Security Measures: Specifies the technical and organizational measures the processor must implement to protect personal data (GDPR Article 32).
  2. Use of Sub-processors: Specifies the conditions under which the processor can use sub-processors (e.g., third-party vendors), and the controller’s rights to approve such sub-processors.
  3. Data Breach Notification: Outlines the processor’s obligation to notify the controller of any personal data breaches (GDPR Article 33).
  4. International Data Transfers: If data is being transferred outside the European Economic Area (EEA), the DPA should include provisions to ensure that the data is adequately protected in line with GDPR’s rules on international data transfers (Articles 44–50).

5. Obligations of the Processor

Under the General Data Protection Regulation (GDPR), a data processor is an entity that processes personal data on behalf of a data controller. Because processors handle data they do not “own,” the GDPR imposes strict contractual obligations on them to ensure data protection, security, and compliance.

These obligations must be clearly outlined in the Data Processing Agreement (DPA) and are legally binding.

5.1. Only Act on the Controller’s Documented Instructions

What it Means:

A processor must only process personal data according to the written instructions of the controller. This is a core principle of GDPR and ensures that the processor cannot act independently or use the data for their own purposes.

Why it Matters:

  • Prevents unauthorized use or disclosure of data.
  • Ensures the controller retains control over how and why personal data is processed.

In the DPA:

  • The contract should clearly state that processing must occur only on documented instructions, including with regard to international transfers.
  • The processor must also notify the controller if they believe an instruction violates GDPR.

5.2. Confidentiality

What it Means:

The processor must ensure that any person authorized to process personal data (e.g., employees, contractors) is subject to a duty of confidentiality.

Why it Matters:

  • Reduces risk of data leaks or breaches by ensuring all personnel understand the importance of protecting data.
  • Supports compliance with Article 5(1)(f) (integrity and confidentiality).

In the DPA:

  • The agreement should state that all personnel must be bound by confidentiality obligations, either by law or contract.

5.3. Sub-processors (Approval and Flow-down Obligations)

What it Means:

If a processor wants to engage a sub-processor (another party to help with the processing), they must:

  • Obtain the controller’s prior written authorization.
  • Enter into a contract with the sub-processor that includes the same data protection obligations (so-called “flow-down” requirements).

Why it Matters:

  • Ensures that all parties in the processing chain uphold the same level of data protection.
  • Gives the controller oversight and control over who else is accessing the data.

In the DPA:

  • Must state that the processor cannot appoint sub-processors without prior approval.
  • Must ensure flow-down of obligations so sub-processors are bound to the same terms as the main processor.

5.4. Data Security (Reference to Article 32)

What it Means:

The processor must implement appropriate technical and organizational measures to protect personal data, as required under Article 32 of the GDPR.

Why it Matters:

  • Protects data against accidental loss, unauthorized access, alteration, or destruction.
  • Builds trust with data subjects and reduces risk of data breaches.

Security Measures May Include:

  • Encryption of data at rest and in transit
  • Access controls and user authentication
  • Regular security audits
  • Incident response protocols

In the DPA:

  • Should reference Article 32 explicitly and describe the specific measures in place.
  • Can include an annex or appendix detailing these security practices.

5.5. Assistance with Data Subject Rights

What it Means:

Processors must help the controller respond to data subject requests under Articles 12–22 of GDPR, including:

  • Right of access
  • Right to rectification
  • Right to erasure (right to be forgotten)
  • Right to data portability
  • Right to object
  • Right to restriction of processing

Why it Matters:

  • Ensures data subjects can exercise their rights even if data is handled by a third party.
  • Prevents the controller from being in breach due to processor inaction.

In the DPA:

  • Must state that the processor will provide reasonable assistance to the controller.
  • Should outline timeframes and processes for handling requests.

5.6. Deletion or Return of Data After Processing Ends

What it Means:

At the end of the processing relationship, the processor must either:

  • Return the personal data to the controller, or
  • Delete it securely, unless retention is required by law.

Why it Matters:

  • Prevents indefinite storage of personal data without purpose.
  • Reduces data breach risks once the service relationship ends.

In the DPA:

  • Must clearly state what happens to the data after the contract ends.
  • Should include provisions on secure deletion methods or data return timelines.

5.7. Audit and Inspection Rights

What it Means:

The processor must allow the controller (or a designated auditor) to conduct audits or inspections of the processor’s data protection practices and systems.

Why it Matters:

  • Allows the controller to verify compliance with GDPR and the DPA.
  • Supports the accountability and transparency principles under Article 5(2).

In the DPA:

  • Should specify the controller’s right to inspect or audit the processor.
  • May include limits such as reasonable notice, frequency, or the use of third-party auditors.


6. Sub-Processing Clauses in a GDPR-Compliant DPA

When a data processor wishes to engage another party (a sub-processor) to help fulfill their processing tasks, GDPR requires this to be handled with strict safeguards. These safeguards must be clearly outlined in the Data Processing Agreement (DPA) between the data controller and the processor.

Sub-processing clauses help maintain accountability, transparency, and control across all layers of data handling.


6.1 Difference Between a Processor and a Sub-Processor

  • Processor: An entity that processes personal data on behalf of a data controller.
  • Sub-Processor: An entity that is contracted by a processor to carry out part of the processing activities on behalf of the controller.

Relationship Chain: Controller → Processor → Sub-Processor

For example, if a company (controller) hires a payroll service (processor), and that service uses a cloud platform for storage (sub-processor), the cloud provider is a sub-processor.


6.2 Prior Authorization vs General Authorization

Under Article 28(2) of the GDPR, processors can only engage sub-processors with the controller’s written authorization. There are two approaches:

1. Prior Specific Authorization

  • The processor must seek explicit approval from the controller for each individual sub-processor.
  • Suitable for high-risk processing or when the controller wants tight control.
  • Can cause delays due to approval cycles.

Example Clause:

“The Processor shall not engage any sub-processor without obtaining the Controller’s specific prior written authorization.”

2. General Authorization

  • The processor may engage sub-processors at its discretion, but must notify the controller in advance, giving them the opportunity to object.
  • Provides more flexibility, especially in dynamic environments like SaaS or DevOps.

Example Clause:

“The Controller grants the Processor general authorization to engage sub-processors. The Processor shall inform the Controller of any intended changes, thereby giving the Controller an opportunity to object.”


6.3 Flow-Down Obligations to Sub-Processors

Processors must ensure that any sub-processor is contractually bound to meet the same data protection obligations as set out in the DPA between the controller and processor.

These are known as “flow-down” obligations and must cover:

  • Confidentiality
  • Security measures (Art. 32)
  • Assistance with data subject rights
  • Return or deletion of data
  • Audit rights, if appropriate

GDPR Reference: Article 28(4)

This ensures:

  • The controller’s data protection requirements are preserved throughout the processing chain.
  • Sub-processors are held accountable just like primary processors.

Example Clause:

“The Processor shall enter into a written agreement with each sub-processor imposing the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures.”


6.4 Sub-Processing Chains in SaaS Ecosystems

In modern SaaS ecosystems, sub-processing is almost inevitable. A single SaaS vendor might use multiple third parties for:

  • Hosting (e.g., AWS, Azure)
  • Email delivery (e.g., SendGrid, Mailgun)
  • Error tracking (e.g., Sentry)
  • Customer analytics (e.g., Mixpanel)

This leads to multi-layered sub-processing chains, often involving:

  • 4–5 vendors for even a single service.
  • Cross-border data transfers, triggering Standard Contractual Clauses (SCC) or Transfer Impact Assessment (TIA) obligations.

Best Practices for SaaS Vendors:

  • Maintain and publish a sub-processor list on your website.
  • Offer notification mechanisms (e.g., email updates) for changes.
  • Include opt-out or objection procedures for controllers.

Controller Tip: Always review the vendor’s list of sub-processors and assess their roles, locations, and contractual safeguards.