1. What Is a Data Processing Agreement (DPA)?
Welcome to Part II of our series on Data Processing Agreements (DPA): Key Roles, Regulations, and Requirements.
In this section, we’ll dive deeper into the specifics of what a Data Processing Agreement (DPA) entails. A DPA is a legally binding contract required under the General Data Protection Regulation (GDPR) between a data controller and a data processor. Its main purpose is to ensure that any personal data shared with a processor is handled in full compliance with GDPR requirements and under the controller’s instructions.
2. DPA vs SCCs vs AVV: Understanding the Differences and Connections
When working toward GDPR compliance, especially in international or cross-border data processing scenarios, terms like DPA, SCCs, and AVV frequently arise. While they are related, they serve different legal purposes under the GDPR and are used in different contexts.
2.1. Data Processing Agreement (DPA)
A DPA is a mandatory contract under Article 28 of the GDPR that governs the relationship between a data controller and a data processor.
2.1.1 Purpose:
- Sets out roles, responsibilities, and data protection obligations of both parties.
- Ensures processors only act on the controller’s instructions and maintain proper safeguards.
2.1.2 When it’s required:
- Always when a controller engages a processor (e.g., a business using a third-party CRM, payroll provider, or cloud host).
2.2. Standard Contractual Clauses (SCCs)
SCCs are EU-approved legal tools for making international transfers of personal data outside the EEA lawful under Chapter V of the GDPR.
2.2.1 Purpose:
- Safeguards data transfers to third countries (e.g., India or the U.S.) that don’t have an EU adequacy decision.
- Contains detailed commitments from the data importer (recipient) to handle personal data per EU standards.
2.2.2 When it’s required:
- When personal data is transferred internationally to a third country without an adequacy decision.
- SCCs supplement the DPA, not replace it.
2.3. AVV (Auftragsverarbeitungsvertrag) – German Term for DPA
AVV stands for “Auftragsverarbeitungsvertrag”, which literally translates to “commissioned data processing contract” or processing agreement.
2.3.1 Why it’s useful:
- This is the German equivalent of a DPA.
- Especially important when dealing with German clients or German subsidiaries who expect GDPR documentation in German or in line with local terminology.
2.3.2 AVV ≈ DPA:
They are the same in substance and purpose—just different terminology based on language and jurisdiction.
How They All Fit Together
Tool | Function | Required When | Relation to Others |
---|---|---|---|
DPA (AVV) | Regulates processing between controller & processor | Always when outsourcing processing | Core GDPR requirement |
SCCs | Enables legal international data transfers | When data leaves the EEA to non-adequate countries | Supplements the DPA |
AVV | German-language DPA | When working with German entities | Linguistic/local version of DPA |
When You Need Both DPA and SCCs
You need both a DPA and SCCs when:
- A controller in the EU engages a processor located outside the EEA (e.g., India, the U.S.).
- The processor’s location lacks an EU adequacy decision.
Example Scenario:
A German company (controller) outsources HR analytics to an Indian vendor (processor).
You need:
- AVV/DPA → to define roles and responsibilities under Art. 28.
- SCCs → to legitimize the international data transfer to India.
Often, SCCs are annexed to or integrated into the DPA to streamline documentation.
Final Tip for Clients or Drafting
- If you’re preparing GDPR documentation for EU to non-EU processing:
  - Draft a DPA (or AVV) to meet Article 28 obligations.
  - Attach SCCs as the legal mechanism for international transfers.
  - Consider adding a Transfer Impact Assessment (TIA) to assess local laws in the recipient country.
3. International Transfers and DPAs: What You Need to Know
While a Data Processing Agreement (DPA) is a core requirement under Article 28 GDPR, it is not enough when personal data is transferred from the EU/EEA to a third country (i.e., a country without an adequacy decision). In such cases, additional safeguards are required to comply with Chapter V of the GDPR.
3.1 DPA as a Foundation – But Not Sufficient Alone
A DPA ensures that the relationship between the controller and processor is GDPR-compliant, detailing roles, responsibilities, and obligations.
However, it does not address the risks associated with transferring personal data internationally—especially when data moves outside the EU/EEA to jurisdictions without the same level of data protection (e.g., the U.S., India, or the Philippines).
💡 Think of the DPA as the baseline contract. It governs processing wherever it occurs, but if the data is leaving the EU, you need additional legal mechanisms.
3.2 The Role of SCCs and BCRs in Cross-Border Transfers
To legally transfer personal data to countries without adequacy decisions, you must implement “appropriate safeguards” under Article 46 GDPR. The two most commonly used mechanisms are:
3.2.1. Standard Contractual Clauses (SCCs)
- SCCs are pre-approved legal templates provided by the European Commission.
- Bind the data exporter (EU-based) and importer (non-EU-based) to strict privacy obligations.
- Most widely used tool for EU → non-EU data transfers.
- Can be used in controller-to-processor, controller-to-controller, or processor-to-processor transfers.
When to use:
✔ You’re sending personal data to a third country without adequacy (e.g., hosting data in India or the U.S.).
3.2.2. Binding Corporate Rules (BCRs)
- Internal policies approved by EU regulators that allow multinational groups to make intra-group transfers.
- Designed for large organizations with complex internal data flows.
- Costly and time-consuming to set up, but very effective for long-term compliance.
When to use:
✔ You’re part of a multinational corporate group needing global intra-company data sharing.
3.3 The Tie-In With TIA (Transfer Impact Assessment)
Since the Schrems II judgment (2020), the mere use of SCCs is not sufficient. You must also conduct a Transfer Impact Assessment (TIA) to:
- Evaluate the laws and practices in the recipient country.
- Determine if the SCCs offer sufficient protection in practice.
- Identify if supplementary measures are needed (encryption, pseudonymization, etc.).
3.3.1 Why it matters:
If the legal environment in the destination country allows excessive government surveillance (e.g., U.S. under FISA 702), you must assess and mitigate this risk.
How It All Comes Together
Document | Purpose | When Required |
---|---|---|
DPA | Defines controller–processor relationship | Always when using a processor |
SCCs | Legal basis for international data transfer | When transferring data outside EEA to non-adequate countries |
BCRs | Group-wide transfer mechanism | For multinational intra-group transfers |
TIA | Risk assessment of third-country laws | Always when using SCCs (post-Schrems II) |
Practical Example
You run a SaaS company based in Germany. Your service stores customer data in AWS India.
What you need:
- DPA/AVV between your business and AWS as a processor.
- SCCs between your EU entity and AWS India.
- A TIA assessing Indian surveillance laws, AWS security controls, and whether encryption is sufficient.
Key Takeaways
- A DPA is essential for setting processor obligations—but it doesn’t authorize international transfers.
- Use SCCs or BCRs for lawful cross-border data flows.
- Always perform a Transfer Impact Assessment (TIA) when using SCCs.
- Supplementary technical and organizational measures may be needed based on TIA results.