Data Processing Agreement: Complete Guide

Everything you need to know about Data Processing Agreements (DPAs), including when you need one, required clauses, and GDPR Article 28 requirements.

14 min read Updated April 2026

What Is a Data Processing Agreement?

A Data Processing Agreement (DPA) is a legally binding contract that establishes the rights and obligations between a data controller and a data processor regarding the processing of personal data. It ensures that personal data is handled in compliance with data protection laws, particularly the GDPR.

DPAs are essential because they allocate responsibility for data protection between parties. When you share personal data with another organization to process it on your behalf, a DPA ensures that organization protects that data adequately.

DPA Key Facts

  • Legal Basis: GDPR Article 28
  • Parties: Controller (you) and Processor (vendor)
  • Purpose: Define data processing rules and responsibilities
  • Required: When processing personal data on behalf of others
  • Enforcement: Can lead to regulatory fines if missing

When Do You Need a DPA?

You need a DPA whenever you engage another organization to process personal data on your behalf. This includes:

Common Scenarios Requiring DPAs

  • Cloud Services: SaaS platforms, cloud hosting, storage
  • Analytics: Google Analytics, Mixpanel, similar tools
  • Marketing: Email marketing platforms, CRM systems
  • Payment Processing: Payment gateways, processors
  • Customer Support: Helpdesk software, chat platforms
  • HR/Payroll: Payroll providers, HR systems
  • Development: Software vendors, IT support
  • Data Analysis: Data warehouses, BI tools

Key Question

Ask yourself: "Does this vendor process personal data on our behalf for a specific purpose?"

If yes, you likely need a DPA. This includes any service where:

  • The vendor accesses personal data you collect
  • The vendor processes data according to your instructions
  • The vendor determines how to process the data only as you direct

Important

Even free tools often process personal data and may require DPAs. Review your entire vendor stack, not just paid services, to ensure all data processing relationships are covered.

GDPR Article 28 Requirements

Article 28 of the GDPR specifies what must be included in a Data Processing Agreement. These are mandatory requirements, not suggestions.

Mandatory DPA Elements

Article 28(3) requires the processing to be governed by a contract (or other legal act) that includes:

1. Subject Matter and Duration

  • Subject matter: What the processing involves
  • Duration: How long processing will occur
  • Nature and purpose: Why the processing happens

2. Type of Personal Data and Data Subjects

  • Categories of data: What types of personal data
  • Data subjects: Whose data (employees, customers, etc.)
  • Special categories: Any sensitive or protected data

3. Controller's Rights and Obligations

The contract must specify that the controller:

  • Will only provide processing instructions that comply with law
  • Ensures data subjects can enforce their rights through the controller
  • Will make appropriate arrangements for lawful processing

4. Processor Obligations

The processor must commit to:

  • Process only on documented instructions
  • Ensure confidentiality of personnel
  • Implement appropriate security measures
  • Engage sub-processors only with controller consent
  • Assist controller with data subject requests
  • Assist with GDPR compliance (security, breach, DPIA)
  • Delete or return data at end of contract
  • Make information available for audits

Key Clauses Required in a DPA

A comprehensive DPA should include these essential clauses:

Essential Clauses

  • Definitions and interpretations
  • Subject matter and scope of processing
  • Duration of processing
  • Nature and purpose of processing
  • Categories of data subjects
  • Types of personal data
  • Controller obligations
  • Processor obligations

Operational Clauses

  • Data security and confidentiality
  • Personnel and training
  • Sub-processor authorization
  • Data subject rights assistance
  • Compliance assistance
  • Audit and inspection rights
  • Data breach notification
  • Data return and deletion

Data Security Requirements

Your DPA should specify appropriate technical and organizational measures, including:

  • Pseudonymization and encryption
  • Confidentiality, integrity, availability systems
  • Timely restoration capabilities
  • Regular testing of security measures

Breach Notification

Include requirements for:

  • Notification timeframe (typically 24-72 hours)
  • Information to be provided
  • Documentation requirements
  • Communication procedures

Controller vs Processor vs Sub-Processor

Understanding these roles is crucial for proper DPA drafting:

Data Controller

Determines the purposes and means of processing:

  • Decides why and how data is processed
  • Owns the data relationship with data subjects
  • Determines what data to collect
  • Must have lawful basis for processing
  • Responsible for compliance with data subject rights

Data Processor

Processes data on behalf of the controller:

  • Processes data only on controller's instructions
  • Cannot determine purposes of processing
  • Must follow DPA terms
  • Responsible to controller for compliance
  • Cannot engage another processor without consent

Sub-Processor

A processor engaged by another processor:

  • Engaged by the main processor (not controller)
  • Same obligations as processor under original DPA
  • Controller must be informed of changes
  • Original processor remains responsible to controller
Role Key Responsibility Signs DPA With
Controller Determines processing purposes Processor
Processor Processes on controller's instructions Controller + Sub-processors
Sub-processor Processes on processor's instructions Processor

Sub-Processor Management

When your processor engages sub-processors, you need protections:

Prior Authorization Requirement

Processors can only engage sub-processors with:

  • General written consent: Pre-authorized list of sub-processors
  • Specific written consent: Informed of each new sub-processor

Chain of Liability

The processor remains fully responsible to the controller for:

  • Sub-processor's performance
  • Sub-processor's compliance with DPA terms
  • All data protection obligations

Your DPA Should Require

  • Notification of new sub-processors
  • Opportunity to object
  • Contractual restrictions on sub-processors
  • Right to audit sub-processors

Best Practice

Maintain a list of approved sub-processors and review it quarterly. When processors add new sub-processors, ensure your contract gives you adequate notice and objection rights before processing begins.

International Data Transfers in DPAs

When processors transfer data outside the EU/EEA, additional provisions are needed:

Transfer Mechanisms

Your DPA should address how international transfers are handled:

  • EU Standard Contractual Clauses (SCCs): Required for transfers without adequacy
  • Binding Corporate Rules (BCRs): For intra-group transfers
  • Adequacy Decisions: Countries with EU-approved protections
  • Transfer Impact Assessments: Evaluate destination country's law

DPA Transfer Provisions

Include in your DPA:

  • Representation that transfers comply with law
  • Description of transfer mechanisms used
  • Requirements for supplementary measures
  • Notification of legal changes affecting transfers
  • Deletion/return if transfer becomes illegal

Post-Schrems II Considerations

Following the Schrems II ruling that invalidated the EU-US Privacy Shield:

  • Conduct transfer impact assessments
  • Implement technical and organizational supplementary measures
  • Monitor for new adequacy decisions
  • Consider EU-US Data Privacy Framework when available

DPA Best Practices

Follow these practices to ensure adequate data protection:

1. Inventory Your Processors

  • Map all vendors that process personal data
  • Categorize by data sensitivity and risk
  • Prioritize high-risk processors
  • Review contracts annually

2. Review Standard Contract Terms

  • Many vendors offer "standard" DPAs
  • Review for compliance with Article 28
  • Negotiate changes where needed
  • Don't accept terms that limit your rights

3. Ensure Adequate Security

  • Specify appropriate security measures
  • Require encryption where possible
  • Include audit rights
  • Require breach notification timelines

4. Document Everything

  • Keep signed DPAs on file
  • Document processing activities
  • Maintain records of sub-processors
  • Track contract renewal dates

5. Conduct Due Diligence

  • Review vendor security practices before signing
  • Check for certifications (ISO 27001, SOC 2)
  • Assess data handling procedures
  • Verify sub-processor management

6. Plan for Termination

  • Include data return/deletion provisions
  • Specify return format and timeline
  • Address post-termination data handling
  • Include transition assistance requirements

Analyze Your Privacy Policy

Use PolicyLens to verify your privacy policy addresses data processing relationships and that your vendor contracts include required DPA provisions.

Analyze Your Policy Free