GDPR Data Processing Agreements Explained
Quick Answer
A Data Processing Agreement (DPA) is a legally required contract under GDPR Article 28 between a data controller and data processor that defines how personal data will be processed, what security measures apply, and each party's obligations.
What Is a Data Processing Agreement?
A Data Processing Agreement (DPA) is a binding contract required by GDPR Article 28 between a data controller (the organization that determines why and how personal data is processed) and a data processor (the organization that processes data on the controller's behalf). Think of it as a GDPR-specific contract addendum that governs how your vendors handle personal data.
Key Takeaways
- A DPA is legally required before any processor handles personal data on your behalf
- Must include specific Article 28 provisions (not just any contract language)
- Required for SaaS vendors, cloud providers, analytics tools, and any third party processing personal data
- Controllers must ensure processors provide "sufficient guarantees" of GDPR compliance
- Sub-processors must be authorized and bound by equivalent obligations
Required DPA Provisions (Article 28)
Article 28 Mandatory Provisions
- Subject matter and duration of processing
- Nature and purpose of processing
- Type of personal data and categories of data subjects
- Processor only processes data on documented instructions from the controller
- Processor ensures confidentiality obligations on authorized personnel
- Processor implements appropriate technical and organizational security measures
- Conditions for engaging sub-processors (prior authorization)
- Processor assists controller with data subject rights requests
- Processor assists controller with security, breach notification, DPIAs, and consultation
- Processor deletes or returns all personal data at end of services
- Processor makes available all information necessary to demonstrate compliance
- Processor allows and contributes to audits and inspections
When Do You Need a DPA?
| Vendor/Service | DPA Required? | Notes |
|---|---|---|
| Cloud hosting (AWS, GCP, Azure) | Yes | All major providers offer standard DPAs |
| Email marketing (Mailchimp, SendGrid) | Yes | Processing email addresses and user data |
| Analytics (Google Analytics, Mixpanel) | Yes | Tracking and analyzing user behavior |
| CRM (Salesforce, HubSpot) | Yes | Storing customer personal data |
| Payment processor (Stripe) | Usually controller-controller | Stripe acts as independent controller for fraud prevention |
| Accounting software (QuickBooks) | Yes, if storing personal data | Employee/customer financial data |
| Social media advertising | Usually joint controllership | Complex: may need joint controller agreement instead |
Sub-Processor Management
If your processor uses sub-processors (which most SaaS companies do — their own cloud providers, analytics, etc.), the DPA must address this. You have two options:
Sub-Processor Authorization Approaches
- General authorization: the processor can add sub-processors after giving prior notice (e.g., 30 days), and you retain the right to object. Pro: more practical for SaaS vendors. Con: less control over who processes your data, and you must monitor sub-processor changes.
- Specific authorization: the controller must approve each individual sub-processor. Pro: maximum control. Con: creates an operational bottleneck, and processors may refuse this approach.
✅ Use Standard DPA Templates
The European Commission has published Standard Contractual Clauses that include DPA provisions. Most major SaaS vendors (Google, Microsoft, Salesforce, AWS) offer pre-made DPAs that satisfy Article 28 requirements. Reviewing and signing these standard DPAs is usually faster and cheaper than negotiating custom agreements.
Key Figures
- Article 28: the GDPR article that defines DPA requirements
- EUR 10M / 2%: maximum fine without a DPA, for processing without proper agreements
- 12: required provisions, the minimum elements per Article 28
- 30 days: typical sub-processor notice, the common period for sub-processor change notification
Is a DPA the same as an NDA?
No. An NDA covers confidentiality of business information. A DPA specifically addresses GDPR requirements for personal data processing — it includes provisions for data subject rights, security measures, breach notification, sub-processors, and audit rights that an NDA doesn't cover.
Who should draft the DPA — the controller or processor?
Either party can draft it. In practice, processors (especially SaaS vendors) typically offer their own DPA as part of their terms of service. As a controller, review the processor's DPA against Article 28 requirements and negotiate any missing provisions.
Can a DPA be part of the main service agreement?
Yes. A DPA can be a standalone document, an annex to the main contract, or integrated into the terms of service. The format doesn't matter — only the content. Most SaaS vendors include their DPA as a separate addendum.
What if a vendor refuses to sign a DPA?
If a vendor processes personal data on your behalf but refuses to sign a DPA, you cannot legally use them for that purpose. Consider: negotiating, using their standard DPA if available, or finding an alternative vendor that provides Article 28-compliant agreements.