
Data Processing Agreement (DPA)

A contractual arrangement required by Art. 28 GDPR whenever a service provider processes personal data on behalf of a controller.

Processing on behalf of a controller (a controller–processor relationship) exists when an external service provider processes personal data solely on the instructions of the controller and has no independent decision-making power over the purposes and means of the processing. Typical examples include cloud hosting providers, external payroll services, email marketing platforms, and IT support companies with access to systems containing personal data. Under Art. 28 GDPR, this relationship must be governed by a contract or other legal instrument — the Data Processing Agreement (DPA).

A valid DPA must contain certain mandatory elements: the subject matter, duration, nature, and purpose of the processing; the type of personal data and categories of data subjects; and the obligations and rights of the controller. In addition, the processor must commit to acting only on documented instructions from the controller, implementing appropriate technical and organisational measures, and engaging sub-processors only with the controller's explicit authorisation.

For compliance officers, DPA management is an ongoing responsibility. Every time a new SaaS tool or external service provider with access to personal data is onboarded, you must assess whether the provider will process personal data on your behalf and, if so, whether a valid DPA is in place. The absence of a DPA constitutes a breach of Art. 28 GDPR and can result in significant fines. Existing DPAs must also be reviewed regularly to ensure they remain accurate and complete — particularly when the vendor's sub-processor list changes.

Legal Basis

Art. 28 GDPR

Practical Example

Your organisation is rolling out a new HR software solution delivered as a cloud SaaS product that stores employee data including payroll records, leave balances, and sick notes. As compliance officer, you review the vendor's draft DPA and notice that the list of sub-processors is missing. You request it under Art. 28(4) GDPR before signing. Only once the complete DPA — including the sub-processor list — has been signed do you approve the system for production use and add the processing activity to the record of processing activities (ROPA).

FAQ

You need a DPA whenever an external service provider processes personal data on your behalf without independent control over the purposes and means of processing. This applies to cloud services, external IT providers, marketing agencies, and many other vendors.

The absence of a DPA constitutes a breach of Art. 28 GDPR and can result in fines of up to €10 million or 2% of global annual turnover. The controller may also be held liable for the processor's data protection violations if no valid contract is in place.

Yes, but only with the controller's explicit written authorisation. The processor must impose the same data protection obligations on the sub-processor and remains fully liable to the controller for the sub-processor's compliance.
