What Is a Data Processing Agreement and Who Needs One?
Under GDPR Article 28, a Data Processing Agreement is mandatory every time a third party processes personal data on your behalf. Most businesses are missing several. Here is who needs one, what it must contain, and the real cost of skipping it.

The Document Almost Every Business Is Missing
If your business uses any of the following, you are required to have a Data Processing Agreement (DPA) in place:
That list covers the vast majority of modern businesses. If you process EU or UK personal data and use any of these tools — and have not signed a DPA with each provider — you are in breach of GDPR Article 28. Not potentially. Definitively.
What Is a Data Processing Agreement?
A Data Processing Agreement is a legally binding contract between two parties:
The DPA governs the relationship between them: what data is processed, why, for how long, under what security conditions, and what happens when the arrangement ends.
Under GDPR Article 28 and UK GDPR Article 28, every controller-processor relationship involving personal data must be covered by a written DPA. There are no exceptions based on company size, contract value, or frequency of processing.
Controller vs Processor: Understanding the Distinction
The distinction matters because it determines who carries which legal obligations.
You are a Controller when:
You are a Processor when:
You can be both simultaneously. A SaaS company is a controller for its own employee data and a processor for its customers' data.
When you are a processor, your clients must provide you with a DPA — and you must sign it. When you use processors, you must provide them with a DPA.
What Must a DPA Contain Under Article 28?
GDPR is specific about what a DPA must address. A compliant DPA must include:
1. Subject matter and duration
What personal data is being processed and for how long the processing arrangement lasts.
2. Nature and purpose of processing
The specific activities the processor carries out (e.g. storing email addresses, sending marketing campaigns, processing payments) and why.
3. Type of personal data and categories of data subjects
The categories of data (names, emails, financial data, health data) and who the data relates to (customers, employees, website visitors).
4. Controller's obligations and rights
The processor acts only on documented instructions from the controller. If the processor believes an instruction violates GDPR, it must inform the controller.
5. Confidentiality commitment
Anyone processing the data must be under a legally binding confidentiality obligation.
6. Security measures
The processor must implement appropriate technical and organisational security measures (Article 32). The DPA must specify or reference these measures.
7. Sub-processors
The processor may not engage sub-processors without the controller's prior written authorisation. A list of approved sub-processors must be maintained and updated. This is one of the most frequently overlooked requirements — every vendor your vendor uses to process your data must also be covered.
8. Data subject rights assistance
The processor must assist the controller in responding to data subject requests (access, erasure, portability) within the required timeframes.
9. Breach notification
The processor must notify the controller without undue delay upon becoming aware of a personal data breach — allowing the controller to meet its own 72-hour requirement to notify the supervisory authority (the Data Protection Authority).
10. End-of-contract handling
On termination, the processor must either delete or return all personal data, at the controller's option, and confirm in writing that this has been done.
11. Audit rights
The controller must have the right to audit the processor's compliance, or to require the processor to provide evidence of compliance (e.g. ISO 27001 certification, SOC 2 reports).
The Sub-Processor Problem
Sub-processors are the vendors that your vendors use. This is where most businesses have gaps they are completely unaware of.
Example: You use Mailchimp to send newsletters. Mailchimp uses AWS to host its infrastructure. AWS is a sub-processor. Mailchimp's DPA with you should cover its use of AWS. But if Mailchimp adds a new sub-processor — say, a new analytics tool — you should be notified and have the right to object.
Major platforms like Google, Stripe, and Microsoft publish their DPAs publicly and maintain sub-processor lists. For smaller vendors, you may need to request this information.
Practical step: When onboarding any new vendor, always check whether they have a published DPA and sub-processor list. If they don't, request one before sharing any personal data.
When You Are the Processor — What You Need
If you provide services where you access or process your clients' customer data, you need to provide your clients with a DPA. This applies to:
Without a DPA, your clients are non-compliant — and increasingly sophisticated procurement teams and enterprise clients will refuse to work with vendors who cannot provide one.
Common DPA Mistakes
Mistake 1 — Relying on a vendor's terms of service as a substitute
Terms of service are not DPAs. They cover commercial terms. A separate DPA specifically covering Article 28 obligations is required.
Mistake 2 — Not updating the sub-processor list
GDPR requires processors to inform controllers of any changes to sub-processors. If your DPA has a fixed sub-processor list from 2022, it is almost certainly outdated.
Mistake 3 — No audit mechanism
A DPA that gives you no right to audit or obtain compliance evidence from your processor is not compliant with Article 28(3)(h).
Mistake 4 — No international transfer mechanism
If your processor is located outside the EU/EEA or UK, the DPA must be supplemented with an appropriate transfer mechanism — EU Standard Contractual Clauses, UK IDTA, or a transfer impact assessment. A DPA alone is insufficient.
Mistake 5 — Signing a DPA without reading it
Many businesses accept vendor DPAs without reviewing them. Key things to check: sub-processor approval process, breach notification timescales, data deletion procedures, and audit rights.
The Real Cost of Missing DPAs
In January 2023, the Belgian Data Protection Authority fined an organisation €50,000 for failing to have DPAs in place with its processors. In 2024, multiple fines across Europe were specifically linked to absent or inadequate processor contracts.
Beyond regulatory fines, missing DPAs create practical problems: if a breach occurs at your processor and you have no DPA, you have no contractual right to breach notification — leaving you exposed to regulatory action with no warning.
Start With Your Top 10 Vendors
You do not need to tackle every vendor at once. Start with the processors that handle the most sensitive or voluminous personal data:
Check each one for a published DPA. Sign it. Document it. Move to the next.
Need a DPA drafted for your own services or reviewed for a vendor relationship? Our legal team produces GDPR-compliant Data Processing Agreements tailored to your specific processing activities — ready in 24-48 hours.

