subprocessor.io
Guide · 7 min read

What is a data processing agreement (DPA)?

30 May 2026

A Data Processing Agreement (DPA) is a contract that sets out the terms on which a processor handles personal data on behalf of a controller. Under the GDPR it is the legal basis for one organisation processing personal data for another. Without a DPA in place, the processing is taking place without the contract that Article 28(3) requires, which exposes both the controller and the processor to administrative fines under Article 83 and to liability to data subjects under Article 82.

When is a DPA required under GDPR? Article 28(3) requires that processing carried out by a processor on behalf of a controller be governed by a contract or other legal act under EU or Member State law that is binding on the processor and sets out its obligations (Article 28(1) separately requires the controller to use only processors that provide sufficient guarantees of compliant processing). In practice, this means a DPA is required whenever a third party will process personal data on your instructions, whether that third party is a cloud provider, a service vendor, or a subprocessor. A DPA is not optional; it is a regulatory requirement.

What must a DPA include? GDPR Article 28(3) lists eight mandatory terms: (a) the processor processes personal data only on documented instructions from the controller, including with regard to transfers to third countries; (b) staff authorised to process the data are bound by confidentiality obligations; (c) appropriate technical and organisational security measures are in place under Article 32; (d) the conditions for engaging sub-processors (Article 28(2) and (4)) are respected; (e) the processor assists the controller in responding to data subject rights requests; (f) the processor assists the controller in meeting its Article 32 to 36 obligations (security, breach notification to the supervisory authority, communication of breaches to data subjects, data protection impact assessments, and prior consultation); (g) personal data is deleted or returned at the end of the service and existing copies removed, unless EU or Member State law requires retention; (h) the processor makes available all information necessary to demonstrate compliance and allows for and contributes to audits and inspections. The same article also requires the contract to state the subject matter and duration of the processing, its nature and purpose, the types of personal data and the categories of data subjects. These eight obligations form the backbone of every DPA.

There are two main types of DPA: controller-to-processor and processor-to-subprocessor. A controller-to-processor DPA is signed between your customer (as controller) and you (as processor). A processor-to-subprocessor DPA is signed between you (as processor) and one of your vendors (as subprocessor). Both must contain the eight mandatory Article 28(3) terms. If you are a processor, Article 28(2) means you may engage a subprocessor only with the controller's prior specific or general written authorisation, and under a general authorisation you must inform the controller of intended additions or replacements so it can object. Article 28(4) then requires you to impose the same data protection obligations on each subprocessor, either directly or through flow-down clauses, and you remain fully liable to the controller if a subprocessor fails to meet them.

Standard Contractual Clauses (SCCs) and international transfers add another layer. When a processor is located outside the European Economic Area, or sends personal data to a non-EEA country, the transfer needs a Chapter V mechanism unless the destination is covered by an adequacy decision under Article 45. The Standard Contractual Clauses adopted by the European Commission are one of the appropriate safeguards recognised by Article 46(2)(c). The 2021 SCCs are modular, with separate modules for controller-to-processor (Module Two) and processor-to-processor (Module Three) transfers, and Clause 14 requires the parties to assess whether the laws of the destination country could prevent the data importer from complying with the clauses. If a DPA involves cross-border transfers, it must include or reference the appropriate SCCs (or another valid transfer mechanism).

Using a DPA template is a practical starting point. Data protection authorities, industry bodies, and many SaaS vendors publish DPA templates, and the European Commission has adopted its own standard contractual clauses for Article 28 agreements (Implementing Decision (EU) 2021/915), which are distinct from the transfer SCCs. Rather than drafting from scratch, most organisations start from a reputable template, customise it for their specific processor-subprocessor relationships, and have both parties sign. This is faster, more reliable, and reduces the risk of accidentally omitting a mandatory term. Before signing, check that the template is the current version, that its annexes actually describe the processing you carry out (data types, data subjects, duration, security measures), and that the subprocessor list and notification mechanism it refers to exist and are kept up to date.

Manage subprocessors without the spreadsheet

See how subprocessor.io tracks variations, runs notifications, and keeps your subprocessor lists current.