A data processing agreement (DPA) under Article 28 GDPR is a mandatory contract that governs the processing of personal data by external service providers under your instructions and covers eight mandatory content elements.
Imagine your company uses a cloud service for customer management or a newsletter tool for marketing. The provider stores and processes names, email addresses, and other personal data. In this scenario, you are the controller, and the provider is your processor. A data processing agreement (DPA) under Article 28 of the General Data Protection Regulation (GDPR) defines the rights and obligations of both parties. It is not a mere formality but a key instrument to maintain control over your data and avoid liability risks.
Our position: A DPA is not a checkbox exercise. It creates clarity about instruction binding, technical security, and the handling of sub-processors. Taking it seriously protects you from fines and loss of trust.
When is a DPA mandatory?
A DPA is legally mandatory as soon as an external service provider, such as a cloud provider or call center, processes personal data under your instructions. The GDPR distinguishes between the controller and the processor. The controller (typically your company) decides on the purpose and means of data processing. The processor acts on your instructions. As soon as an external service provider stores, transmits, or otherwise uses personal data for you, processing occurs. Typical examples include IT service providers, cloud vendors, payroll companies, or call centers.
The distinction matters: if the service provider pursues its own purposes, for instance using the data for its own market research, it is not a processor but a separate controller. In that case, you need a different legal basis, such as consent. When in doubt, the guidance from the European Data Protection Board (EDPB Guidelines 07/2020) helps clarify the concept of processing.
What the DPA must contain
A DPA under Article 28(3) GDPR must cover the following eight mandatory content elements:
- Subject matter and duration of the processing
- Nature and purpose of the data
- Categories of data subjects and data
- Controller's right to give instructions
- Processor's obligation to maintain confidentiality
- Technical and organizational measures (TOMs) under Article 32 GDPR, i.e., practical safeguards such as encryption, access controls, or backup concepts that protect the data
- Rules on sub-processors
- Assistance with data subject rights (access, erasure, rectification) and obligation to delete or return data after the contract ends
The processor must also provide evidence of compliance with TOMs, such as certificates or audit reports. If any of these points are missing, the contract is not GDPR-compliant.
Securing third-country data transfers
Third-country transfers under Articles 44-49 GDPR require, in addition to the DPA, standard contractual clauses under Commission Implementing Decision (EU) 2021/914 and a transfer risk assessment (TRA). In its Schrems II ruling (2020), the Court struck down the simple data transfer agreement with the US (Privacy Shield) because US surveillance laws could undermine EU data protection. A mere adequacy decision is therefore not always sufficient. Proceed as follows:
- Check whether an adequacy decision by the EU Commission exists for the third country, e.g., the EU-US Data Privacy Framework (2023).
- Conclude standard contractual clauses (SCCs) under Commission Implementing Decision (EU) 2021/914, these are pre-formulated contract modules from the EU Commission that contractually establish data protection for data transfers.
- Conduct a transfer risk assessment (TRA). In this assessment, you evaluate whether the laws of the third country could undermine the protection of the clauses, for instance through surveillance powers.
- If the risk is high, take supplementary measures in line with the EDPB Recommendations 01/2020, such as encryption or contractual assurances.
Our position: Many companies underestimate the effort required for third-country transfers. A TRA is not a one-time document but must be updated regularly. We consider it negligent to rely solely on standard contractual clauses without examining the specific legal landscape in the destination country.
Managing sub-processors
Under Article 28(2) GDPR, sub-processors may only be engaged with your prior consent as the controller; you bear ultimate responsibility even for sub-service providers. Many processors work with sub-service providers themselves, such as a data center operator. The DPA must specify whether and under what conditions the processor may engage sub-processors. This can be a general consent for certain categories, combined with the processor's obligation to inform you of changes. Alternatively, you can require case-by-case consent.
The processor must ensure that the sub-processor complies with the same data protection obligations. This is done through a further DPA between the processor and the sub-processor. You as the controller bear ultimate responsibility: if the sub-processor violates the GDPR, the supervisory authority may hold you liable. Therefore, we recommend reviewing the list of sub-processors regularly and requesting updates when needed.
Regularly review the DPA
An existing DPA should be reviewed at least once a year, especially when TOMs change, sub-processors are replaced, or new third-country links arise. Business relationships change, new technologies emerge, and the legal landscape evolves. A DPA signed years ago may now be incomplete. Supervisory authorities expect you as the controller to actively monitor compliance with the DPA. This means requesting evidence, such as TOM documentation or audit reports, and documenting your review.
Our position: A DPA is a living document. Filing it away and forgetting it wastes security. We believe regular review is the decisive factor in minimizing liability risks. This article provides general guidance but does not replace individual legal advice. For specific questions, consult a data protection officer or a specialized law firm.