Data processing Agreement (DPA)

Data Processing Agreement (DPA)

Why businesses need Data Processing Agreement (DPA)? It’s practically not possible to run a business without processing personal data and exchanging it with other businesses. It may be website analytics software, cloud storage, CRM or marketing platform, and whether you are controller, processor, sub-processor or joint controller, you have to construct a lawful Data Processing Arrangement with the party you exchange personal information. 

GDPR does not have legal restrictions on the form of the Data Processing Agreement, however, if processor is located outside EU and international data transfer happens, there are some specific requiremens to the format of documentation, for example standard contractual clauses, coprorate binding rules., etc. 

Considering the complexity of the task, it’s advisable to have a data processing agreement as a separate document. 

Do I need to have a Data Processing Agreement?

If you exchange personal data with other parties, you should have a Data Processing Agreement in place. Articles 28 through 36 of the GDPR cover the requirements for data processing and data processing agreements. Let’s have a look at a bit more specific responsibilities of different roles. 


 The controller is responsible for establishing a lawful data process and observing the rights of data subjects. The controller defines the way how data processing takes place and at what conditions. The controller must have a data processing agreement with its processors. 


The data processor should handle the data exclusively in the manner demanded by the controller.  Processor must have adequate information security in place, shouldn’t use sub-processors without the knowledge and consent of the controller, must cooperate with the authorities in the event of an enquiry, must report data breaches to the controller as soon as they become aware of them, must give the data controller the opportunity to carry out audits examining their GDPR compliance, must help the controller to comply with data subjects’ rights, must assist the data controller in managing the consequences of data breaches, must delete or return all personal data at the end of the contract at the choice of the controller, and must inform the controller if the processing instructions infringe GDPR. 


 Sub-processor performs data processing on behalf of the processor. Data processors should have a data processing agreement with any sub-processors they use. The processor shouldn’t engage sub-processors without the prior consent of the controller.

Joint Controller

 Article 26 defines joint controllers as two or more controllers jointly determining the purposes and means of processing. Regardless of those arrangements, each controller remains responsible for complying with all the obligations of controllers under the GDPR. Joint controllers are not required to have a contract, but you must have a transparent arrangement that sets out your agreed roles and responsibilities. Such information should be available to data subjects.

What should be included in a data processing agreement?

Articles 28 through 36 of GDPR set conditions of data exchange and conditions of personal data between controller and processors. Here are the most important subjects you have to cover in your data processing agreement.

Details about processing

  • the subject matter and duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data and categories of data subject;
  • purpose and legal basis of personal data processing;
  • the controller’s and processor’s rights and responsibilities.

Minimum required terms

The processor must act in accordance with written instructions of the controller

The agreement must say that the processor may only process personal data in line with the controller’s documented instructions (including when making an international transfer of personal data) unless it is required to do otherwise by EU or member state law.

An instruction can be documented by using any written form, including email. The instruction must be in a reproducible form, so that there is a record of the instruction.

This contract term should make it clear that it is the controller, rather than the processor, that has overall control of what happens to the personal data.

If a processor acts outside of the controller’s instructions in such a way that it decides the purpose and means of processing, then it will be considered to be a controller in respect of that processing and will have the same liability as a controller.

Confidentiality of processed personal data

The agreement has to say that the processor must obtain a commitment of confidentiality from anyone it allows to process the personal data, unless that person is already under such a duty by statute.

This contract term should cover the processor’s employees as well as any temporary workers and third-party workers who have access to the personal data.

Obligation to have adequate information security in place, technical and organisational measures to be met

The agreement has to oblige the processor to take all security measures necessary to meet the requirements on the security of processing  (see Article 32).

Both controllers and processors are obliged to put in place appropriate technical and organisational measures to ensure the security of any personal data they process which may include, as appropriate:

  • encryption and pseudonymisation;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore access to personal data in the event of an incident; and
  • processes for regularly testing and assessing the effectiveness of the measures.

Codes of conduct and certification may help processors to demonstrate sufficient guarantees that their processing will comply with the GDPR.

The requirement to use sub-processors only with the data controller’s knowledge and consent

The agreement must say that:

  • the processor should not engage a sub-processor without the controller’s prior specific or general written authorisation;
  • if a sub-processor is employed under the controller’s general written authorisation, the processor should let the controller know of any intended changes and give the controller a chance to object to them;
  • if the processor employs a sub-processor, it must put a contract in place imposing the same data protection obligations on that sub-processor;
  • the processor is liable to the controller for a sub-processor’s compliance with its data protection obligations.

Cooperation of processor for the purpose of resolving subject access requests

The agreement has to provide for the processor to take appropriate technical and organisational measures to help the controller respond to requests from individuals to exercise their rights.

Cooperation of processor for the purpose of protecting the rights and privacy of data subjects

The agreement has to say that, taking into account the nature of the processing and the information available, the processor must assist the controller in meeting its obligations to:

The agreement should be as clear as possible about how the processor will help the controller meet its obligations.

Duration of the processing and returning and/or deletion of personal data

The agreement has to say that at the end of the contract the processor must:

  • at the controller’s choice, delete or return to the controller all the personal data it has been processing for it; and
  • delete existing copies of the personal data unless EU or Member State law requires it to be stored.

It should be noted that deletion of personal data should be done in a secure manner, in accordance with the security requirements of Article 32. 

The agreement has to include these terms to ensure the continuing protection of the personal data after the contract ends. This reflects the fact that it is ultimately for the controller to decide what should happen to the personal data being processed, once processing is complete.

The processor should allow the data controller to carry out audits examining their compliance

Under Article 28(3)(h) the agreement has to require:

  • the processor to provide the controller with all the information that is needed to show that the obligations of Article 28 have been met; and
  • the processor to allow for, and contribute to, audits and inspections carried out by the controller, or by an auditor appointed by the controller.

This provision obliges the processor to be able to demonstrate compliance with the whole of Article 28 to the controller. For instance, the processor could do this by giving the controller the necessary information or by submitting to an audit or inspection.

Keeping records of the processing activities would be useful for the processor to demonstrate compliance with Article 28. Requirements for processors to maintain records of their processing activities are set out in Article 30(2). 

Other requirements

If required by GDPR, the data processor shall appoint a Data Protection Officer and both parties must agree on periodic review of terms of the agreement. 

Need registry of data processing agreements?

Sign up for 14-day Free Trial! No credit card needed. No obligations.
Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email

Try our GDPR Compliance Tool GDPR Register for 14-days.

No credit card required.

Latest Posts
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

Why businesses need Data Processing Agreement (DPA)? It’s practically not possible to run a business without processing personal data and...
GDPR checklist for controllers

GDPR checklist for controllers

This is a simple GDPR compliance checklist for controllers that you can use to ensure you have considered most important...
GDPR Basics: Are you a Controller or a Processor?

GDPR Basics: Are you a Controller or a Processor?

What are ‘controllers’ and ‘processors’? With this short and simple article, we will try to explain the basics of controllers...
Templates for Records of Processing Activities

Templates for Records of Processing Activities

As we see every day, most companies and organisations still keep their Records of Processing Activities in spreadsheets. Through our...
Web plug-in requires visitor’s consent

Web plug-in requires visitor’s consent

In the light of the recent ruling of the European Court of Justice, website owners have to bear in mind...
First GDPR fine issued in Lithuania

First GDPR fine issued in Lithuania

A year after GDPR came into force, the Lithuanian Data Protection Authority (VDAI) has issued its first administrative fine. UAB ‘Mister Tango’,...
Finnish DPA ordered a company to change their data processing practises

Finnish DPA ordered a company to change their data processing practises

An article was published recently in the Helsingin Salomat about the Finnish Data Protection Authority who had ordered a payment and...
Data Protection Officer’s role and responsibilities

Data Protection Officer’s role and responsibilities

In light of the latest survey conducted by the CPO Magazine, we are looking into the role of the Data...
GDPR Compliance Checklist for 2020

GDPR Compliance Checklist for 2020

Just recently, a report was published based on a survey of 252 global privacy professionals working for a wide range...
Records of processing activities in GDPR Article 30

Records of processing activities in GDPR Article 30

What do companies have to include in the records of processing activities? GDPR requires companies to keep an internal record,...

Zpracovává vaše společnost osobní údaje?

Zpracovávat vaše společnost osobní údaje fyzických osob, jako jsou:

  • Údaje zaměstnanců, zákazníků, uchazečů o zaměstnání nebo pacientů včetně:
    • Jméno nebo osobní identifikační číslo
    • Kontaktní údaje (e-mailová adresa, telefonní číslo, adresa)
    • Bankovní údaje, plat, údaje o pasu nebo jiné osobní údaje


Ar Jūsų įmonė renka ir tvarko fizinių asmenų asmens duomenis? 

Asmens duomenys gali būti:

  • Kliento, darbuotojo. paciento, kandidato į darbo vietą ir kt. 
    • Vardas ar asmens  numeris 
    • Kontaktinė informacija (el.pašto adresas, telefono numeris, adresas ir kt)
    • Banko sąskaitos  duomenys, atlyginimo dydis, paso duomenys ar bet kokia kita asmeninė informacija. 

Onko yrityksessäsi enemmän, kuin 250 työntekijää?

Kas teie ettevõte kogub ja töötleb isikuandmeid?

Kas teie ettevõte kogub ja töötleb füüsiliste isikutega seotud andmeid nagu näiteks:

Töötajate, klientide, tööle kandideerijate, patsientide:

  • Nimi, isikukood
  • E-posti aadress, telefoninumber, kodune aadress
  • Pangakontonumber, palgasumma, krediitkaardiandmed või mõnda muut tüüpi isiklikud andmed

Does your company collect any personal data?

Does your company collect and process any personal data of natural persons such as:

  • Employees, Customers, Job Applicants or Patients including:
    • Name or personal ID number
    • Contact details (Email address, Phone number, Address)
    • Bank details, Salary amounts, Passport details or any other personal data