
Data Processing Agreements Under GDPR: What You Need to Know

Flowsery Team
1 min read

TL;DR — Quick Answer

Every third-party service that processes personal data on your behalf must be bound by a data processing agreement that meets the requirements of GDPR Article 28. Most businesses underestimate how many such agreements their vendor stack needs.

When organizations share personal data with third-party service providers, the GDPR requires a formal data processing agreement (DPA) to govern how that data is handled. Understanding DPA requirements is essential for any business using external tools or services that touch personal data.

What Is a Data Processing Agreement?

A DPA is a legally binding contract between a data controller (the organization that determines why and how personal data is processed) and a data processor (the third party that processes the data on the controller's behalf and under its instructions). Common processor relationships include cloud hosting providers, email delivery services, analytics tools, and payment processors. A vendor is a processor only if it acts solely on your instructions; some vendors, certain payment providers for instance, act as independent controllers for part of the data they receive, and that part of the processing is governed by the vendor's own obligations under the GDPR rather than by a DPA.

Key Requirements

DPAs must specify the subject matter and duration of the processing, its nature and purpose, the types of personal data involved, and the categories of data subjects. They must also impose binding obligations on the processor: processing the data only on documented instructions from the controller (including for any transfer to a third country), ensuring that staff with access to the data are bound by confidentiality, implementing security measures appropriate to the risk, engaging sub-processors only with the controller's authorization, assisting the controller with data subject requests and with its security and breach-notification duties, deleting or returning the data at the end of the service, making available the information needed to demonstrate compliance and allowing audits, and informing the controller if an instruction would infringe the GDPR.

Sub-Processors

When a processor engages another processor (a sub-processor), it must first obtain the controller's written authorization, which may be specific to that sub-processor or general. Where the authorization is general, the processor must inform the controller of any intended addition or replacement so the controller has the opportunity to object. The sub-processor must be bound by the same data protection obligations as the original processor, and the original processor remains fully liable to the controller for the sub-processor's performance. The DPA should therefore address sub-processor management explicitly: the notification mechanism and notice period, the controller's right to object, and how liability flows through the chain.

Practical Implications

Many businesses underestimate their DPA obligations. Every SaaS tool, cloud service, or third-party integration that processes personal data on your behalf requires a DPA. Organizations should inventory their vendor relationships, identify which vendors are processors, ensure a DPA is in place with each of them, and regularly review these agreements to confirm they still reflect actual practice: the data categories and purposes in the DPA should match what is really sent to the vendor, and the vendor's published sub-processor list and security measures should match the ones the DPA describes.

Failure to maintain proper DPAs can result in GDPR fines and leaves organizations exposed if a processor causes a data breach: the controller remains accountable for the processing, and without a DPA it has no contractual right to timely breach notification, to audit the processor, or to have the data returned or deleted.
