Data Processing Agreement (GDPR): Complete Guide

What is a Data Processing Agreement?

A Data Processing Agreement (DPA) is a legally binding contract between a data controller (the organization that determines why and how personal data is processed) and a data processor (the organization that processes personal data on behalf of the controller). Article 28 of the GDPR requires that this agreement be documented in writing whenever you have personal data processed by a third party.

Think of your payroll administrator, cloud provider, email marketing tool, CRM vendor, or hosting party. All these parties process personal data on your behalf and require a DPA.

Mandatory content according to GDPR Article 28

The GDPR prescribes mandatory elements for every DPA. The subject matter and duration of processing must be described: which data is processed, about which data subjects, and for what period? The nature and purpose of processing must be documented. The categories of personal data and categories of data subjects must be specified.

Additionally, the DPA must set out the obligations and rights of the controller, as well as the processor's obligation to process personal data solely on the basis of written instructions from the controller. The processor must impose a confidentiality obligation on its employees, implement appropriate technical and organizational measures, and obtain the controller's prior authorization before engaging sub-processors.

Common mistakes with Data Processing Agreements

The most common mistake is simply copying a standard template without adapting it to the specific processing situation. Every DPA must describe which data is processed and why. A second mistake is not maintaining a register of processors — the GDPR requires you to know which parties process your personal data.

A third common mistake is not verifying whether your processor has actually implemented adequate security measures. A DPA is not a paper exercise but an active management document. Finally, the sub-processor clause is often forgotten or incomplete: if your cloud provider uses Amazon Web Services as a sub-processor, this must be documented and you must have given consent.

DPA and ISO 27001

ISO 27001 Annex A contains specific controls for supplier management (5.19–5.23) that directly align with DPA requirements. A well-implemented ISMS includes processes for identifying processors, assessing their security level, drafting and maintaining DPAs, and periodically reviewing compliance.

Organizations that are ISO 27001 certified typically have a structured process for DPAs. Our GRC platform includes a processor register and templates that help you systematically manage DPAs.

DPA for international transfers

When personal data is transferred to countries outside the EEA, additional safeguards are required. Since the Schrems II ruling, Standard Contractual Clauses (SCCs) are the most commonly used mechanism. These must be included as an annex to the DPA, along with a Transfer Impact Assessment evaluating whether the protection level in the receiving country is adequate.

Practical checklist

Use this checklist to assess your DPAs: are all mandatory elements from GDPR Article 28 present? Is the processing description specific enough? Is the processor's security level adequate and verified? Are sub-processors identified and approved? Is a data breach procedure included? Are audit and inspection agreements documented? Has the agreement been recently reviewed and is it still current?

How does iso2700x help?

Our privacy experts help you draft, review, and maintain DPAs. Through our GRC platform, you manage all DPAs centrally, with reminders for review dates and change management. Contact us for a free consultation.
