Data Processing Agreement (DPA) and when it is required under GDPR
A Data Processing Agreement is one of the most common, and most misunderstood, elements of GDPR. Most organizations know they “should have one”, but far fewer understand when it is actually required and what it obliges them to do in practice. That is where mistakes begin.
See how data processing agreements fit into the full GDPR implementation process: How to implement GDPR in a small business – step-by-step guide
What is a Data Processing Agreement?
A Data Processing Agreement (DPA) is a legally binding contract between a data controller and a data processor. It defines how personal data is processed, what responsibilities each party has, and how the data is protected. Under GDPR this is not optional: whenever a processor handles personal data on behalf of a controller, the processing must be governed by a contract (or another legal act under Union or Member State law) that binds the processor to the controller, and that contract must be in writing, which includes electronic form.
This requirement comes directly from Article 28 GDPR, in particular Article 28(3) (required content) and Article 28(9) (written form).
Controller vs processor – why it matters
To understand when a DPA is needed, the distinction between controller and processor is essential. The controller determines the purposes and means of the processing, in other words why and how personal data is processed (Article 4(7)). The processor processes personal data only on behalf of the controller and only on its documented instructions (Article 4(8)); a processor that starts deciding purposes on its own becomes a controller for that processing.
In practice, most organizations act as controllers and rely on external providers — such as cloud services, accounting firms or SaaS platforms — to process data for them. And this is exactly where a DPA becomes necessary.
The real issue: organizations don’t see the processing
The biggest problem is not the lack of contracts. It is the lack of awareness.
Organizations use multiple tools and vendors every day. Data flows through systems, integrations and external services — often without a clear understanding of who is processing it and on whose behalf.
As a result, DPAs are either missing or signed without real analysis.
When is a DPA required?
A Data Processing Agreement is required whenever personal data is processed by a third party on behalf of the organization. This includes situations where external providers store, analyze or otherwise handle personal data as part of a service. Typical examples include cloud storage, payroll services, CRM systems or email platforms.
If a third party processes data based on your instructions, a DPA is required.
The most common mistake: confusing roles
One of the most frequent errors is misunderstanding the role of the other party. Not every external provider is a processor. If a third party determines its own purposes and means of processing, it acts as a controller, or as a joint controller if it decides those purposes and means together with you. The role is determined by what each party actually decides, not by what the contract calls them.
In such cases a DPA is not the correct instrument: joint controllers must set out their respective responsibilities in an arrangement under Article 26, and an independent controller-to-controller relationship is governed by the parties' own lawful bases and a data-sharing or transfer agreement rather than by Article 28 terms.
This is why identifying roles correctly is more important than simply signing documents.
What should a DPA include?
A proper Data Processing Agreement should clearly define the scope and rules of processing. It must specify the subject matter, duration, nature and purpose of the processing, the type of personal data and the categories of data subjects, and the obligations and rights of the controller.
It must also set out the obligations of the processor. Article 28(3) lists them; a DPA that omits any of them is incomplete:
- processing only on the controller's documented instructions, including for any transfer to a third country
- ensuring that persons authorised to process the data are bound by confidentiality
- implementing appropriate technical and organisational security measures (Article 32)
- not engaging a sub-processor without the controller's prior written authorisation, and flowing the same obligations down to every sub-processor (Article 28(2) and 28(4))
- assisting the controller in responding to data subject requests
- assisting the controller with security, breach notification and data protection impact assessments (Articles 32 to 36)
- deleting or returning all personal data at the end of the service, unless retention is required by law
- making available the information needed to demonstrate compliance and allowing audits and inspections by the controller or an auditor it mandates
These elements are not optional; they are required by GDPR.
A DPA is not a “sign and forget” document
Many organizations treat DPAs as formalities. They sign contracts with vendors and assume the obligation is fulfilled. In reality, the responsibility does not end with signing. Article 28(1) requires controllers to use only processors that provide sufficient guarantees of compliance, which means assessing a processor before engaging it and verifying afterwards that data is handled as agreed, for example by using the information and audit rights the DPA itself must grant.
Without ongoing oversight, the contract alone provides little protection.
Why managing DPAs becomes difficult
As organizations grow, the number of vendors increases.
Each new tool, system or service may involve personal data processing. Keeping track of all agreements, verifying their scope and ensuring consistency becomes increasingly complex.
Over time, organizations lose visibility over:
- who processes their data
- under what terms
- and whether proper agreements are in place
This is where compliance gaps appear.
How to manage DPAs in practice
Organizations that manage DPAs effectively do not treat them as isolated documents. Instead, they connect each agreement with the actual processing activities it covers and maintain a clear overview of all processors involved. The record of processing activities required by Article 30 is the natural anchor: it already lists the processing operations and the categories of recipients, so each processor in it can be linked to its DPA, the data it receives and the responsibilities assigned to it. A processor that appears in the record without a DPA, or a DPA whose scope no longer matches what the vendor actually does, is then visible immediately.
The goal is not just to have agreements, but to understand them.
DPAs as part of a broader GDPR system
A Data Processing Agreement is closely connected with other GDPR elements. It relies on understanding processing activities, data retention, access control and risk assessment. Without these connections, even a properly drafted agreement may not reflect reality.
DPAs only make sense when they are part of a larger, structured approach.
See how to manage processors, contracts and GDPR obligations in one system
DPAs and GDPR audits
During audits, supervisory authorities often review relationships with processors. They want to verify whether agreements exist, whether they contain the elements Article 28(3) requires and whether the organization understands its own role and that of its vendors. Missing or inadequate DPAs are one of the easiest issues for an auditor to identify.
And one of the most common.
Summary
A Data Processing Agreement is not just a formal contract. It is a key element of GDPR compliance that defines how personal data is handled between organizations. The biggest risk is not failing to sign a contract, but failing to understand when it is required and what it actually means.
The difference lies in whether the organization treats DPAs as paperwork or as part of a real process.