Every organization that uses third-party services to process personal data needs Data Processing Agreements. Under GDPR Article 28, this is not optional — it is a legal requirement. Yet DPAs remain one of the most mismanaged aspects of privacy compliance.
The problem is not awareness. It is execution: incomplete agreements, missing sub-processor clauses, unsigned contracts sitting in inboxes, and no systematic way to track which vendors have valid DPAs in place.
Controller vs. Processor: Getting the Basics Right
Before drafting a DPA, determine the relationship. Misclassification is one of the most common GDPR compliance failures.
Controller: Determines the purposes and means of processing — you decide why and how personal data is processed.
Processor: Processes personal data on behalf of the controller, following your instructions.
Joint controllers: Two or more parties jointly determine purposes and means, requiring a different agreement under Article 26.
The classification is based on actual processing activities, not what a vendor calls themselves. A payroll provider running your payroll is a processor. An analytics platform using your data to improve its own products may be a joint controller.
Watch for these common misclassifications:
- Cloud infrastructure providers (usually processors, but check their terms)
- Analytics tools aggregating data across customers (potentially joint controllers)
- AI services using input data for model training (likely joint controllers unless training is disabled)
- Payment processors (often independent controllers for fraud prevention)
What GDPR Article 28 Requires
The regulation is specific about what a DPA must contain:
- Subject matter and duration of the processing
- Nature and purpose of the processing
- Type of personal data and categories of data subjects
- Obligations and rights of the controller
- Processor obligations: process only on documented instructions, ensure confidentiality, implement Article 32 security measures, respect sub-processor conditions, assist with data subject rights and breach notification, delete or return data after services end, and allow audits
The Sub-Processor Problem
Article 28(2) requires processors not to engage another processor without your prior specific or general written authorization. Most SaaS vendors use dozens of sub-processors. Your DPA must address how you will be notified of changes, your right to object, and what happens if you do.
Check your vendors' sub-processor lists regularly. A vendor adding a sub-processor in a non-EU jurisdiction without adequate safeguards directly affects your compliance posture.
DPA Pitfalls That Trigger Enforcement
Regulators have fined organizations for DPA failures. These are not theoretical risks.
Missing DPAs entirely. The Danish supervisory authority fined a municipality for using a cloud service without a DPA — not for a breach, just for the absence of a valid agreement. Your data inventory should flag every processor relationship and whether a DPA exists.
Template DPAs that do not match reality. A generic DPA that says the processor handles "contact details" when they actually process health data is materially inaccurate and non-compliant.
Unsigned or expired DPAs. A DPA sent but never countersigned is not valid. Track signature status and expiry dates.
No sub-processor oversight. Several enforcement actions targeted organizations with DPAs for direct processors but no oversight of sub-processors. Under GDPR, you are responsible for the entire chain.
Inadequate transfer mechanisms. Since Schrems II, DPAs involving transfers to countries without adequacy decisions must include Standard Contractual Clauses or another valid mechanism. Many organizations updated primary DPAs but forgot sub-processor transfers.
Building a DPA Management Process
Step 1: Map Your Processors
Start with your data inventory. For each processing activity, identify which third parties are involved, their role, what personal data they access, where they process it, and whether a DPA is in place.
Step 2: Prioritize by Risk
Not all processor relationships carry equal risk. Prioritize by volume of personal data, sensitivity (special category data first), transfer destinations (non-EU processors need additional safeguards), and access level.
Step 3: Use the Right Template
The European Commission's 2021 SCCs provide a solid foundation. Supplement with specific security measures, concrete breach notification timelines (specify hours, not just "without undue delay"), feasible audit procedures, and data deletion verification mechanisms.
Step 4: Track and Review
DPAs are not sign-and-forget documents:
- Quarterly: Check sub-processor lists for changes
- Annually: Review DPA terms against actual processing
- On change: Update when processing activities change or you expand into new jurisdictions
- On incident: Review terms when a vendor experiences a security event
Step 5: Document Everything
Every DPA decision is compliance evidence. Capture execution dates, sub-processor notifications, transfer risk assessments, and audit results. An evidence vault that systematically captures these artifacts is more reliable than scattered email threads.
DPAs by Vendor Category
Cloud infrastructure (AWS, Azure, GCP): Generally comprehensive standard DPAs. Verify EU region enforcement, sub-processor notifications, and data deletion upon termination.
SaaS applications: Quality varies widely. Common gaps include vague security commitments, broad sub-processor authorization without notification, and unlimited data retention after contract termination. Review vendor profiles for privacy compliance posture.
AI and ML services: Unique challenges — does the provider use your data for training (making them a joint controller)? Where are prompts and outputs stored? Verify retention periods for abuse monitoring.
Analytics and marketing tools: These often blur the controller/processor line. If the tool aggregates your data with other customers' data for its own purposes, it is likely a joint controller.
International Transfers
Post-Schrems II, DPAs involving non-EU processors must address transfers explicitly:
- EU-US Data Privacy Framework: Verify active certification on the DPF website
- Standard Contractual Clauses: For other non-adequate countries, incorporating a Transfer Impact Assessment
- Supplementary measures: Encryption with EU-held keys, organizational policies, notification commitments
Track which vendors transfer data internationally. Jurisdiction-specific requirements vary — see our law comparison guides for detailed breakdowns.
When Things Go Wrong
A processor breach triggers obligations on both sides. Processors must notify you without undue delay; you must assess the breach and, where it is notifiable, inform the supervisory authority within 72 hours of becoming aware of it.
Your DPA should define what constitutes a reportable incident, communication channels, required information (nature of breach, data categories, approximate number of subjects, measures taken), and cooperation obligations.
Review enforcement cases involving processor breaches to understand how regulators evaluate DPA compliance in practice.
The Bottom Line
DPAs are foundational to GDPR compliance, yet frequently treated as a checkbox exercise. The organizations that manage them well treat DPAs as living documents that reflect actual data flows, are reviewed regularly, and are backed by evidence of ongoing oversight.
Start with your data inventory. Know who processes your data, where, and under what terms. Then build a systematic review process that catches gaps before regulators do.