Data Processing under GDPR

Mandatory DPA contents, controller vs. processor distinction, sub-processors, and practical checklist.

Data Processing Agreements under the GDPR

Whenever a third party processes personal data on behalf of a controller, Article 28 GDPR requires a Data Processing Agreement (DPA). This applies to cloud providers, SaaS tools, payroll services, marketing agencies, IT support companies, and any other service provider that handles personal data on your instructions.

Without a valid DPA in place, the data transfer to the processor is unlawful and can result in fines of up to EUR 10 million or 2% of annual global turnover. Understanding the distinction between controller and processor, and getting the DPA right, is essential for GDPR compliance.

Controller vs. Processor: The Key Distinction

The GDPR distinguishes between two roles:

  • Controller (Art. 4(7)): The entity that determines the purposes and means of processing personal data. The controller bears primary responsibility for GDPR compliance.
  • Processor (Art. 4(8)): The entity that processes personal data on behalf of the controller. The processor acts only on the controller's documented instructions.

A third category exists: joint controllers (Art. 26), where two or more controllers jointly determine the purposes and means of processing. In such cases, a joint controller agreement must define their respective responsibilities.

Practical tip: The classification depends on the actual circumstances, not on what the contract states. If a service provider makes its own decisions about how to process data, it may be a separate controller rather than a processor.

Mandatory DPA Contents (Art. 28(3))

Article 28(3) specifies the minimum contents that every DPA must include:

  • Subject matter and duration of the processing
  • Nature and purpose of the processing
  • Type of personal data and categories of data subjects
  • Obligations and rights of the controller
  • Processing only on documented instructions from the controller
  • Confidentiality obligations for personnel with access to data
  • Technical and organisational measures pursuant to Art. 32
  • Conditions for engaging sub-processors, including prior written authorisation
  • Assistance with data subject rights requests
  • Assistance with breach notification and DPIAs
  • Deletion or return of data at the end of the processing relationship
  • Audit rights for the controller or an appointed auditor

Sub-Processors

A processor may not engage another processor (sub-processor) without prior specific or general written authorisation of the controller. When general authorisation is given, the processor must inform the controller of any intended changes concerning the addition or replacement of sub-processors, giving the controller the opportunity to object.

The processor must impose the same data protection obligations on the sub-processor as those set out in the DPA. If the sub-processor fails to fulfil its obligations, the initial processor remains fully liable to the controller.

DPA Checklist

Use this checklist to verify your DPAs are compliant:

  • DPA is in writing (including electronic form)
  • Subject matter, duration, nature, and purpose are clearly defined
  • Data categories and data subject categories are specified
  • Processing only on documented instructions is confirmed
  • Confidentiality obligations are included
  • Technical and organisational measures are described (see TOMs guide)
  • Sub-processor provisions include notification and objection rights for the controller
  • Assistance obligations for data subject rights are defined
  • Assistance with breach notification is specified (see Breach Notification)
  • Data deletion or return at contract end is addressed
  • Audit rights for the controller are granted
  • International transfer mechanisms are in place if applicable (see International Data Transfers)

Common Pitfalls

  • Using a DPA when none is needed: Not every data exchange requires a DPA. If the service provider is a separate controller (e.g. a law firm providing legal advice), a DPA is not appropriate.
  • Relying on the processor's template without review: Many SaaS providers offer standard DPAs that may not fully reflect your requirements. Always review and negotiate if necessary.
  • Forgetting sub-processor chains: Major cloud providers often have dozens of sub-processors. Ensure you have visibility and the right to object.
  • No audit of actual compliance: Having a DPA on file is not enough. Periodically verify that your processors actually implement the agreed measures.

Manage Your Processing Agreements Centrally

Kopexa helps you track all DPAs, sub-processor chains, and audit results in one place. Ensure nothing falls through the cracks and maintain a complete audit trail. Start with our GDPR Checklist to assess your current compliance posture.