Two common mistakes in data processing agreements

1 min read • Simon • GDPR • 30 October 2025

A data processing agreement is not merely a formal appendix to a contract – it is an explicit requirement under Article 28 GDPR and a central element in demonstrating that personal data are processed lawfully. Nonetheless, reviews frequently show that such agreements are carelessly drafted, incomplete or plainly incorrect, which can render the processing non-compliant with the GDPR and expose both parties to sanctions. Below, we outline two common mistakes organisations should avoid – issues that can be remedied with a well-structured agreement.

1. The agreement lacks clear instructions

A core principle of the GDPR is that the processor may process personal data only in accordance with documented instructions from the controller. If the agreement is broadly worded or lacks clear instructions regarding purpose, categories of data and security measures, the processor risks acting outside its mandate. This may result in the processor being deemed a separate controller for part of the processing – with full legal responsibility and exposure to sanctions. To avoid this, the agreement should set out in detail which data may be processed, for what purposes, and the applicable security requirements. It is also prudent to capture this in an annex that can be updated easily as the processing evolves, rather than having to renegotiate the entire agreement.

2. Sub-processors are handled incorrectly

Sub-processors are another common pitfall. The GDPR requires that a processor must not engage a sub-processor without the controller’s prior specific or general authorisation. Yet many agreements lack a clear process for approving new sub-processors, the conditions that apply, and how changes are communicated. Without clear rules, an organisation risks losing control over where and how personal data are processed, especially if sub-processors are established outside the EU/EEA. A sound agreement should therefore require the processor to provide timely notice of any intention to appoint new sub-processors and allow the controller to object. In addition, the agreement must ensure that transfers to third countries comply with Chapter V GDPR, for example by using Standard Contractual Clauses or other permitted mechanisms.

At Morling Consulting, our experienced data protection lawyers help identify and remedy common weaknesses in data processing agreements. We ensure that responsibilities and instructions are clearly regulated so that the processing the processor is to perform – and permitted to perform – is properly documented.