When is a data processing agreement required under the GDPR?
A data processing agreement is not a recommendation or a “nice to have”: it is a legal requirement under the General Data Protection Regulation (GDPR) whenever personal data are processed on behalf of a controller. Article 28(3) GDPR requires that processing by a processor be governed by a contract or other legal act binding the processor to the controller; without one, a processor may not lawfully process personal data on the controller's behalf.
A data processing agreement is always required where an external party processes personal data for the controller. Typical examples include providers of IT, HR or cloud services. The agreement must meet the formal requirements set out in Article 28 GDPR. Among other things, it must set out the subject-matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects, the controller's documented instructions, the security measures required under Article 32 GDPR, and the conditions under which the processor may engage sub-processors.
The absence of a proper agreement between the controller and the processor is itself an infringement of Article 28 GDPR and may result in administrative fines, even if the underlying processing otherwise complies with the Regulation.
How to tell whether a data processing agreement is needed
Whether a data processing agreement is required does not depend on how the parties label their arrangement, but on the actual circumstances of how the personal data are handled. The GDPR does not distinguish between small and large companies, nor between entities inside and outside the same corporate group; the same rules apply to all. A data processing agreement is required:
- where one party processes personal data on behalf of another, for example as part of a service or an engagement;
- where the party that determines the purposes and means of the processing is not the same as the party that performs the processing;
- where the processing party has no independent influence over the purpose or the means of the processing and acts only on the other party's instructions.
If you are unsure which party is the controller and which is the processor, assess who determines the purposes and means of the processing: that party is the controller, and the party acting on its instructions is the processor. If both parties jointly determine the purposes and means, they are joint controllers under Article 26 GDPR and need a joint-controller arrangement rather than a data processing agreement.
At Morling Consulting, our data protection lawyers help companies put legally robust agreements in place with vendors that process personal data. We support the drafting and negotiation of controller-processor agreements, review your existing vendor DPAs, and ensure your documentation meets the requirements of Article 28 GDPR.
10 March 2026