What is a data processing agreement?
Practical guidance on data processor agreements
What should a data processing agreement contain under the GDPR? A data processing agreement is a contract that governs the relationship between a controller and a processor in respect of the processing the processor carries out on behalf of the controller. The English term, data processing agreement (often abbreviated “DPA”), is used where one of the parties is international or the contract is written in English.
Data processing agreements are required by the General Data Protection Regulation (GDPR) and ensure that personal data is handled lawfully and securely when an organisation engages an external party to process personal data on its behalf. It is common for the data processor agreement to be attached as an appendix to a master agreement, obliging the processor to comply with its terms for the processing.
Which parties enter into a data processing agreement under the GDPR? The agreement defines the roles and responsibilities of both the controller and the processor. The controller is the organisation that determines the purposes and means of the processing of personal data, while the processor processes personal data on behalf of the controller. The agreement must contain specific instructions on processing, the security measures to be applied, and how the processor will support the controller in meeting its obligations under the GDPR.
GDPR data processor agreement templates: organisations often start from a template. We provide a data processing agreement template and ensure it is adapted to your circumstances. We also provide agreements in English, which is particularly important where there are international elements. Treat templates only as examples of a data processing agreement; every processor relationship differs and we do not recommend downloading a template online without a GDPR lawyer’s review.
Morling Consulting’s GDPR specialists provide ongoing advice on drafting, interpreting and negotiating data processing agreements. Our lawyers can help your organisation design tailored agreements that meet all legal requirements and reflect your specific operational context.
Data processing agreement: what to include
Under the GDPR the agreement must contain certain core information and terms. A data processor agreement typically sets out, for example:
- the subject-matter of the processing,
- the duration of the processing,
- the nature and purpose of the processing,
- the types of personal data processed,
- the categories of data subjects,
- the controller’s obligations and rights,
- how the processor will handle requests from data subjects, and
- how the processor will act in the event of a personal data breach.
Beyond these points, the agreement should be adapted to the organisation’s specific needs and risks. A clear, well-structured data processing agreement reduces the risk of misunderstandings and supports secure and lawful processing.
Why are data processor agreements important?
A data processing agreement governs key safeguards for data protection and privacy when outsourcing processing. It is not only a statutory requirement under the GDPR, but also clarifies accountability and promotes responsible handling of personal data.
By clearly allocating responsibilities between the parties, the agreement helps prevent misunderstandings and potential personal data breaches, and if an incident does occur, it sets out how the processor must respond. It gives the controller control over how “its” personal data is processed by a third party. For the processor, it provides a clear operational framework, reducing the risk of inadvertent breaches of data protection law.
A well-designed data processing agreement is also a practical way to demonstrate GDPR compliance. In the event of a review by data protection authorities, a compliant agreement evidences that the organisation has taken necessary measures to ensure that personal data is processed in accordance with the GDPR. A controller may also audit the processor; the agreement then shows whether the processor has implemented the required measures.
Finally, a robust data processor agreement builds trust with customers and users. Showing that data protection is taken seriously enhances reputation and credibility, and having agreements tailored to the specific deal can also facilitate contracting with new clients.
When is a data processing agreement required?
An agreement is required when a controller engages an external party (a processor) to process personal data on its behalf. This is common when using, for example, cloud services, IT support or payroll services. The agreement regulates the processor’s handling of personal data and helps meet GDPR requirements.
When is a data processor agreement not required? No agreement is needed when:
- the organisation processes personal data internally,
- two parties are joint controllers (in which case a joint controllership arrangement is required), or
- no personal data is processed, so the GDPR does not apply.
The decisive factor is whether an external party is engaged to process personal data on behalf of the controller. To determine whether a data processing agreement is needed, define the parties’ roles and the data to be processed.
How to succeed with your data processing agreement
Drafting a data processor agreement can be complex, particularly where collaborations involve many types of processing activities. A common challenge is striking the right balance between sufficient detail to meet legal requirements and sufficient flexibility to accommodate changes over time.
Another challenge is ensuring the agreement is actually implemented. It is not enough to have a contract; both the controller and the processor must actively implement the agreed measures and procedures.
To address these challenges, involve relevant stakeholders from legal and technical functions when drafting and negotiating the agreement. Regular reviews and updates are also essential to keep the agreement relevant and effective.
The significance of a data processing agreement can be summarised as follows:
- A central component of an organisation’s data protection programme.
- Provides structure and clarity in personal data processing.
- Helps organisations meet legal obligations.
- Builds trust with the wider market.
- Positions you as a responsible organisation.
Morling Consulting not only helps to draft data processing agreements; we also provide GDPR advisory services on how best to implement and maintain compliance in practice. Contact us with your questions — we can help.
Common questions on data processor agreements (DPA)
A data processing agreement (often “DPA”) is a contract between a controller and a processor that governs how personal data may be processed on behalf of the controller. The GDPR requires such an agreement in order to protect the rights of data subjects and to ensure that the processing complies with the regulation. In short, that is what a data processing agreement is in practice.
A data processor agreement must be concluded when a controller engages an external party (the processor) to process personal data on the controller’s behalf. Typical situations include:
- using cloud services or external IT providers,
- engaging external providers for payroll, HR platforms or CRM systems, and
- outsourcing customer service or support functions.
Under Article 28 of the GDPR, the agreement must, among other things:
- specify the types of personal data and categories of data subjects,
- describe the security measures to be applied,
- set out the processor’s duties and instructions,
- regulate handling of personal data breaches and data subject requests, and
- clarify how and when data will be deleted or returned at the end of the engagement.
A data processing agreement is used when an external party processes personal data on behalf of the controller. A joint controllership arrangement is used when two parties jointly determine the purposes and means of processing, in which case they share responsibility under the GDPR.
Morling Consulting advises businesses and organisations across Europe on the GDPR and supports the drafting, review and negotiation of data processing agreements, including:
- review and adaptation of existing agreements,
- development of tailored agreements aligned to your operations,
- negotiations with vendors or partners,
- training and ongoing advisory to ensure compliance, and
- international processor relationships and transfers outside the EU.
We have extensive experience helping organisations in diverse sectors with data processing agreements. Examples include:
- cloud service agreements for SaaS providers: reviewing and adapting agreements to ensure both provider and customer meet GDPR requirements for cloud processing,
- IT outsourcing: supporting negotiations, including incident management and third-country transfers,
- international collaborations: helping businesses that work with global partners to produce DPAs that meet GDPR, and
- audit and follow-up: legal reviews of existing agreements to identify risks and ensure the terms are implemented in practice.
Whether you need support with a single contract or an internal framework for processor relationships, our GDPR lawyers provide assured, business-focused advice.
Contact
If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85