Everything you need to know about a Data Processing Agreement

Updated: August 2025

Handling personal data means following regulations like the GDPR. If you use third-party services to process that data, a Data Processing Agreement (DPA) is a legally required document. This guide answers common questions about what a DPA is, when you need one, and what key elements to look for.

Key Takeaways

A Data Processing Agreement (DPA) is a legally required contract under the GDPR. It must be in place whenever a data controller outsources the processing of personal data to a third party.

Responsibility for data protection extends down the supply chain. A controller needs a DPA with its processor, and that processor must have a DPA with any sub-processors it uses.

The data controller remains liable for data protection, even if a breach occurs on the processor’s side. The DPA must limit the processor to only use data for the specific purposes outlined in the contract.

What is a DPA?

A data processing agreement (DPA) is a legally binding document to be entered into between the controller and the processor in writing or in electronic form. It regulates the particularities of data processing, such as its scope and purpose, as well as the relationship between the controller and the processor.

Why is a DPA important?

The GDPR requires data controllers to take measures to ensure the protection of personal data they handle. If data controllers decide to outsource certain data processing activities, they must be able to demonstrate that their suppliers and sub-processors also provide sufficient guarantees to protect the data and act in a GDPR compliant manner.

When do you need to sign a DPA?

If you are a controller and, as a result of outsourcing, you wish to transfer your data to a third party, for example, a cloud provider, you need to sign a DPA with that third party.

Do processors have to sign a DPA with their sub-processors?

Yes, even if you are not a controller, but a processor, and decide to outsource your activities, you’ll need to sign a DPA and ensure that any other sub-processor in the chain complies with the requirements of the GDPR.

What is data processing?

The GDPR regulates data processing in a broad manner. It says that any operation performed on personal data amounts to processing. For example, the acts of collecting, storing, disclosing or erasing personal data are all considered processing and fall under the GDPR.

Who is a data controller?

The data controller is the person who determines the purpose and means of the data processing.

Who is a data processor?

A data processor is the person who processes data on behalf of a controller, in accordance with the controller’s instructions.

What to watch out for when signing a DPA?

One of the most important elements of a DPA is whether your processors provide sufficient guarantees for the protection of the data transferred to them. Under the GDPR, if there is a data breach, even if it’s on the side of the processor, you, as a controller, might be held responsible. Hence, it is important to choose processors that implement sufficient measures to minimise the risk of a data breach. Furthermore, processors should also take sufficient measures to decrease the effect of a breach and to inform you in due course.

Data processors should not be able to process your data for any purpose other than the purpose of your DPA and of the outsourcing. Accordingly, you should check how the processor will use the data you transfer to it: whether the use is in accordance with your contract, or whether the processor intends to use the data for its own purposes. Hence, you need to make sure that the scope of the processor’s DPA is not broader than the original legal basis you have for processing the personal data.

FAQs

What is the difference between a data controller and a data processor? A data controller is the entity that determines the purpose and means of data processing (the “why” and “how”). A data processor is the entity that processes data on behalf of the controller, following their instructions.

Am I still responsible if my processor has a data breach? Yes. The GDPR holds the data controller responsible for a breach, even if it happens at the processor level. This makes the selection of processors with sufficient data protection measures a high-priority task for any controller.

Do I need a DPA to use a cloud service provider like Google Drive or AWS? Yes. If you store personal data using a third-party cloud service, that provider is acting as a data processor. You, as the controller, are required to have a DPA with them that outlines how they will handle and protect the data.