PUBLISHED ON 2026-02-13

Data Processing Agreements (DPA): A Complete GDPR Compliance Guide

If your business shares personal data with any third party — a cloud hosting provider, an email marketing platform, a payment processor — you are legally required under GDPR Article 28 to have a Data Processing Agreement (DPA) in place. Failure to do so can result in fines of up to €20 million or 4% of your global annual revenue.

What Is a Data Processing Agreement?

A DPA is a legally binding contract between a data controller (the organization that determines why and how personal data is processed) and a data processor (the third party that processes data on the controller's behalf). It ensures that the processor handles personal data in accordance with GDPR requirements.

When Do You Need a DPA?

You need a DPA whenever you share personal data with an external service provider. Common examples include:

  • Cloud services: AWS, Google Cloud, Azure — where customer data is stored.
  • Email marketing: Mailchimp, SendGrid — where subscriber email addresses are processed.
  • Payment processing: Stripe, PayPal — where customer financial data is handled.
  • Analytics: Google Analytics — where user behavior data is collected.
  • Customer support: Zendesk, Intercom — where customer personal data is accessed.
  • HR software: BambooHR, Workday — where employee personal data is managed.

Mandatory Clauses Under GDPR Article 28

The GDPR specifies exactly what a DPA must contain:

1. Subject Matter and Duration

Describe what data will be processed, the purpose of processing, and how long the processing will last. Be specific — courts look for clarity in these definitions.

2. Nature and Purpose of Processing

Explain what the processor will do with the data and why. For example: "The processor will store and transmit customer email addresses for the purpose of sending marketing newsletters."

3. Types of Personal Data

List the categories of data being processed: names, email addresses, IP addresses, financial information, health data, etc. The more sensitive the data, the stricter the security requirements.

4. Security Measures

The processor must implement appropriate technical and organizational measures to protect data: encryption, access controls, regular security audits, incident response procedures, and employee training.

5. Sub-processors

If the processor uses sub-processors (e.g., a cloud provider using another cloud provider), they must obtain the controller's written authorization and ensure sub-processors are bound by equivalent protections.

6. Data Subject Rights

The processor must assist the controller in responding to data subject requests: access, rectification, erasure, portability, and objection. The DPA should specify the process and timeline for this assistance.

7. Breach Notification

The processor must notify the controller of any data breach "without undue delay" — typically within 24–48 hours. The notification must include the nature of the breach, categories of data affected, and measures taken to mitigate damage.

8. Data Deletion

Upon termination of the agreement, the processor must delete or return all personal data and certify the deletion in writing.

Create Your DPA

Don't risk GDPR non-compliance. Use our Free DPA Generator to create a GDPR-compliant Data Processing Agreement tailored to your business in minutes.