Under the GDPR, if you share personal data with a vendor who processes it on your behalf, you are legally required to have a data processing agreement (DPA) in place. Signing a DPA without reading it carefully can create significant regulatory exposure — because under GDPR, as the data controller, you remain responsible for what happens to that data even after you hand it over.
What is a Data Processing Agreement?
A data processing agreement (DPA) is a contract between a data controller (the business that decides why and how personal data is processed) and a data processor (the vendor that processes the data only on the controller's documented instructions). Article 28(3) of the GDPR sets out the mandatory content of every DPA: the subject matter, duration, nature, and purpose of the processing; the types of personal data and categories of data subjects; and the obligations and rights of the controller. It also requires the DPA to bind the processor to a fixed set of duties, including acting only on documented instructions, keeping staff under confidentiality, applying the security measures required by Article 32, following the subprocessor rules, assisting the controller with data subject requests and breach handling, deleting or returning the data at the end of the engagement, and submitting to audits. Without a compliant DPA, both parties risk enforcement action by national supervisory authorities.
Red flags to watch for
Article 28(3) requires the DPA to specify the types of personal data and the categories of data subjects. A generic reference to "personal data" is insufficient and makes it harder to demonstrate to a regulator what you actually authorised the vendor to process.
A processor that decides for itself the purposes and means of processing, beyond your documented instructions, is treated under Article 28(10) as a controller for that additional processing. The processor is then in breach of Article 28, and you as controller are exposed for having failed to ensure the guarantees Article 28(1) requires. Any clause allowing the vendor to use your customer data for its own purposes (analytics, product improvement, marketing, training its own models) is a red flag.
Article 33(2) requires processors to notify the controller of a personal data breach without undue delay after becoming aware of it; the GDPR sets no fixed number of hours for this step. The 72-hour deadline in Article 33(1) is yours: it runs from the moment you, the controller, become aware of the breach, and any delay on the processor's side eats into that window. A DPA that gives the processor a long or vague notification period (for example "within a reasonable time" or several business days) or that makes notification conditional on the processor's own assessment of severity may leave you unable to meet your regulatory deadline.
Under Article 28(2) a processor may engage a subprocessor only with your prior specific or general written authorisation, and where the authorisation is general the processor must inform you of intended additions or replacements in time for you to object. You should therefore have the right to object to a new subprocessor before it processes your data. A DPA that only promises notification after the fact does not let you prevent a subprocessor you consider unsuitable.
If the processor or any subprocessor is outside the EEA, a lawful transfer mechanism under Chapter V of the GDPR must be in place (an adequacy decision, Standard Contractual Clauses, or Binding Corporate Rules), and the DPA should identify which one applies. A DPA that is silent on this point is a compliance gap, and so is one that relies on a mechanism without the supporting measures it requires.
Your legal rights
As a data controller, you are responsible under Article 28(1) for using only processors that provide sufficient guarantees of compliance. Signing an inadequate DPA is itself a GDPR infringement. Under Article 82, where a controller and a processor are both responsible for damage caused to data subjects, each can be held liable for the entire damage. Under Article 83, supervisory authorities can fine up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements; breaches of the Article 28 obligations themselves fall in the lower tier of EUR 10 million or 2%. Processors can also be fined directly. In the United Kingdom, the UK GDPR, read together with the Data Protection Act 2018, imposes equivalent requirements.
Questions to ask before you sign
1. Does the DPA specifically identify the categories of personal data being processed and for what purpose?
2. Is the processor prohibited from using your data for its own purposes?
3. What is the processor's breach notification timeline and process?
4. How are new subprocessors approved and what is the objection process?
5. If data is transferred outside the EEA, which transfer mechanism is used?
Disclaimer: This guide is for educational purposes only and does not constitute legal advice. Contract law varies by jurisdiction and individual circumstances. Always consult a qualified legal professional before making decisions based on this information.