Data Processing Agreement (DPA): What Must Be in It and How to Close One
You probably need more DPAs than you think
Imagine you send a monthly newsletter through Mailchimp. Your customer data (name, email address, click behavior) sits on Mailchimp's servers. That means Mailchimp processes personal data on your behalf. And for that, you need a Data Processing Agreement (DPA).
It's not just your email tool. Your HR software, accounting system, cloud storage, CRM: anywhere an external party accesses or stores personal data, a Data Processing Agreement is required.
Yet many SMBs are missing a large portion of these agreements. Not out of unwillingness, but because it's unclear what needs to go in them and how to set them up. Before you draft or sign a Data Processing Agreement, you'll want to know what GDPR Article 28 requires. Below you'll find what a DPA must contain, how to request one, and what to do when a supplier pushes back.
What is a Data Processing Agreement and when do you need one?
A Data Processing Agreement is a contract between you (the data controller) and a party that processes personal data on your behalf (the data processor). Article 28(3) of the GDPR requires that such processing is governed by a contract (or other legally binding act) that sets out the processor's obligations.
The key question: does another party process personal data on your instructions? Then a Data Processing Agreement is mandatory.
Examples where you need a DPA:
- Email marketing (Mailchimp, ActiveCampaign), because they store your mailing list
- HR software (Personio, AFAS), which contains employee data
- Accounting software (Exact, Moneybird) with customer details and invoice data
- Cloud storage (Google Workspace, Microsoft 365) where documents containing personal data are stored
- CRM systems (HubSpot, Salesforce) with customer information
- Hosting providers, if they have access to data on your servers
A common mistake: thinking you don't need a DPA because you "only share a little data." The GDPR makes no distinction based on volume. A single email address already counts as personal data.
When are you the data controller?
You are the data controller when you determine why and how personal data is processed. The processor carries out that processing according to your instructions. Why does that matter? Because it determines who should initiate the DPA.
A few examples:
| Situation | Your role | Role of the other party |
|---|---|---|
| You use Mailchimp for your newsletter | Data controller | Data processor |
| Your accountant handles your payroll | Data controller | Data processor |
| Your client sends you personal data to process | Data processor | Data controller |
Note: sometimes a party is not a processor but an independent data controller. Think of a lawyer who independently decides how case files are handled. In that case, a Data Processing Agreement isn't needed, but a data sharing agreement may be.
The 7 things every DPA must include (GDPR Article 28)
Article 28 of the GDPR describes what must be included in a Data Processing Agreement at minimum. These are the mandatory elements, in plain language. Article 28(3) also spells out the processor's own obligations: processing only on your documented instructions, confidentiality of the people handling the data, security measures, rules for sub-processors, assistance with data subject requests and breach notifications, deletion or return of the data at the end of the contract, and making information available for audits. The checklist at the end of this page covers those as well.
1. The subject and duration of the processing
What is being processed and for how long? For example: "Processing of email addresses for sending newsletters, for the duration of the agreement."
2. The nature and purpose of the processing
Why is the data being processed? Be specific. "Marketing purposes" is too vague. "Sending personalized email campaigns" is better.
3. The type of personal data
Which categories of data are being processed? Names, email addresses, IP addresses, financial data, health data, for example. Special categories such as health data raise the bar for the security measures and for the purpose limitation.
4. The categories of data subjects
Whose data is it? Customers, employees, website visitors, job applicants?
5. The rights and obligations of the data controller
What can you expect and what are your responsibilities? At minimum: the processor acts only on your documented instructions, and you remain responsible for the lawfulness of the processing.
6. Technical and organizational security measures
How does the processor protect the data? Encryption, access controls, logging, backup procedures. Article 32 of the GDPR is the yardstick. This doesn't need to be a novel, but "we do our best" won't cut it; ask for concrete measures or a reference to a certified security program.
7. Rules for sub-processors
Does the processor engage other parties in turn? Then the agreement must cover that: your prior (general or specific) authorization, a duty to inform you of changes, and the same data protection obligations flowing down to the sub-processor. More on this below.
How do you request a DPA from a supplier?
With large SaaS providers (Google, Microsoft, Mailchimp), requesting a DPA is easier than you might expect. They have standard Data Processing Agreements available. You'll usually find them:
- In your account dashboard under "Privacy" or "Legal"
- On their website under "DPA" or "Data Processing Agreement"
- Through customer support or your account manager
With smaller suppliers, it's a matter of sending an email: "We're currently getting our GDPR documentation in order. Could you provide us with a Data Processing Agreement?"
Tip: keep a standard email template for DPA requests. That way it takes you five minutes per supplier instead of half an hour.
Want to track per supplier which DPAs you already have and which are still missing? In ComplianceHive, you link Data Processing Agreements directly to your suppliers, so you can see at a glance where the gaps are. Explore the options.
What if a supplier won't sign a DPA?
This happens more often than you'd like: a supplier says "that's not necessary for us" or "we don't process personal data," while they clearly have access to customer data.
Your options:
- Explain in writing why it is necessary. Refer to GDPR Article 28. Many suppliers genuinely don't realize they qualify as a processor, or that Article 28 binds them as well as you.
- Ask for an alternative. Some suppliers have their own DPA that they don't actively offer. A direct question sometimes produces a document after all.
- Document the refusal. If a supplier refuses, record that, together with the date and what you asked for. It's relevant if the Data Protection Authority ever asks why you don't have a DPA with that party.
- Consider a different supplier. A party that refuses to sign a Data Processing Agreement is a risk. Legally, but also as a signal about how they handle data protection.
What to watch for in a DPA you do receive:
- Vague or missing information about where data is stored and, for storage outside the EEA, which transfer mechanism is relied on
- No provisions for what happens in case of a data breach
- No audit rights for you as the data controller
- No mention of sub-processors
- Clauses that give the processor the right to use data for their own purposes
See any of these? Go back to the supplier. A DPA with gaps offers a false sense of security.
Keeping track of DPAs: how do you do it in practice?
Closing a Data Processing Agreement is step one. But during an audit, the Data Protection Authority will want to see that you have an overview: which suppliers process data, which DPAs are in place, and when were they last reviewed?
Many companies start with a spreadsheet. That works until you have fifteen suppliers and three colleagues all maintaining a different version.
What you should record per supplier at minimum:
- Name of the supplier
- Which personal data they process
- Whether a DPA is in place (yes/no)
- Date of the DPA
- Which sub-processors they use
- When you last reviewed the DPA
This register isn't a formality. It's the first thing auditors ask for.
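The register above can be kept as a simple CSV file and checked automatically for the gaps an auditor would spot first. The script below is an added example written for this article; it is not part of ComplianceHive or of any tool mentioned on the page. The column names, the sample rows and the one-year review interval are assumptions made for the example (the GDPR sets no fixed review interval), and the sample register is constructed, not real supplier data.

```python
import csv
import io
from datetime import date, timedelta

# How often a DPA should be re-checked. The GDPR sets no fixed interval;
# one year is an assumption chosen for this example.
REVIEW_INTERVAL = timedelta(days=365)

# Constructed sample register using the per-supplier fields from the text.
# Dates are ISO (YYYY-MM-DD); sub-processors are separated by semicolons.
SAMPLE_REGISTER = """\
supplier,personal_data,dpa_in_place,dpa_date,sub_processors,last_reviewed
Mailchimp,"names, email addresses, click behaviour",yes,2023-02-01,"Amazon Web Services; Google Cloud",2024-09-01
Personio,employee data,yes,2022-06-10,,2022-06-10
Exact,"customer details, invoice data",no,,,
Google Workspace,documents containing personal data,yes,2024-05-20,sub-processor list on file,
"""


def parse_date(text):
    """Return a date for an ISO string, or None for an empty cell."""
    text = (text or "").strip()
    return date.fromisoformat(text) if text else None


def audit_register(csv_text, today, review_interval=REVIEW_INTERVAL):
    """Map each supplier to the list of gaps an auditor would flag.

    An empty list means the entry is complete and current.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if not row["personal_data"].strip():
            issues.append("personal data categories not recorded")
        has_dpa = row["dpa_in_place"].strip().lower() in {"yes", "y", "true"}
        if not has_dpa:
            # Without a DPA the remaining columns cannot be assessed.
            issues.append("no DPA in place")
        else:
            if parse_date(row["dpa_date"]) is None:
                issues.append("DPA date missing")
            if not row["sub_processors"].strip():
                issues.append("sub-processors not recorded")
            last = parse_date(row["last_reviewed"])
            if last is None:
                issues.append("never reviewed")
            elif today - last > review_interval:
                days = (today - last).days
                issues.append(f"review overdue ({days} days since last review)")
        findings[row["supplier"].strip()] = issues
    return findings


def suppliers_with_gaps(findings):
    """Sorted names of suppliers that have at least one open issue."""
    return sorted(name for name, issues in findings.items() if issues)


if __name__ == "__main__":
    report = audit_register(SAMPLE_REGISTER, today=date.today())
    for supplier, issues in report.items():
        print(f"{supplier}: {'OK' if not issues else '; '.join(issues)}")
    print("Suppliers to follow up:", ", ".join(suppliers_with_gaps(report)))
```

Run it against your own export with the same column names and work through the suppliers it lists. Passing `today` explicitly keeps the check reproducible, which matters when you want to show an auditor what the register looked like on a given date.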
In ComplianceHive, you store Data Processing Agreements as a document linked to the relevant supplier. That way you keep an overview without it turning into a mess of loose files.
Checklist: is your DPA complete?
Use this checklist to assess existing and new Data Processing Agreements:
- [ ] Subject and duration of the processing are described
- [ ] Purpose of the processing is specifically defined (not "various purposes")
- [ ] Type of personal data is specified (names, emails, IP addresses, etc.)
- [ ] Categories of data subjects are listed (customers, employees, etc.)
- [ ] Security measures are described in concrete terms
- [ ] Data breach procedure is included: the processor must notify you without undue delay after becoming aware of a breach (GDPR Article 33(2)), early enough for you to meet your own 72-hour deadline for notifying the supervisory authority (Article 33(1))
- [ ] Sub-processors are named or a consent procedure is in place
- [ ] Audit rights are included
- [ ] Deletion or return of data after termination is arranged, at your choice, including copies held by sub-processors
- [ ] The DPA is signed by both parties
Missing items? Contact your supplier to supplement the DPA. An incomplete Data Processing Agreement is almost as risky as having no agreement at all.
Start your DPA overview today
You don't need to be a lawyer to get your Data Processing Agreements in order. Make a list of all your suppliers that process personal data. Check per supplier whether you have a DPA. Test existing DPAs against the checklist above. Address the gaps one by one.
An afternoon's work. After that, audits get a lot less stressful.
Store all your Data Processing Agreements in ComplianceHive and immediately track which suppliers are still missing a DPA. A clear starting point for your supplier documentation. Start for free.