What is a Data Processing Agreement?
Updated: 11 March 2026
A data processing agreement (DPA) is a legally mandated contract between a data controller (the organisation that determines why and how personal data is processed) and a data processor (the party that processes personal data on the controller's behalf). The General Data Protection Regulation (GDPR) requires this agreement to be in place in writing before processing begins. Outsourcing data processing without a DPA is a direct GDPR violation.
How does a data processing agreement work?
The data processing agreement is governed by Article 28 of the GDPR. Whenever you engage an external party that processes personal data on your organisation's behalf, such as a payroll provider, cloud hosting service, email marketing platform, or IT managed services provider, you are legally required to have a DPA in place.
The agreement must cover at minimum: the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the rights and obligations of the controller. Additionally, it includes provisions on security measures, confidentiality, use of sub-processors, data breach notification obligations, and the return or destruction of data upon termination.
In practice, many SaaS providers offer a standard DPA as an appendix to their terms of service. Always verify that the standard document fits your specific situation: what data are you processing, does it include special category data (health records, national identification numbers), and where is the data stored?
For the healthcare sector, additional requirements apply: medical personal data constitutes special category data subject to stricter security requirements. The DPA must explicitly address the nature of this data and the additional safeguards the processor implements.
A common oversight is sub-processors. If your processor engages a third party (for example, a hosting provider), this must be addressed in the DPA including an approval procedure for changes to sub-processors.
Why does this matter for SMBs?
Data protection authorities can impose fines of up to 10 million euros or 2% of global annual turnover for the absence of a data processing agreement. But the financial risk is not the only concern: without a DPA, you lack the contractual basis for security requirements, data breach notification obligations, and the return of data upon termination.
For SMBs in healthcare and IT, this is particularly relevant: they often process sensitive data through multiple external parties. A missing DPA at any link in the chain makes the entire processing chain vulnerable.
How to manage this correctly
1. Inventory all external parties that process personal data on your behalf and verify that a DPA is in place for each.
2. Use the provider's standard DPA as a starting point, but verify that it covers your specific processing activities.
3. Document which sub-processors the processor uses and require an approval procedure for any changes.
4. Review DPAs annually for currency, especially when the scope of services or data storage locations change.
5. Store DPAs alongside the main contract in your contract management system for audit readiness.