6 answers on the data processing agreement (DPA)
A data processing agreement (DPA) is required by Art. 28 GDPR as soon as an external service provider processes personal data on your behalf. It fixes who is responsible for what; its absence is itself an infringement that can be fined and that undermines the trust of customers and partners.

Context: Why a DPA is central
A data processing agreement (DPA) plays a central role in modern data protection. Under the GDPR, it is essential as soon as a business commissions an external service provider to process personal data.
The agreement creates clear rules for data processing and helps avoid legal consequences as well as loss of trust among customers or partners.
What is a data processing agreement (DPA)?
The DPA is the contract between the controller (your business, which decides why and how personal data is processed) and the processor (the service provider, which may act only on your instructions). It lays down how the data must be processed, stored and protected, and what the provider may not do with it.
Practical example: a newsletter provider for an online shop. The DPA obliges the provider to use the subscribers' email addresses solely to send the shop's newsletter, on the shop's instructions, and not for its own purposes.
When do I need a DPA?
Whenever an external service provider processes personal data on your behalf – even if it is “only” storage, analysis, or access. Hosting, backups and remote maintenance or support access all count, even if the provider never looks at the content.
Examples: cloud accounting software or an external CRM system that manages customer data.
What does a DPA include?
Typical contents (Art. 28(3) GDPR sets the minimum): the parties and their contact details; subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects; the processor's duty to process only on the controller's documented instructions and to bind its staff to confidentiality; the technical and organisational measures (TOMs) for data security, usually as an annex; the duty to report personal data breaches to the controller without undue delay; the conditions for engaging sub-processors; assistance with data subject requests and data protection impact assessments; return or erasure of the data at the end of the contract; and the controller's right to information and audits.
Often included: provisions on liability and compensation between the parties for violations. A practical check: make sure the TOM annex is actually filled in rather than left as a placeholder, and that the sub-processor list is current.
Who must create the DPA?
The controller is responsible for concluding a DPA before using a processor and for ensuring it meets the GDPR's requirements, so it should initiate the agreement.
Processors often provide standard templates that can be adapted. Check that the template covers every point required by Art. 28(3) GDPR, and make sure both parties understand and accept the contents; both controller and processor can be fined for a missing or deficient contract.
When must the DPA be concluded?
As soon as an external service provider processes or accesses personal data on your behalf: the DPA must be in place before the first personal data is transferred or access is granted, not signed afterwards. It must be in writing; electronic form is sufficient (Art. 28(9) GDPR).
What happens without a DPA?
Without a DPA you risk fines (infringements of Art. 28 GDPR can be fined with up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher), loss of trust and unclear responsibilities, and you have no contractual basis for the security measures, breach notifications and erasure you rely on from the provider.
Conclusion
A DPA gives you legal certainty when working with service providers: it clarifies who is responsible for what and protects against financial and reputational harm.
Author

Sebastian Schenk
Co-Founder & CEO
Lawyer and data protection officer. Drives product vision at simply Legal and ensures Dieter is sound legally and in practice.
This article reflects the position at the date of publication. We update our content when the law changes.
Related articles

Thursday, 10 July 2025
How to create a privacy policy
Every website needs a privacy policy. It fulfils the information obligations under Art. 13 GDPR and explains which data is processed for what purpose and on what legal basis.

Thursday, 11 September 2025
Technical and organisational measures
Technical and organisational measures (TOMs) are the backbone of data protection under the GDPR. They range from technical security safeguards to organisational processes and should be reviewed and adjusted regularly.

Monday, 10 November 2025
Record of processing activities (ROPA) and data deletion concept
The ROPA and a data deletion concept are central building blocks of GDPR compliance: the ROPA documents processing activities; the deletion concept ensures storage limitation and compliant data erasure.
