Data processing agreement: 7 elements every DPA should have

Data privacy & security GDPR

Published August 9, 2018 · Updated March 17, 2021

If you want to know how to construct a lawful data processing agreement, you’re in the right place. In this blog post we’ll walk you through all the important elements of a DPA under GDPR.

GDPR imposes many obligations on companies wanting to collect and use personal data about their clients (we have tackled them in numerous posts on our blog, be sure to check them out). One of the most important obligations is signing a DPA with every other entity that processes this data on your behalf.

In case the term doesn’t ring a bell – a data processing agreement (DPA) or commissioned data processing clause is a legally binding document signed between two key data processing actors under GDPR – the controller and the processor.

It regulates the particularities of data processing, such as its scope and purpose, as well as the relationship between those actors. In addition, it assigns certain obligations that are required by the Regulation.

When do you need a DPA?

Whenever a data processor carries out any processing on behalf of a data controller (that would be the case with CRMs, CDPs, analytics, and many other types of tools designed to analyze user behavior) you need to have a written contract in place (Article 28(3)).

The contract is important so that both parties understand their role in handling users’ personal data as well as obligations arising from it. It ensures that the chain of responsibility is clear to each participant in the process.

This isn’t really anything new, since signing this kind of document is required by many other data privacy regulations, including the British Data Protection Act and the predecessor to GDPR – Data Protection Directive 95/46/EC.

However, under GDPR, the contract requirements are broader and are no longer confined to just ensuring the security of personal data. They also aim to demonstrate that each party observes the particulars of the regulation.

According to the UK Information Commissioner’s Office:


Contracts between controllers and processors ensure that they both understand their obligations, responsibilities and liabilities. They help them to comply with the GDPR, and help controllers to demonstrate their compliance with the GDPR. The use of contracts by controllers and processors may also increase data subjects’ confidence in the handling of their personal data.

Does a DPA have to be a separate document?

This is a significant change in what the law requires, but in practice you may already have included many of these requirements in your existing contracts as good data privacy practice.

For that reason, many companies decide to insert a DPA into existing contracts with their partners. After all, there's no legal restriction stipulating that a DPA can't be part of a regular contract between the processor and the controller.

However, considering the complexity of the task, it’s advisable to create a separate document or annex to the main contract.

What should be included in a DPA?

GDPR, although its provisions are quite general, provides some guidance on how a DPA should be constructed.

Based on the regulation’s text as well as our own experience and expertise, we’ve prepared a list of elements every data processing agreement should have. So, without further ado, let’s review the essential parts of a GDPR-compliant DPA.

This guide aims to provide you with some useful tips on constructing a proper DPA. However, in this case there’s no one-size-fits-all solution. When creating your own version of this document, you should also take into consideration your sectoral regulations and other specific needs of your business.

Typically, the more restrictions your industry has, the more responsibilities will be placed on both the controller and processor.

General clauses

In this part of the contract – like in virtually every other type of contract – you specify the definitions of terms used later on in the document. Among other things, you should define:

  • The object of the agreement – typically that would be all activities related to the contractual relationship between partners.
  • The scope, nature, and duration of data processing – what the personal data is used for (for instance, to analyze user behavior on your website or to personalize user experience) and the party responsible for ensuring that the processed data meets the requirements of GDPR (that liability should rest with the controller).
  • The subjects of data processing – in this part you should define whether the data subjects are children, banking clients, patients, or simply website visitors (or maybe they fall into each of these categories).
  • Type of data you want to process – the categories of data that will be handled using the means of the data processor – for instance, technical characteristics of the browser, behavioral data on website activities, IP addresses, and more. At this point it's also important to state that the controller must inform the data processor if the data imported into the system falls under a special category of personal data (Article 9 – for example health data or data revealing political opinions).

    This is because such information should be processed in a more restricted fashion than regular types of personal data.

    If you want to read more about the categories of personal data, you should read this blog post:
    What Is PII, non-PII, and Personal Data?

  • Data storage – Although GDPR itself doesn't forbid companies from storing users' personal data outside the EU, it establishes certain restrictions related to the transfer of data beyond EU borders (see: Chapter 5). That's why it's worth including language stating that the data processor has no right to keep or process the controller's data outside the EU/EEA without the controller's prior written authorization.

    If data will be kept abroad, it's important to describe the steps the data processor has to undertake to ensure a level of protection essentially equivalent to that guaranteed within the EU. For instance, regarding data held in the United States, at the time of writing the Privacy Shield framework was the usual route (however, see the update below). Considering the number of details that will need to be addressed, it's worth including this part in a separate clause or even an annex to the contract.

Update: As of July 16th 2020 (the CJEU's Schrems II judgment, Case C-311/18), Privacy Shield is no longer a valid legal framework for transferring data from the EU and Switzerland to the US. The situation is evolving fast, though. Here we've written about the decision and will provide updates when anything changes. And here we've written about how such limitations affect users of Google Analytics.

  • Term of the contract and conditions of contract termination – Here you should include information that all data regarding the controller’s clients should be removed from the processor’s databases after the termination of the contract and enumerate cases in which each party has a right to terminate the agreement (for instance, failing to inform the controller of a data breach or unauthorized changes to data processing procedures.)

Rights and responsibilities of data controllers

In the next part, you should address the duties of the data controller. Here’s some information you really need to include:

  • Under GDPR, the controller is the entity responsible for establishing a lawful data process and observing the rights of data subjects (including collecting data subject consents and requests).
  • The controller is also responsible for issuing instructions about data processing (including appointing employees to serve as point of contact). It means that the data processor should handle the data exclusively in the manner demanded by the controller.
  • However, if the data processor believes that the instructions issued by the data controller violate the provisions of GDPR, they have to immediately inform the data controller about their concerns.

To learn more about what GDPR has to say about the role of the data controller, see Article 24 of the Regulation.

Responsibilities of data processors

Next it’s time to establish the duties of data processors.

Articles 28-36 of GDPR set out their responsibilities that must be addressed in the data processing agreement. Among other things, the data processor:

  • must have adequate information security in place
  • shouldn’t engage sub-processors without the prior consent of the controller
  • must cooperate with the authorities in the event of an enquiry
  • must report data breaches to the controller as soon as they become aware of them, without undue delay
  • must appoint a data protection officer where Article 37 requires one
  • must give the data controller the opportunity to carry out audits examining their GDPR compliance
  • must keep records of all processing activities
  • must comply with EU transborder data transfer rules (if necessary)
  • must help the controller to comply with data subjects’ rights (including the processing of data subject requests)
  • must assist the data controller in managing the consequences of data breaches
  • must delete or return all personal data at the end of the contract at the choice of the controller, and
  • must inform the controller if the processing instructions infringe GDPR

It's worth making sure that the text of a DPA doesn't leave any room for misinterpretation. For example:

  • It’s important to establish the time limits in which the data processor must process data subject requests as well as within which the data processor has to inform the data controller about a data breach.
  • If a data protection officer has been designated, it’s also worth providing their contact details.
  • And if it is stipulated that the data controller has the right to audit the data processor, it should be specified how often this can be done and who will cover the costs of the procedure.

That way you make sure that there are no weak links and the data processor knows exactly what is expected of them.

As in every other case, the provisions of this part of the contract should be adjusted to the specific needs of the organization and industry-relevant requirements.

If you want to study the data processor’s responsibilities in more detail, you should visit this page.

Technical and organizational measures

After that, it’s time to delve deeper into the technical requirements the data processor has to meet in order to satisfy the provisions of GDPR. According to Article 32 of the Regulation:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • the pseudonymisation and encryption of personal data
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing

In this part of the contract it's worth stating that the data processor must implement all necessary technical and organizational measures before starting to process users' personal data.

After all, one of the most important roles of a DPA is ensuring that processors provide sufficient guarantees for the protection of the data transferred to them. Especially since, if a data breach happens – even one on the data processor’s side – it’s the controller who might be held liable.

Due to the complexity of these measures, it’s advisable to include them in a separate annex to the contract (see: Annex 1).
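Article 32 names pseudonymisation as a measure, but a DPA annex that just says "data is pseudonymised" tells the controller little. The following is an added example (not code from the original post or from Piwik PRO) of what an auditable pseudonymisation step looks like: direct identifiers are replaced with a keyed hash (HMAC-SHA256) whose key is held separately from the data, IP addresses are truncated, and an unkeyed hash is shown beside it to demonstrate why plain hashing of guessable identifiers such as e-mail addresses does not qualify. The sample records, the keys, and the IP-truncation policy are all constructed for the example.

```python
"""Added example (not from the original post): pseudonymisation of direct
identifiers with a keyed hash (HMAC-SHA256), contrasted with an unkeyed hash.
Records, keys and the IP-truncation policy below are all constructed."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample event records, as a processor might receive them.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "ip": "203.0.113.7", "page": "/pricing"},
    {"email": "bob@example.com", "ip": "198.51.100.23", "page": "/checkout"},
    {"email": "alice@example.com", "ip": "203.0.113.7", "page": "/docs"},
]


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: same key + identifier -> same token,
    so the events of one person can still be linked within a dataset.
    The key is the 'additional information' of Art. 4(5) and must be stored
    separately from the pseudonymised data (e.g. in a KMS/HSM, never in the
    analytics database itself)."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 with no key. Included only to show why it is NOT
    adequate pseudonymisation for guessable identifiers."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def truncate_ipv4(ip: str) -> str:
    """Constructed minimisation policy: keep the /24 prefix, zero the host octet."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("expected dotted-quad IPv4 address")
    return ".".join(octets[:3] + ["0"])


def pseudonymise_records(records: Iterable[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace the direct identifier with a token and minimise the IP address.
    The output carries no field that identifies a person without the key."""
    return [
        {
            "subject": pseudonymise(r["email"], key),
            "ip_prefix": truncate_ipv4(r["ip"]),
            "page": r["page"],
        }
        for r in records
    ]


def dictionary_attack(token: str, candidates: Iterable[str],
                      hash_fn: Callable[[str], str]) -> Optional[str]:
    """An attacker holding a list of plausible identifiers (a leaked mailing
    list, say) recomputes hash_fn for each one and compares it to the stored
    token. Returns the recovered identifier, or None if no candidate matches."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    key_analytics = secrets.token_bytes(32)   # one key per controller and purpose
    key_billing = secrets.token_bytes(32)

    for row in pseudonymise_records(SAMPLE_RECORDS, key_analytics):
        print(row)

    alice = "alice@example.com"
    # Separate keys for separate purposes give tokens that cannot be linked.
    print(pseudonymise(alice, key_analytics) != pseudonymise(alice, key_billing))

    leaked_list = ["carol@example.com", alice, "bob@example.com"]
    # Unkeyed hash: the attacker recovers the e-mail address from the token.
    print(dictionary_attack(unkeyed_hash(alice), leaked_list, unkeyed_hash))
    # Keyed hash: without the key the attacker cannot recompute the tokens.
    print(dictionary_attack(pseudonymise(alice, key_analytics), leaked_list, unkeyed_hash))
```

The two dictionary-attack calls are the point for the annex: with an unkeyed hash a leaked mailing list reverses the tokens, with a keyed hash it does not, so the processor's description of the measure should say where the key lives, who can use it, and whether a separate key is used per controller and purpose (which is what stops datasets from being linked across customers).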

Sub-contractual relationships

This section aims to shed some more light on the relationship between the primary data processor and sub-processors. It’s worth including the following information in your agreements:

  • The data processor must obtain the prior specific or general written authorization of the data controller before engaging any sub-processor (Article 28(2)). Under a general authorization, the processor has to inform the controller of any intended addition or replacement of sub-processors so that the controller can object.
  • The contract between the processor and sub-processor should ensure a level of data protection comparable to that provided by a DPA.
  • The processor remains fully liable to the controller for the performance of its sub-processors (Article 28(4)), so the agreement should state who verifies sub-processors' compliance and how often (for instance, at least once every 12 months), and whether the controller's audit right extends to them.

Also, it is a good practice to list the sub-processors in a separate annex to the contract (its content is discussed in the section called Annex 2).

Final clauses

This is a standard part of every contract. As always, we should mention there that any changes to the contract must be accepted by both parties. However, in the case of a DPA, it's worth stating here that its provisions take precedence over any conflicting provisions in other agreements between the data processor and data controller.

This will leave no room for misinterpretation in case the provisions of other agreements conflict with the requirements of the DPA.


The DPA would not be complete without the aforementioned annexes. They complement and elaborate contractual arrangements previously agreed. Here’s what you should include in both of them:

Annex 1 – Technical and organizational measures

This annex is complementary to the points of a DPA concerning technical and organizational measures. In this part of the agreement the data processor should prove their ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as well as establish a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing (both quotes are excerpts from Article 32 GDPR).

Below is a list of areas crucial for compliance with the demands of the Regulation:

Access control

This is the point where the data processor should demonstrate the measures taken to ensure a level of security appropriate to the risk to the controller's data. Among other things, they should describe:

  • the structure of the data center where they plan to store personal data
  • information security control protocols
  • physical access to the office and applied security measures
  • remote access to the office
  • access control for applications (software)

Transfer control

This part addresses the control of electronic transmission. The data processor should demonstrate that personal data can't be read, copied, altered, or removed by any unauthorized party during data transfers (for instance, by enforcing TLS for all data in transit and documenting how transfer endpoints are authenticated).

Availability & resilience

In this section of the annex the processor should present their backup policies, as well as measures used to ensure data redundancy, recoverability, and high availability.

Procedures of periodic review

Here the data processor should detail a framework for periodic evaluation of technical and organizational measures presented in the previous parts of the annex.

Annex 2 – List of sub-processors

Nothing difficult here – this list should include all data sub-processors, their registered addresses, and the location where each of them processes the data (this matters for the transfer restrictions discussed under Data storage above).

Data processing agreement under GDPR – some conclusions

We hope that this blog post gives you a decent idea of what a data processing agreement should look like. However, we know this is a complex issue and you might still have some unanswered questions.

If so, be sure to check out some additional sources of information about drafting a DPA, including this extremely informative guide provided by the UK Information Commissioner’s Office. Also, feel free to reach out to us anytime! Our team will be happy to help you out.


Karolina Lubowicka

Content Marketer

Content Marketer and Social Media Specialist at Piwik PRO. An experienced copywriter who takes complex topics of data privacy & GDPR and makes them understandable for all. LinkedIn Profile
