A GDPR data processing agreement is the written contract required whenever a controller entrusts personal data to a processor, and it is one of the most scrutinised documents under the EU General Data Protection Regulation (EU Regulation 2016/679), applicable since 25 May 2018. Without it, both parties expose themselves to enforcement action, and the arrangement itself may be unlawful. This guide explains what the agreement is, who needs one, what it must contain, and how to keep it defensible.
This article is general guidance only and is not legal advice.
What is a GDPR data processing agreement?
A GDPR data processing agreement (often abbreviated DPA) is a legally binding contract that governs how a processor handles personal data on behalf of a controller. The controller decides the purposes and means of processing; the processor acts only on the controller’s documented instructions. The agreement sets the boundaries of that relationship and allocates responsibility for GDPR obligations.
The GDPR requires this contract wherever processing is carried out by a processor rather than by the controller directly. It is not optional paperwork, it is a condition of engaging any third party that touches personal data on your behalf.
Controller versus processor
Getting the roles right is the starting point. Misclassifying a party undermines the whole agreement.
| Aspect | Controller | Processor |
|---|---|---|
| Decides purpose and means | Yes | No |
| Acts on documented instructions | Sets them | Follows them |
| Primary accountability to data subjects | Yes | Supports the controller |
| Typical example | A business collecting customer data | A cloud host or payroll bureau |
A single organisation can be a controller for some activities and a processor for others, so assess each data flow on its own facts.
When do you need a GDPR data processing agreement?
You need one whenever a processor handles personal data for you. Common triggers include cloud hosting and storage, SaaS platforms, email and marketing tools, payroll and HR providers, IT support with data access, analytics vendors, and any outsourced service that processes identifiable information.
If a supplier only receives anonymised data, or determines its own purposes (making it a separate controller), the analysis differs. When in doubt, map the data flow before signing.
What must a GDPR data processing agreement contain?
The GDPR prescribes the core content of the contract. While exact drafting varies, a compliant agreement must address each of the elements below.
| Required element | What it covers |
|---|---|
| Subject matter and duration | Nature, scope, and length of the processing. |
| Nature and purpose | Why the data is processed and what operations are performed. |
| Type of data and data subjects | Categories of personal data and the individuals involved. |
| Documented instructions | Processor acts only on the controller’s written instructions. |
| Confidentiality | Persons authorised to process data are bound to confidentiality. |
| Security measures | Appropriate technical and organisational measures. |
| Sub-processors | Rules on engaging sub-processors and passing down obligations. |
| Assisting the controller | Help with data subject rights, security, breaches, and DPIAs. |
| Return or deletion | What happens to data at the end of the service. |
| Audits and information | Making available the information needed to demonstrate compliance. |
Instructions, security, and breach support
Three obligations tend to attract the most attention in practice. The processor must act only on documented instructions, must implement appropriate technical and organisational security measures, and must support the controller’s duties, including breach handling. Under the GDPR the supervisory authority must generally be notified of a personal data breach without undue delay and, where feasible, within 72 hours, so the processor’s duty to alert the controller promptly is critical.
Sub-processors and international transfers
The agreement should specify whether sub-processors are permitted, how the controller is informed of changes, and that sub-processors are bound by equivalent obligations. Where personal data leaves the EU or EEA, the contract must reflect a valid transfer mechanism, because the underlying GDPR transfer rules continue to apply regardless of the commercial deal.
How the agreement supports wider GDPR compliance
A GDPR data processing agreement does not stand alone. It plugs into the regulation’s broader framework: the core principles (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability), the six lawful bases for processing, and data subject rights such as access, rectification, erasure, restriction, portability, and objection.
The contract is also evidence of accountability. Alongside your records of processing and, where required, DPIAs and the appointment of a data protection officer, it helps demonstrate that responsibilities are allocated and controlled. Non-compliance carries real consequences: fines can reach up to 20 million euro or 4% of global annual turnover, whichever is higher.
Practical drafting and review tips
- Map each data flow and confirm the controller and processor roles before drafting.
- Keep an up-to-date list of processors and their sub-processors.
- Ensure security measures are specific enough to be meaningful, not just boilerplate.
- Align retention and deletion terms with your own storage limitation policy.
- Review agreements when services, vendors, or transfer routes change.
- Check the official regulation text via the GDPR full text at gdpr-info.eu when interpreting specific obligations.
Frequently asked questions
Is a GDPR data processing agreement legally mandatory?
Yes. Where a processor handles personal data on a controller’s behalf, the GDPR requires a binding contract or other legal act. Proceeding without one can render the processing unlawful and expose both parties to enforcement.
Who is responsible for putting the agreement in place?
The controller is ultimately accountable for ensuring a compliant agreement exists, but both parties sign it and share defined obligations. Processors often provide a standard template, which the controller should still review carefully.
What happens if there is no agreement in place?
The arrangement may breach the GDPR, weaken your accountability position, and complicate breach response. Supervisory authorities can take action, and fines can reach up to 20 million euro or 4% of global annual turnover, whichever is higher.
Does the agreement cover international data transfers?
It should reference them. If personal data is transferred outside the EU or EEA, the contract must reflect a valid transfer mechanism, because the GDPR’s transfer safeguards apply independently of the commercial terms.

Related guides
- Complete GDPR compliance guide for organisations
- GDPR requirements checklist to assess your readiness
- Understanding GDPR data subject rights and how to respond
Our editable GDPR (EU Regulation 2016/679) toolkit includes a ready-to-use data processing agreement template plus supporting policies, records, and procedures you can tailor in minutes. Get the GDPR Toolkit and put a defensible agreement in place today.

