Instant downloadAuditor-writtenSecure Stripe checkout
GDPR Data Processing Agreement: Best 2026 Guide — ISO Toolkits

GDPR Data Processing Agreement: Best 2026 Guide

A GDPR data processing agreement is the written contract required whenever a controller entrusts personal data to a processor, and it is one of the most scrutinised documents under the EU General Data Protection Regulation (EU Regulation 2016/679), applicable since 25 May 2018. Without it, both parties expose themselves to enforcement action, and the arrangement itself may be unlawful. This guide explains what the agreement is, who needs one, what it must contain, and how to keep it defensible.

This article is general guidance only and is not legal advice.

What is a GDPR data processing agreement?

A GDPR data processing agreement (often abbreviated DPA) is a legally binding contract that governs how a processor handles personal data on behalf of a controller. The controller decides the purposes and means of processing; the processor acts only on the controller’s documented instructions. The agreement sets the boundaries of that relationship and allocates responsibility for GDPR obligations.

The GDPR requires this contract wherever processing is carried out by a processor rather than by the controller directly. It is not optional paperwork, it is a condition of engaging any third party that touches personal data on your behalf.

Controller versus processor

Getting the roles right is the starting point. Misclassifying a party undermines the whole agreement.

AspectControllerProcessor
Decides purpose and meansYesNo
Acts on documented instructionsSets themFollows them
Primary accountability to data subjectsYesSupports the controller
Typical exampleA business collecting customer dataA cloud host or payroll bureau

A single organisation can be a controller for some activities and a processor for others, so assess each data flow on its own facts.

When do you need a GDPR data processing agreement?

You need one whenever a processor handles personal data for you. Common triggers include cloud hosting and storage, SaaS platforms, email and marketing tools, payroll and HR providers, IT support with data access, analytics vendors, and any outsourced service that processes identifiable information.

If a supplier only receives anonymised data, or determines its own purposes (making it a separate controller), the analysis differs. When in doubt, map the data flow before signing.

What must a GDPR data processing agreement contain?

The GDPR prescribes the core content of the contract. While exact drafting varies, a compliant agreement must address each of the elements below.

Required elementWhat it covers
Subject matter and durationNature, scope, and length of the processing.
Nature and purposeWhy the data is processed and what operations are performed.
Type of data and data subjectsCategories of personal data and the individuals involved.
Documented instructionsProcessor acts only on the controller’s written instructions.
ConfidentialityPersons authorised to process data are bound to confidentiality.
Security measuresAppropriate technical and organisational measures.
Sub-processorsRules on engaging sub-processors and passing down obligations.
Assisting the controllerHelp with data subject rights, security, breaches, and DPIAs.
Return or deletionWhat happens to data at the end of the service.
Audits and informationMaking available the information needed to demonstrate compliance.

Instructions, security, and breach support

Three obligations tend to attract the most attention in practice. The processor must act only on documented instructions, must implement appropriate technical and organisational security measures, and must support the controller’s duties, including breach handling. Under the GDPR the supervisory authority must generally be notified of a personal data breach without undue delay and, where feasible, within 72 hours, so the processor’s duty to alert the controller promptly is critical.

Sub-processors and international transfers

The agreement should specify whether sub-processors are permitted, how the controller is informed of changes, and that sub-processors are bound by equivalent obligations. Where personal data leaves the EU or EEA, the contract must reflect a valid transfer mechanism, because the underlying GDPR transfer rules continue to apply regardless of the commercial deal.

How the agreement supports wider GDPR compliance

A GDPR data processing agreement does not stand alone. It plugs into the regulation’s broader framework: the core principles (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability), the six lawful bases for processing, and data subject rights such as access, rectification, erasure, restriction, portability, and objection.

The contract is also evidence of accountability. Alongside your records of processing and, where required, DPIAs and the appointment of a data protection officer, it helps demonstrate that responsibilities are allocated and controlled. Non-compliance carries real consequences: fines can reach up to 20 million euro or 4% of global annual turnover, whichever is higher.

Practical drafting and review tips

  • Map each data flow and confirm the controller and processor roles before drafting.
  • Keep an up-to-date list of processors and their sub-processors.
  • Ensure security measures are specific enough to be meaningful, not just boilerplate.
  • Align retention and deletion terms with your own storage limitation policy.
  • Review agreements when services, vendors, or transfer routes change.
  • Check the official regulation text via the GDPR full text at gdpr-info.eu when interpreting specific obligations.

Frequently asked questions

Is a GDPR data processing agreement legally mandatory?

Yes. Where a processor handles personal data on a controller’s behalf, the GDPR requires a binding contract or other legal act. Proceeding without one can render the processing unlawful and expose both parties to enforcement.

Who is responsible for putting the agreement in place?

The controller is ultimately accountable for ensuring a compliant agreement exists, but both parties sign it and share defined obligations. Processors often provide a standard template, which the controller should still review carefully.

What happens if there is no agreement in place?

The arrangement may breach the GDPR, weaken your accountability position, and complicate breach response. Supervisory authorities can take action, and fines can reach up to 20 million euro or 4% of global annual turnover, whichever is higher.

Does the agreement cover international data transfers?

It should reference them. If personal data is transferred outside the EU or EEA, the contract must reflect a valid transfer mechanism, because the GDPR’s transfer safeguards apply independently of the commercial terms.

GDPR data processing agreement template
The editable GDPR Toolkit — includes a ready-to-use data processing agreement template.

Related guides

Our editable GDPR (EU Regulation 2016/679) toolkit includes a ready-to-use data processing agreement template plus supporting policies, records, and procedures you can tailor in minutes. Get the GDPR Toolkit and put a defensible agreement in place today.

Shopping Cart