Data Processing Agreement (DPA)

What is a Data Processing Agreement? Learn about DPA requirements under GDPR, what must be included, and why it is essential for secure file transfers.

Definition

A Data Processing Agreement (DPA) is a legally binding contract required under Article 28 of the General Data Protection Regulation (GDPR) whenever a data controller engages a data processor to process personal data on its behalf. The DPA must define the subject matter and duration of processing, the nature and purpose of the processing, the types of personal data involved, the categories of data subjects, and the rights and obligations of the controller.

A DPA is not a voluntary arrangement but a legal requirement. Processing personal data through a third party without a valid DPA constitutes a GDPR violation, regardless of whether the actual data processing is conducted properly. Penalties for non-compliance can reach up to 10 million euros or 2% of global annual revenue. Common data processors include cloud providers, email service providers, hosting companies, and file transfer platforms.

Simply Explained

Imagine you hire a moving company to transport your valuable furniture from one house to another. You give the company clear instructions: which furniture to move, how it should be packed, and that nothing may be damaged. The contract with the moving company specifies exactly what should happen and who is liable if something goes wrong.

A Data Processing Agreement works the same way, except with data instead of furniture. When you use a cloud service that stores or processes customer data, you need a DPA. It specifies what the service provider may do with the data, how they must protect it, and what happens in case of a data breach. Without this agreement, it would be like giving a stranger your house key without agreeing on what they may do with it.

Why Does It Matter?

The Data Processing Agreement is the foundation of any lawful data processing by third parties. For businesses working with external service providers, it is indispensable:

  • Legal Requirement: Article 28 GDPR mandates a DPA for every data processing relationship. The absence of a DPA is a data protection violation in itself, even if the actual processing is flawless.
  • Liability Distribution: The DPA clearly defines who is liable in case of damage. Without a DPA, the controller bears sole liability, even for the processor's errors.
  • Oversight Obligation: Companies must verify that their processors have implemented appropriate technical and organizational measures to protect the data.
  • Sub-processors: The DPA regulates whether and under what conditions the processor may engage sub-processors. Without this regulation, data could be passed on to third parties outside the controller's oversight.
  • Audit Readiness: During inspections by supervisory authorities, the DPA is one of the first documents requested. Its absence is an immediate ground for objection.

Practical Example

An accounting firm uses an online platform where clients can upload their documents. The platform stores the files in the cloud and provides access to the firm's staff. The uploaded documents contain personal data: names, tax identification numbers, and salary information.

The firm is the data controller; the platform is the data processor. Without a DPA, this arrangement violates Article 28 GDPR. The DPA must specify, among other things:

  • What data is processed (client documents containing personal data)
  • How long the data is stored
  • What security measures the platform has implemented
  • That the platform processes data only on the firm's instructions
  • How data breaches are handled
  • Which sub-processors (e.g., the hosting provider) are used

During an audit by the supervisory authority, the firm can present the DPA and demonstrate that it has fulfilled its duty of care.

How SendMeSafe Implements This

SendMeSafe takes data processing obligations seriously and provides businesses with all the tools needed for a legally compliant partnership:

  • Complete DPA: Every customer receives a comprehensive Data Processing Agreement that meets all requirements of Article 28 GDPR. The DPA can be reviewed and accepted directly in the organization settings.
  • Transparent Sub-processors: We disclose which sub-processors we use (Hetzner Cloud for hosting and storage in Germany) and notify customers of any changes.
  • Technical and Organizational Measures: Our TOM document describes in detail the implemented security measures, from encryption to access controls to data backup.
  • Instruction-Bound Processing: We process data exclusively according to our customers' instructions. Automated processing is limited to what is necessary for the service.
  • Audit Trail: All access and processing activities are logged, allowing customers to trace at any time what happens to their data.
  • Deletion Policy: Files can be configured with automatic expiration dates. Upon termination of the contract, all data is deleted in accordance with the DPA provisions.

Frequently Asked Questions

When do I need a DPA?

You need a DPA whenever an external service provider processes personal data on your behalf. Common cases include: cloud storage, email marketing tools, hosting providers, CRM systems, file transfer platforms, and accounting software. The decisive factor is whether the service provider has or could have access to personal data.

What must a DPA contain?

Article 28(3) GDPR defines the minimum contents: subject matter and duration of processing, nature and purpose of processing, types of personal data, categories of data subjects, obligations and rights of the controller, technical and organizational measures, rules on sub-processors, support for data subject rights, deletion after contract termination, and allowing and contributing to audits.

What happens if I have not signed a DPA?

The absence of a DPA is an independent violation of the GDPR, regardless of whether an actual data protection issue has occurred. Supervisory authorities can impose fines of up to 10 million euros or 2% of annual revenue. In practice, DPAs are regularly requested during inspections, and their absence almost always results in a formal objection.

Can a DPA be concluded digitally?

Yes, the GDPR permits the conclusion of a DPA in electronic form. A digital DPA is just as legally valid as a paper document. At SendMeSafe, you can review and accept the DPA directly within the platform without any paper-based process.
