Data Protection & Compliance Glossary

Auftragsverarbeitungsvertrag (AVV / DPA)

A contractual instrument under Article 28 of the GDPR that must be concluded between the controller (the client) and the processor (the service provider) when third parties process personal data on behalf of the controller. Without a DPA, data processing by the service provider is unlawful.

The Auftragsverarbeitungsvertrag (AVV), also known by its English name Data Processing Agreement (DPA), is the cornerstone of the data protection relationship between companies and their service providers. Failure to have one in place can result in GDPR fines, even if the data itself is processed securely.

When is a DPA required?

A DPA is always required when a service provider processes personal data on behalf of the company and is therefore bound by its instructions. Typical examples include:

  • Cloud services (Microsoft 365, Google Workspace, AWS)
  • Tax advisors and payroll services
  • Marketing service providers (newsletter distribution)
  • IT service providers (system administration, support)
  • Call centers and web hosting providers
  • HR software (Personio, Workday)
  • CRM systems (Salesforce, HubSpot)

No DPA is required, however, if the service provider is an independent data controller (e.g., lawyers, doctors, banks) or if no personal data is processed at all.

Gray Areas

Some cases require careful review: Tax advisors usually need a DPA because they process employee data. Banks are independent controllers—no DPA is required, but banking secrecy applies. Interpreters who receive transcripts, on the other hand, do need a DPA.

Mandatory Content According to Art. 28(3) GDPR

A legally valid DPA must address at least the following points:

1. Subject matter, duration, nature, and purpose of the processing: a precise description, for example: “We commission XY to handle payroll processing for [...] employees for the period [...]. Data processed: name, IBAN, salary, [...]”

2. Type of personal data and categories of data subjects: a specific listing, for example: “Employees of the controller: name, address, date of birth, IBAN, salary, social security number, tax information”

3. Binding instructions for the processor: clear wording such as: “The data processor shall process data only on documented instructions.”

4. Confidentiality: all authorized persons must be bound by confidentiality.

5. Technical and organizational measures (TOMs): included in an appendix or listed directly, with specific measures (encryption, access control).

6. Subprocessors: a list of subprocessors or a general authorization, coupled with a duty to notify in case of changes.

7. Supporting data subjects’ rights: the service provider must assist with requests for access, erasure, and rectification.

8. Support with data protection obligations: cooperation regarding TOMs, data protection impact assessments, and the reporting of data breaches.

9. Deletion or return after contract termination: what happens to the data after the contract ends must be clearly regulated.

10. Documentation and audits: the processor must allow the controller to conduct audits.

Standard Contractual Clauses and Templates

There are various options for drafting a DPA:

DSK (Data Protection Conference) Model DPA: Available free of charge and recognized by German supervisory authorities. Download at datenschutzkonferenz-online.de.

Provider-specific DPA: Microsoft allows the DPA to be accepted online in the Admin Center; Google offers a Google Workspace Data Processing Amendment; AWS integrates the DPA into the customer agreement. Important: Provider DPAs are often drafted unilaterally—it must be verified whether all mandatory content is fully included.

A custom DPA makes sense for smaller service providers without their own DPA, if the provider’s DPA is incomplete, or if specific requirements such as concrete audit rights are desired.

Data Processing vs. Joint Control

The classification of the legal relationship is crucial and has significant consequences:

Relationship               | Legal basis  | Characteristics                                        | Example
Data processing            | Art. 28 GDPR | Service provider acts only on instructions             | Payroll accounting software (Personio)
Joint controllership       | Art. 26 GDPR | Both parties jointly determine the purposes and means  | Facebook Custom Audiences
Independent controllership | -            | Service provider pursues its own purposes              | Attorney, tax advisor bound by professional confidentiality

The ECJ has ruled that fan page operators are jointly responsible with Meta—incorrect classification can result in substantial fines.

Review of Existing Data Processing Agreements

Completeness (Art. 28(3))

  • Are the subject matter and duration described?
  • Are the types of data and data subjects specified?
  • Is the obligation to follow instructions established?
  • Is confidentiality addressed?
  • Are technical and organizational measures listed (Appendix)?
  • Are subprocessors listed?
  • Is support for data subjects’ rights provided?
  • Deletion upon contract termination?
  • Client’s audit rights?

Technical and Organizational Measures (Appendix)

  • Specific measures (not just “appropriate”)?
  • Encryption mentioned?
  • Access control described?
  • Backup and emergency procedures?
  • Data breach notification process (72-hour deadline!)?

Transfers to third countries

  • Is data transferred to third countries (USA, UK, etc.)?
  • If so: Is there a legal basis? (EU-US Data Privacy Framework, SCCs)
  • Subprocessors in the third country?

Common gaps

  • TOMs formulated too generally: “we use appropriate measures”
  • Subprocessors not up to date (new cloud providers missing)
  • Transfers to third countries not addressed (US cloud!)
  • No audit rights for the controller provided for

Fines for lack of a DPA

German Cases

Saxony-Anhalt (2019): A welfare organization had not concluded a DPA with its IT service provider. Since this was a first-time violation and the organization cooperated, a warning was issued.

Berlin (2019): Deutsche Wohnen was found to have committed several violations, including deficiencies in its DPA. These were included in a total fine of 14.5 million euros.

EU Cases

Sweden (2020): A company used Google for its corporate email without a DPA – €75,000 fine.

Portugal (2019): A hospital did not have a DPA with its IT service provider – €400,000 fine.

Penalty Range

Under Art. 83(4) of the GDPR, fines of up to 10,000,000 euros or 2% of global annual turnover may be imposed (whichever is higher).

In practice, cooperative companies often receive warnings for first-time violations. However, significant fines are to be expected for deliberate violations or data breaches where no DPA is in place.