DPA Review

A Data Processing Agreement (DPA) is a legally binding contract required under Art. 28 GDPR between a controller (your company) and a processor (e.g. a cloud provider, IT service provider, or marketing platform). It governs how the service provider may process personal data on your behalf, what technical and organisational measures they implement, and what rights you have as the data controller.

Any time an external service provider processes personal data on your behalf - not for their own purposes. Typical examples: cloud services (Microsoft 365, Google Workspace, AWS, Azure), email marketing tools, CRM systems, external payroll processing, IT support with system access, accounting SaaS, video conferencing services, hosting providers, HR software. The list is longer than most companies expect.

Art. 28 GDPR prescribes a minimum content: subject matter, duration, nature and purpose of processing, type of personal data, categories of data subjects, and the obligations and rights of the controller. Additionally: confidentiality obligations, security measures (TOMs), sub-processing, support obligations for data subject requests, deletion/return upon contract termination, and accountability obligations. A DPA template from the service provider is often not sufficient - it must cover your specific case.

Usually not fully. Many service providers offer template DPAs that meet the minimum legal requirements - but don't always accurately reflect your specific processing activities. We check whether the submitted DPA matches your actual processing activities, whether the agreed TOMs are adequate, and whether provisions on sub-processors are complete and acceptable.

The absence of a DPA where processing is outsourced is a direct GDPR violation. Supervisory authorities actively check this, especially following data breaches or complaints. Fines can reach up to EUR 10 million or 2% of global annual turnover. Beyond fines, affected individuals can claim damages and reputational harm may follow.

We start by jointly inventorying all your external service providers with access to personal data. For each one we check: Is a DPA in place? Is it GDPR-compliant? Does it cover the actual processing? Are the TOMs adequate? For missing DPAs we draft templates; for inadequate ones we assist with renegotiations. At the end you receive a complete DPA overview as part of your data protection documentation.

Yes, and this is particularly critical. If service providers transfer data to countries outside the EU/EEA (e.g. the USA), you additionally need a transfer mechanism - such as EU Standard Contractual Clauses (SCCs). We check whether your service providers transfer data to third countries and whether the required safeguards are in place. Particularly relevant: many US SaaS services (even with EU data centres) may fall under US law.