Data Processing Agreement (DPA): What It Is and When You Need One

If your business uses third-party services that process customer data — think email marketing platforms, payment processors, cloud hosting providers, or CRM systems — you’re legally required to have a Data Processing Agreement (DPA) in place under GDPR and UK data protection law.

Yet many businesses either don’t have DPAs at all, or they sign generic processor terms without understanding what they actually commit to. That’s a compliance risk that can result in regulatory fines, breaches of contract, and loss of customer trust.

This guide explains what a DPA is, when you need one, what clauses it must include, and how to create a compliant data processing agreement template quickly and affordably.

What Is a Data Processing Agreement?

A Data Processing Agreement is a contract between a data controller (the business that determines why and how personal data is processed) and a data processor (a third party that processes personal data on behalf of the controller).

Under GDPR Article 28, any time a controller engages a processor, they must have a written contract that includes specific data protection clauses. This contract is called a DPA.

Controller vs Processor: The Key Distinction

Understanding the difference between controllers and processors is essential:

  • Data Controller: The organisation that decides what personal data to collect and how to use it. Example: an e-commerce business collecting customer names and addresses.
  • Data Processor: A third party that processes personal data on behalf of the controller according to the controller’s instructions. Example: the email marketing platform the e-commerce business uses to send newsletters.

If you’re the controller, you need a DPA with every processor you use. If you’re the processor, you need to offer a DPA to your customers (the controllers).

When Do You Need a Data Processing Agreement?

You need a DPA whenever you engage a third-party processor. Common scenarios include:

  • Email marketing: Using Mailchimp, ConvertKit, Klaviyo, or similar platforms to manage subscriber lists and send campaigns.
  • Payment processing: Using Stripe, PayPal, or other payment gateways that handle customer payment details.
  • Cloud hosting: Using AWS, Google Cloud, Vercel, or other providers that host your application and store user data.
  • Customer support: Using Intercom, Zendesk, or help desk software that accesses customer information.
  • Analytics: Using Google Analytics, Mixpanel, or similar tools that collect and process user behaviour data.
  • CRM systems: Using Salesforce, HubSpot, or other platforms that store customer records.
  • Accounting software: Using Xero, QuickBooks, or similar services that process invoices containing personal data.

Even if the processor is a well-known, reputable company, GDPR still requires a written DPA. Most established SaaS providers offer a standard DPA as part of their terms — make sure you review and accept it.

What If the Processor Refuses to Sign a DPA?

If a processor refuses to provide a GDPR-compliant DPA, that’s a red flag. Under GDPR, you (the controller) are responsible for ensuring your processors comply with data protection law. Using a non-compliant processor puts you at risk of regulatory action, not just them.

Solution: find a different processor that takes GDPR seriously, or negotiate appropriate contractual terms that meet Article 28 requirements.

What Must a Data Processing Agreement Include?

GDPR Article 28(3) specifies the minimum clauses that every DPA must contain. Here’s what your data processing agreement template needs:

1. Subject Matter and Duration

The DPA must clearly state what processing activities the processor will perform and for how long. Example: “The Processor will store and manage customer email addresses for the purpose of sending marketing campaigns, for the duration of the service agreement.”

2. Nature and Purpose of Processing

Describe what the processor will do with the data. Example: “Processing will involve storing, organising, and transmitting email addresses and names to deliver email campaigns on behalf of the Controller.”

3. Types of Personal Data

List the categories of personal data involved. Example: names, email addresses, IP addresses, purchase history, etc.

4. Categories of Data Subjects

Identify whose data is being processed. Example: customers, newsletter subscribers, website visitors, employees, etc.

5. Controller’s Instructions

The processor must only process data according to the controller’s documented instructions. The DPA should state that the processor will not process data for any other purpose without prior written consent.

6. Confidentiality Obligations

The processor must ensure that anyone processing the data is bound by confidentiality obligations (either contractual or statutory).

7. Security Measures

The DPA must specify that the processor will implement appropriate technical and organisational measures to ensure data security (encryption, access controls, regular security audits, etc.).

8. Sub-Processors

If the processor uses sub-processors (third parties they engage to help with processing), the DPA must:

  • Require the controller’s prior written consent (general or specific)
  • Ensure sub-processors are bound by equivalent data protection obligations
  • Hold the processor liable for the sub-processor’s compliance

9. Data Subject Rights

The processor must assist the controller in responding to data subject requests (access, rectification, erasure, etc.) by providing necessary information and technical cooperation.

10. Data Breach Notification

The processor must notify the controller “without undue delay” after becoming aware of a personal data breach. Many DPAs specify a timeframe (e.g., within 24 or 48 hours).

11. Assistance with Compliance

The processor must help the controller comply with GDPR obligations, including:

  • Data protection impact assessments (DPIAs)
  • Prior consultations with supervisory authorities
  • Demonstrating compliance with security obligations

12. Deletion or Return of Data

At the end of the processing relationship, the processor must delete or return all personal data (at the controller’s choice) unless legal obligations require continued storage.

13. Audit Rights

The controller must have the right to audit the processor’s compliance, either by conducting audits themselves or engaging an independent auditor. Many DPAs allow this once per year or upon reasonable notice.

14. International Data Transfers

If the processor transfers personal data outside the UK or EU, the DPA must include appropriate safeguards (Standard Contractual Clauses, adequacy decisions, or other approved transfer mechanisms).

Common Mistakes Businesses Make with DPAs

1. Not Having a DPA at All

Many businesses assume that because a processor is “GDPR compliant,” they don’t need a DPA. Wrong. GDPR requires a written contract regardless of the processor’s reputation. Even using a household-name SaaS tool without reviewing their DPA is a compliance gap.

2. Signing Generic Processor Terms Without Review

Most SaaS platforms offer a standard DPA buried in their legal documentation. Many businesses click “I agree” without reading. The problem: some standard DPAs have controller-unfriendly terms (e.g., no liability for breaches, limited audit rights, vague sub-processor provisions). Always review before accepting.

3. Forgetting About Sub-Processors

Your processor may use sub-processors (e.g., a cloud infrastructure provider). If your DPA doesn’t address sub-processors, you could be non-compliant. Ensure your DPA requires notification and consent for sub-processors, and that those sub-processors are bound by equivalent obligations.

4. Ignoring International Transfers

If your processor stores data outside the UK/EU (e.g., on US-based servers), you need transfer mechanisms in place (Standard Contractual Clauses, adequacy decisions, etc.). Many businesses overlook this, creating serious compliance risk.

5. Not Updating DPAs When Services Change

If the scope of processing changes (e.g., you start collecting new types of data, or the processor changes their sub-processors), your DPA should be updated accordingly. An outdated DPA is a weak DPA.

How to Create a Data Processing Agreement

You have three main options for creating a DPA:

1. Use the Processor’s Standard DPA

Most reputable SaaS providers offer a standard DPA. Review it carefully against the GDPR Article 28 checklist above. If it covers all required clauses and the terms are acceptable, you can simply accept it.

Pros: Fast, often free.
Cons: Processor-friendly terms, limited negotiation power.

2. Draft Your Own DPA Template

If you’re a processor offering services to controllers, or if you need a custom DPA for a specific processing relationship, you can draft your own.

Pros: Fully customised, controller-friendly terms.
Cons: Time-consuming, requires legal expertise, expensive if using a solicitor (£500–£2,000+).

3. Use LegalForge to Generate a DPA in Minutes

LegalForge’s AI-powered policy generator can create a fully compliant, jurisdiction-specific data processing agreement template in under 5 minutes for just £19.

You answer a few questions about your business, the processing activities, the types of data involved, and any sub-processors — and LegalForge generates a complete, customised DPA ready to send to your processor or customers.

Pros: Fast, affordable, compliant, customised to your business.
Cons: Still a template (complex cases may need solicitor review).

What Happens If You Don’t Have a DPA?

Operating without a compliant DPA puts your business at risk:

  • GDPR fines: Controllers can be fined up to €10 million or 2% of global annual turnover (whichever is higher) for failing to use a contract that meets Article 28 requirements.
  • ICO enforcement: The UK Information Commissioner’s Office can issue enforcement notices, conduct audits, and impose fines for non-compliance.
  • Liability for breaches: If your processor causes a data breach and you have no DPA, you could be held liable for failing to ensure appropriate safeguards.
  • Loss of customer trust: B2B customers increasingly ask to see your DPA during onboarding. Not having one signals poor data governance.

Final Thoughts: Get Your DPA in Place Today

A Data Processing Agreement is not optional — it’s a legal requirement under GDPR and UK data protection law. Whether you’re a controller using third-party services or a processor offering services to other businesses, you need compliant DPAs in place.

Don’t wait until a processor asks for one, or until the ICO comes knocking. Get your data processing agreement template sorted today.

Ready to create a compliant DPA in minutes? Use LegalForge to generate a customised, jurisdiction-specific Data Processing Agreement for just £19 — no solicitor required.

Generate Your Data Processing Agreement in Minutes

Stop risking GDPR fines. Create a compliant, customised Data Processing Agreement for your business in under 5 minutes with LegalForge — just £19, instant download.
