GDPR · 2026-05-15 · 6 min

GDPR Data Processing Agreements: requirements, clauses, and vendor management

A practical guide for GRC teams on Article 28 DPA requirements, mandatory clauses, subprocessor management, and maintaining DPA registers across vendor relationships.

By AuditOak GRC Team·813 words·6 min read

Controller-processor relationships under GDPR

GDPR distinguishes between controllers (entities determining purposes and means of processing) and processors (entities processing personal data on behalf of controllers). Most SaaS companies operate as both: controllers for their own employee and marketing data, and processors when handling customer personal data.

Article 28(3) requires that processing by a processor be governed by a contract or other legal act that binds the processor to the controller, and Article 28(9) requires that contract to be in writing, including in electronic form. Verbal agreements, standard terms of service that lack the Article 28(3) content, or informal arrangements do not satisfy this requirement.

The DPA must be in place before processing begins. Retroactive DPAs created after processing has started create compliance gaps that supervisory authorities may identify during investigations or audits.

Mandatory clauses under Article 28(3)

Article 28(3) specifies mandatory DPA content. The agreement must stipulate: subject matter and duration of processing, nature and purpose, type of personal data, categories of data subjects, and controller obligations and rights.

Processors must process personal data only on documented controller instructions, ensure confidentiality of persons authorized to process, implement Article 32 security measures, and comply with subprocessor requirements.

Additional mandatory provisions include: assisting controllers with data subject rights requests, assisting with security and breach obligations, deleting or returning data after service termination, and making available information necessary to demonstrate compliance including allowing audits.

  • Subject matter, duration, nature, and purpose of processing
  • Types of personal data and categories of data subjects
  • Processor obligation to act only on documented instructions
  • Confidentiality obligations for authorized processing personnel
  • Article 32 security measure requirements
  • Subprocessor authorization and notification procedures
  • Assistance with data subject rights and breach obligations
  • Data deletion or return upon service termination
  • Audit and inspection rights for controllers

Standard Contractual Clauses and DPA integration

Transfers of personal data to a country outside the EEA need an Article 46 transfer tool unless the destination is covered by an adequacy decision (for US importers, certification under the EU-US Data Privacy Framework). For most SaaS relationships that tool is the European Commission's 2021 Standard Contractual Clauses (SCCs), incorporated into or attached to the DPA. The 2021 SCCs are modular, and the module depends on the transfer scenario: Module 1 controller-to-controller, Module 2 controller-to-processor, Module 3 processor-to-processor, Module 4 processor-to-controller.

US SaaS companies typically use Module 2 (controller to processor) or Module 3 (processor to processor). Both modules are drafted to also satisfy Article 28(3), so the DPA and the SCCs must not contradict each other. Ensure the SCC annexes (Annex I on the parties and the transfer, Annex II on technical and organisational measures, Annex III on subprocessors) accurately describe data categories, processing purposes, security measures and subprocessors, and that they match the DPA's own schedules.

Clause 14 of the 2021 SCCs requires the parties to assess, and document, whether the laws and practices of the destination country prevent the data importer from complying with the clauses; this assessment is the transfer impact assessment (TIA). Where the assessment identifies a risk, supplementary measures (for example, encryption with keys held only in the EEA) must be adopted and recorded alongside it, and the documentation must be available to the supervisory authority on request.

Subprocessor management and notification requirements

Article 28(2) prohibits a processor from engaging another processor without the controller's prior specific or general written authorisation. The DPA should state which form applies: specific approval for each subprocessor, or general authorisation, in which case the processor must inform the controller of intended additions or replacements and give it the opportunity to object.

Article 28(4) requires the processor to flow the same data protection obligations down to each subprocessor by contract or other legal act, in particular sufficient guarantees on Article 32 security measures; the initial processor remains fully liable to the controller if a subprocessor fails to meet those obligations. Subprocessor DPAs must therefore mirror the Article 28(3) mandatory clauses.

Maintain a subprocessor register accessible to controllers, with notification procedures for subprocessor changes. Many SaaS companies publish subprocessor lists on their websites and provide advance notice before adding new subprocessors, allowing controllers to object.

DPA negotiation with enterprise customers

Enterprise customers often provide their own DPA templates with requirements beyond the Article 28 minimum: specific security certifications, cyber insurance levels, detailed audit provisions, and fixed breach notification deadlines. The GDPR itself sets no fixed processor-to-controller deadline: Article 33(2) requires processors to notify the controller "without undue delay", while the 72-hour clock in Article 33(1) runs for the controller's notification to the supervisory authority. Customers therefore commonly demand notice within 24 or 48 hours so that they can meet their own 72-hour deadline.

GRC and legal teams should maintain a standard DPA template aligned to Article 28 requirements as the starting point for negotiations. Pre-approved fallback positions on common negotiation points (audit frequency, liability caps, subprocessor objection periods) accelerate deal closure.

Track DPA execution status in a central register linked to vendor and customer records. Expired or unsigned DPAs for active processing relationships represent compliance gaps.

Audit rights and compliance demonstration

Article 28(3)(h) requires the processor to make available to the controller all information necessary to demonstrate compliance with Article 28, and to allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. In practice, processors typically satisfy this through SOC 2 reports, ISO/IEC 27001 certificates, or standardized audit questionnaires, reserving on-site inspections for exceptional cases; the DPA should state how often and on what notice a customer may invoke the right.

Prepare an audit response package: current SOC 2 Type II report, ISO/IEC 27001 certificate, subprocessor register, security whitepaper, and a completed SIG (Shared Assessments Standardized Information Gathering) or CAIQ (Cloud Security Alliance Consensus Assessments Initiative Questionnaire). Having the package ready in advance reduces customer audit burden and accelerates vendor approval.

For processors without SOC 2 or ISO certification, consider third-party assessments or penetration test reports as alternative compliance demonstration, supplemented by detailed security documentation.

Maintaining DPA registers and lifecycle management

GRC teams should maintain two DPA registers: DPAs where your organization is the controller (vendor DPAs), and DPAs where your organization is the processor (customer DPAs). Each entry should include: counterparty, processing scope, execution date, renewal date, and subprocessor dependencies.

Establish DPA review triggers: vendor onboarding, annual vendor review, subprocessor changes, regulatory updates, and service scope changes. DPAs should be reviewed and updated when processing activities materially change.

Integrate DPA management with your broader vendor risk management program. Security assessments, subprocessor monitoring, and breach notification testing should reference DPA obligations and contractual timelines.
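As an added illustration of the register described above (example code written for this article, not a tool the AuditOak team publishes), the following Python keeps both registers in one list of entries and runs the checks the text calls for: unsigned DPAs on active relationships, DPAs executed after processing started, DPAs past their renewal date, and subprocessors relied on under a customer DPA for which no executed vendor DPA exists. The entry fields, counterparties and dates are assumptions constructed for the example.

```python
# Added example (not from the original article): a minimal DPA register with
# the gap checks the text describes. Entry fields, names and dates are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DpaEntry:
    counterparty: str
    role: str                     # "controller": we are controller (vendor DPA)
                                  # "processor":  we are processor (customer DPA)
    processing_scope: str
    processing_start: date        # date processing actually began
    executed: Optional[date]      # None means the DPA is still unsigned
    renewal: Optional[date]       # None means no fixed term
    subprocessors: Tuple[str, ...] = ()   # customer DPAs: vendors we rely on
    active: bool = True


def find_gaps(register: List[DpaEntry], as_of: date) -> List[Tuple[str, str, str]]:
    """Return (counterparty, role, issue) for every active relationship that
    fails a check: unsigned, retroactive, expired, or a subprocessor used under
    a customer DPA without an executed vendor DPA of our own."""
    vendors_with_dpa = {
        e.counterparty for e in register
        if e.role == "controller" and e.executed is not None
    }
    gaps: List[Tuple[str, str, str]] = []
    for e in register:
        if not e.active:
            continue
        if e.executed is None:
            gaps.append((e.counterparty, e.role, "unsigned"))
        elif e.executed > e.processing_start:
            # Signed after processing began: the gap the article warns about.
            gaps.append((e.counterparty, e.role, "retroactive"))
        if e.renewal is not None and e.renewal < as_of:
            gaps.append((e.counterparty, e.role, "expired"))
        if e.role == "processor":
            # Cascading obligation: every subprocessor we name to a customer
            # must itself be covered by an executed vendor DPA.
            for sp in e.subprocessors:
                if sp not in vendors_with_dpa:
                    gaps.append((e.counterparty, e.role,
                                 f"subprocessor {sp} has no executed vendor DPA"))
    return gaps


def review_due(register: List[DpaEntry], as_of: date, window_days: int = 120) -> List[str]:
    """Counterparties whose renewal date falls inside the review window
    (the 'renewal' review trigger)."""
    horizon = as_of + timedelta(days=window_days)
    return [e.counterparty for e in register
            if e.active and e.renewal is not None and as_of <= e.renewal <= horizon]


# Constructed sample register: fictional counterparties and dates.
AS_OF = date(2026, 5, 15)
SAMPLE_REGISTER = [
    DpaEntry("CloudStore Inc", "controller", "object storage for customer data",
             date(2025, 1, 10), date(2025, 1, 2), date(2027, 1, 2)),
    DpaEntry("MailRelay Ltd", "controller", "transactional email",
             date(2025, 6, 1), None, None),
    DpaEntry("AnalyticsCo", "controller", "product analytics",
             date(2025, 7, 15), date(2025, 9, 1), date(2026, 9, 1)),
    DpaEntry("Acme GmbH", "processor", "SaaS platform hosting for Acme users",
             date(2025, 3, 15), date(2025, 3, 1), date(2026, 3, 1),
             subprocessors=("CloudStore Inc", "MailRelay Ltd")),
    DpaEntry("OldVendor", "controller", "decommissioned CRM",
             date(2023, 1, 1), None, None, active=False),
]

if __name__ == "__main__":
    for counterparty, role, issue in find_gaps(SAMPLE_REGISTER, AS_OF):
        print(f"GAP         {role:<10} {counterparty:<15} {issue}")
    for counterparty in review_due(SAMPLE_REGISTER, AS_OF):
        print(f"REVIEW DUE  {counterparty}")
```

Run against the sample data, the unsigned MailRelay vendor DPA surfaces twice: once as its own gap, and again as a subprocessor gap on the Acme customer DPA that names it, which is the cascading obligation the register has to catch. A real register would also carry the subject-matter, data-category and SCC-module fields the article lists; they are omitted here because the checks do not use them.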

Key takeaways

  • Article 28 requires a contract in writing before processing begins; Article 28(3) sets out the descriptive elements and the processor obligations in points (a) to (h), grouped into the nine clause categories listed above.
  • Cross-border transfers outside the EEA need an adequacy decision or a transfer tool such as the 2021 SCCs integrated into the DPA, with a documented transfer impact assessment and supplementary measures where that assessment shows they are needed.
  • Subprocessor authorization, notification, and cascading obligations must be addressed in every processor DPA.
  • Maintain separate DPA registers for controller and processor relationships with review triggers for changes.
  • Audit rights are typically satisfied through SOC 2 reports and ISO certificates rather than individual customer audits.
