Data Processing Agreements: Managing Vendor Relationships
When you share personal data with third parties (cloud providers, analytics tools, payment processors), GDPR requires formal agreements governing how they handle that data. These Data Processing Agreements (DPAs) are legally required, not optional.
Key Takeaways
| Point | Summary |
|---|---|
| When required | Whenever you (controller) share personal data with a third party (processor) |
| Common examples | Cloud hosting (AWS, GCP), email (Mailchimp), analytics (Google Analytics), CRM (Salesforce) |
| Required clauses | Subject/duration, nature/purpose, data types, processor obligations, security measures |
| Most vendors have DPAs | Major cloud/SaaS providers have standard DPAs available for signing |
| You're responsible | Controller liable for choosing compliant processors and having proper agreements |
Quick Answer: You need a DPA with every vendor that processes personal data on your behalf (cloud, analytics, email services, etc.). Most major vendors have standard DPAs ready to sign. Review them for required GDPR clauses before signing.
When is a DPA Required?
A DPA is required whenever you (as controller) engage a third party (processor) to process personal data on your behalf.
DPA Requirement Assessment:
You are the Controller when you:
- Decide what data to collect
- Determine why data is processed
- Choose how data is used
- Bear responsibility for compliance
Third Party is a Processor when they:
- Process data on your instructions
- Don't determine their own purposes
- Act under your direction
- Examples: Cloud hosting, email services, analytics
DPA Required?
- If the processor handles personal data on your behalf: yes, always
Common Processor Relationships
| Service Type | DPA Required? | Examples |
|---|---|---|
| Cloud Hosting | Yes | AWS, GCP, Azure |
| Email Marketing | Yes | Mailchimp, SendGrid |
| Analytics | Yes (if personal data) | Mixpanel, Amplitude |
| Payment Processing | Yes | Stripe, PayPal |
| Customer Support | Yes | Intercom, Zendesk |
| CRM | Yes | HubSpot, Salesforce |
| HR/Payroll | Yes | Gusto, Rippling |
DPA Requirements Under GDPR
Article 28 specifies mandatory contents for DPAs:
Required Clauses
| Requirement | What It Means |
|---|---|
| Subject Matter and Duration | What processing, how long |
| Nature and Purpose | Why processing occurs |
| Data Types | Categories of personal data |
| Data Subject Categories | Whose data (users, employees, etc.) |
| Controller Obligations | Your responsibilities |
| Processor Obligations | Vendor responsibilities |
Processor Obligations in DPA
Under Article 28, the processor must:
1. Follow Instructions
- Only process on controller's documented instructions
2. Confidentiality
- Ensure personnel are bound by confidentiality
3. Security
- Implement appropriate technical/organizational measures
4. Sub-Processors
- Only engage with prior authorization
- Impose same obligations on sub-processors
5. Assistance
- Help with data subject requests
- Help with security and breach notification
- Help with DPIAs if required
6. Data Return/Deletion
- Return or delete data at end of service
7. Audits
- Allow and contribute to audits
- Provide information for compliance demonstration
DPA Template Structure
A comprehensive DPA should include:
Core Sections
1. Definitions
- Controller, Processor, Personal Data
- GDPR-aligned terminology
2. Scope of Processing
- Services description
- Duration
- Processing activities
3. Controller Obligations
- Lawful basis responsibility
- Instruction documentation
- Compliance with GDPR
4. Processor Obligations
- Process only on instructions
- Confidentiality requirements
- Security measures
- Sub-processor requirements
- Data subject rights assistance
- Breach notification
- DPIA assistance
- Audit rights
5. Sub-Processors
- Approval mechanism
- List of current sub-processors
- Notification of changes
6. Security Measures
- Technical measures
- Organizational measures
- Specific requirements
7. International Transfers
- Transfer mechanisms
- SCCs if applicable
- Adequacy decisions
8. Data Retention and Deletion
- Retention period
- Return/deletion procedures
9. Audit Rights
- Audit scope
- Audit procedures
10. Liability
- Allocation
- Indemnification
Annexes:
- Annex A: Description of Processing
- Annex B: Security Measures
- Annex C: Sub-Processors
- Annex D: Standard Contractual Clauses (if needed)
Managing Sub-Processors
Processors often use their own vendors (sub-processors). You have two options:
Option 1: Specific Authorization
Approve each sub-processor individually.
| Pros | Cons |
|---|---|
| Full control | Administrative burden |
| Know exactly who processes data | May delay service changes |
| Can refuse specific sub-processors | Requires ongoing monitoring |
Option 2: General Authorization
Pre-approve use of sub-processors with notification of changes.
| Pros | Cons |
|---|---|
| Less administrative work | Less control over specifics |
| Processor flexibility | Must track notifications |
| Standard in SaaS agreements | Relies on objection mechanism |
Sub-Processor Objection Process
With general authorization, DPAs typically include:
Sub-Processor Change Process:
Processor Adds Sub-Processor:
- Notifies controller (e.g., 30 days advance)
- Provides sub-processor details
- Explains processing involved
Controller Options:
- Accept change (explicit or by not objecting)
- Object within specified period
- If objecting:
  - Discuss alternatives with processor
  - May terminate affected services
  - Avoid unreasonable objection
Reviewing Vendor DPAs
When evaluating a vendor's DPA:
Key Review Points
| Area | What to Check |
|---|---|
| Scope | Does it cover all processing activities? |
| Instructions | Can you provide documented instructions? |
| Security | Are measures adequate for your data? |
| Sub-processors | Do you know who they are? |
| International Transfers | Are appropriate safeguards in place? |
| Breach Notification | Is timing acceptable (24-48 hours ideal)? |
| Audit Rights | Can you audit if needed? |
| Deletion | Will data be properly deleted? |
Red Flags
| Red Flag | Concern |
|---|---|
| No DPA offered | Non-compliant vendor |
| Cannot customize | May not meet your needs |
| No sub-processor list | Lack of transparency |
| Limits on security details | Can't assess adequacy |
| No audit rights | Can't verify compliance |
| Unclear data location | Transfer risk |
| Long breach notification | Risk to your compliance |
Standard Contractual Clauses (SCCs)
SCCs are the standard transfer mechanism for international transfers to countries without an adequacy decision.
When SCCs Are Needed
| Transfer Destination | SCC Required? |
|---|---|
| EU/EEA | No |
| UK (from EU) | Sometimes (check current status) |
| Adequacy countries (Canada, Japan, etc.) | No |
| USA (DPF-certified organizations) | No (adequacy per Decision 2023/1795) |
| USA (non-DPF-certified) | Yes |
| Other countries | Yes |
SCC Implementation
SCC Integration:
Module Selection (2021 SCCs):
- Module 1: Controller to Controller
- Module 2: Controller to Processor (most common)
- Module 3: Processor to Processor
- Module 4: Processor to Controller
Required Annexes:
- Annex I: Parties and Transfer Details
- Annex II: Technical/Organizational Measures
- Annex III: Sub-Processors (if applicable)
Transfer Impact Assessment:
- Assess destination country laws
- Evaluate supplementary measures needed
- Document assessment
Note on SCC Transition: The 2021 SCCs (Commission Implementing Decision 2021/914) replaced the previous 2010 SCCs. The transition period ended on December 27, 2022, meaning all international data transfers must now use the 2021 SCCs. Organizations should have migrated all existing contracts to the new clauses by this deadline. Any legacy agreements still referencing the 2010 SCCs should be updated immediately.
DPA Management Process
Initial Setup
- Inventory vendors processing personal data
- Check existing contracts for DPA coverage
- Request DPAs from vendors without them
- Review and negotiate key terms
- Execute and file DPAs
Ongoing Management
| Activity | Frequency |
|---|---|
| New vendor DPA review | Before onboarding |
| Sub-processor updates | As notified |
| DPA renewal review | At contract renewal |
| Vendor compliance check | Annually |
| DPA inventory update | Quarterly |
DPA Tracking
| Vendor | DPA Status | Expiry | Sub-Processors | SCCs |
|---|---|---|---|---|
| AWS | Signed | N/A | List on file | Yes |
| Stripe | Signed | N/A | List on file | Yes |
| Mailchimp | Signed | N/A | Notified changes | Yes |
| Internal CRM | Needed | - | Unknown | TBD |
Vendor Assessment Questionnaire
Before signing a DPA, assess the vendor:
| Question | Why It Matters |
|---|---|
| What personal data will you process? | Understand scope |
| Where is data processed/stored? | Transfer implications |
| What security measures do you have? | Adequacy assessment |
| Do you use sub-processors? | Supply chain risk |
| How do you handle DSARs? | Can you fulfill rights? |
| What's your breach notification process? | Meet 72-hour obligation |
| Can we audit your compliance? | Verification ability |
| What happens at termination? | Data return/deletion |
How Bastion Helps
Managing DPAs across all vendors can become complex as your vendor ecosystem grows. Working with experienced partners helps ensure comprehensive coverage without overwhelming your team.
| Challenge | How We Help |
|---|---|
| DPA Templates | Pre-approved templates for common vendor scenarios |
| Vendor Assessment | Structured questionnaires and guidance for evaluating vendor compliance |
| DPA Tracking | Centralized inventory with reminders for renewals and reviews |
| Negotiation Support | Expert guidance on key terms when vendor DPAs need modification |
| Ongoing Monitoring | Tracking sub-processor changes and DPA updates across your vendor ecosystem |
Having additional expertise helps ensure DPA coverage is complete and appropriate—avoiding the gaps that often surface during audits or security reviews by enterprise customers.
