From Consent to Contract: When You Need a DPA (and When You’re Missing One)
Introduction
One of the most overlooked GDPR requirements is also one of the most important: the Data Processing Agreement (DPA). Many businesses still don’t realise that whenever they share personal data with a third-party processor — whether it’s a cloud service, SaaS tool, freelancer, or agency — they are legally required to have a DPA in place.
Without it, you’re not only risking non-compliance but also putting your customers’ personal data (and your own liability) at risk.
This article explains when you need a DPA, common mistakes to avoid, and how to protect your organisation with the right contracts — from consent all the way to control.
What Is a Data Processing Agreement (DPA)?
A Data Processing Agreement (DPA) is a contract that governs the relationship between a data controller (you) and a data processor (a third-party service provider). It ensures that personal data shared with a vendor is handled in compliance with applicable privacy laws.
Under Article 28 of the GDPR, a DPA is mandatory whenever a data controller engages a processor. The agreement must specify the nature and purpose of processing, the types of personal data involved, the duration, and the obligations and rights of both parties. It also requires the processor to:
- Process data only on documented instructions
- Implement appropriate technical and organisational security measures
- Help the controller respond to data subject rights requests
- Allow audits and inspections
- Ensure sub-processors are properly contracted
DPAs are also required under many US state privacy laws:
- Under the CCPA/CPRA (California), contracts must be in place with “service providers” to limit their use of personal data and ensure no further sharing or selling occurs.
- Other states like Colorado (CPA), Virginia (VCDPA), Utah (UCPA), and Connecticut (CTDPA) require similar contractual agreements to define the scope of data processing and impose security and confidentiality duties.
In short, wherever you operate — EU, UK, or US — you need proper written contracts in place with any third party that processes personal data on your behalf.
A DPA is a legally binding contract between a data controller and a data processor. It outlines:
- What data is being processed
- Why it’s being processed
- How it will be protected
- The responsibilities of each party
DPAs are required under Article 28 of the GDPR whenever a controller outsources any personal data processing to a processor.
When You Must Have a DPA
You need a DPA every time you:
- Use a cloud platform (like AWS, Google Cloud, Microsoft Azure)
- Hire a marketing agency or freelancer who handles personal data
- Use CRM systems, HR tools, or analytics providers
- Integrate chatbots, newsletter tools, or payment processors
📌 If someone processes personal data on your behalf, you must have a DPA. No exceptions.
When a DPA Alone Isn’t Enough
Even if you have a DPA, it’s not a silver bullet. You also need:
- Clear consent from individuals when required (e.g. for marketing, cookies)
- Transparency in your privacy notice about your processors
- Vendor risk assessments to ensure your partners are compliant
- SCCs or other safeguards for international transfers
Common DPA Mistakes We See
- Using outdated or copy-paste templates
- Forgetting to sign the DPA (yes, really!)
- Not specifying key details: data types, security measures, retention
- Omitting processor audit rights or breach notification clauses
- Having no DPA at all — especially with freelancers or new SaaS tools
✅ DPA Compliance Checklist (GDPR, CCPA & Beyond)
Use this checklist to ensure your contracts with processors are legally sound and privacy-compliant:
📄 When You Need a DPA:
- You use a cloud service or SaaS tool that stores personal data
- You share customer data with a marketing agency or freelancer
- You integrate third-party tools (e.g. chatbots, analytics, HR software)
- You process personal data via a vendor based outside the EU, such as a US-based provider
🧾 What a Proper DPA Should Include:
- Clear purpose of processing and lawful basis
- Categories of personal data and data subjects
- Security measures (technical and organisational)
- Processor’s obligation to act only on your documented instructions
- Restrictions on sub-processors
- Data breach notification timelines
- Data return or deletion terms after contract ends
- Support for fulfilling data subject rights (DSARs, erasure, etc.)
- Right to audit and inspect processor’s operations
🌐 Jurisdiction-Specific Clauses:
- GDPR Article 28 language and controller-processor duties
- CCPA/CPRA service provider language (no “selling” or secondary use)
- SCCs for international data transfers (if outside the EU/UK)
- Colorado, Virginia, and Connecticut clauses for U.S. operations (as needed)
Related resources
📘 Need help beyond contracts? Explore our DPO-as-a-Service offering for continuous support →
📄 Not sure if your privacy notice covers your processors? Review or update your privacy notice →
📬 Unsure how your DPA supports your DSAR workflow? Read our DSAR response guide →
🤖 Using AI tools to process data? Make sure your contracts reflect AI-specific risks →
✅ How DPO & Privacy Support Helps You Get DPAs Right
We help you turn vague, risky contracts into fully GDPR-compliant processing arrangements:
📄 Need to draft a DPA from scratch?
We create clear, customised DPAs that match your actual data flows.
👉 Get a tailored DPA →
📋 Already using templates?
We review your existing DPAs for missing clauses and compliance gaps.
🌍 Working with non-EU vendors?
We guide you through Standard Contractual Clauses (SCCs) and international transfer assessments.
💼 Hiring freelancers or agencies?
We help you secure proper terms before onboarding any external processor.
👤 Need long-term support?
Use our DPO-as-a-Service to manage your contracts, vendors, and audits.
👉 Explore full DPO support →