NAALA | Not An Average Legal Advisor

A Guide to Crafting Effective Data Processing Agreements

By: Sofie Geurts – Graduate intern at NAALA 

Published on 4 May, 2023

A Guide to Crafting Effective Data Processing Agreements​


Sofie Geurts

Graduate intern at NAALA

Published on 4 May, 2023

In today’s digital age, businesses rely heavily on technology providers to process personal data of their customers. However, with the implementation of the General Data Protection Regulation (GDPR) in 2018, businesses are required to ensure that any third-party processor they work with has appropriate measures in place to protect the personal data they process. This is where Data Processing Agreements (DPAs) come into play. DPAs are legally binding contracts that outline the terms and conditions under which personal data is processed by third-party processors on behalf of data controllers.

In this blog post, we’ll outline the key terms and obligations that should be included in DPAs between technology providers and their customers to ensure compliance with GDPR requirements.

DPAs are like the rules of a team game between a data controller (e.g. your favourite online shop) and a data processor (like a cloud computing service provider), who are both on the same team. The game is about handling personal data in accordance with data protection laws, such as the GDPR. The team agrees to protect the privacy rights of individuals and comply with the GDPR when processing personal data, and the rules of the game are written in the DPA.

Let’s use an example to illustrate this. Imagine you run a digital startup that wants to use a cloud computing service provider to process users’ personal data. You are the data controller, as you control the data stored in the cloud and you determine the purpose of the processing, which is to store the data in the cloud. The cloud computing service provider is the processor of the data, as they only process the startup’s data at the startup’s request. They do not give a purpose to the processing, they only process the data on the instructions of the startup. This is because the cloud service provider only ensures that the data is in the cloud.

Getting excited about these terminologies? Read more on the European Commission’s website

Key terms and obligations

Now that we know what DPAs are, let’s look at the key terms and obligations that should be included in them.

1. Scope & roles and responsibilities (art. 28 sub 3 GDPR)

The scope of the DPA is like the map of the game. It tells you who who are part of the team, what the game is about, and how long the game will be played. The scope should include:

  • Who the parties are (data controller and data processor)
  • The subject of the DPA (processing of personal data)
  • The specific types of personal data that will be processed
  • The purpose of the processing
  • How long the data will be processed
Think of the roles and responsibilities as the positions of the players in the game. Each player has a different role to play and specific responsibilities to fulfil. In the DPA, it is important to define the roles and corresponding responsibilities of the data processor and the data controller. For example, the controller may be responsible for obtaining individuals’ consent to the processing of their personal data, while the data processor may be responsible for implementing appropriate technical and organisational measures to protect personal data.

“Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”

2. Execution of the processing (art. 28 sub 3 (a) GDPR)

The execution of processing is like the moves made during the game. Both the data processor and data controller need to agree on how personal data will be processed, and the agreed provisions must be included in the DPA so that both parties are bound by them. The DPA should outline how the processor will process the personal data for the benefit of the controller, in a manner necessary for the performance of the DPA. It is crucial to mention that the data processor should only process personal data on behalf and under the instruction of the data controller, and must not use the data for any other purpose.

“That contract or other legal act shall stipulate, in particular, that the processor:

(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;”

2. Confidentiality (art. 28 sub 3 (b) GDPR)

Including a confidentiality clause in the DPA allows the processor to guarantee that all personal data they process for the controller will be kept strictly confidential. The processor should inform all employees and/or authorized sub-processors involved in processing the personal data about the confidential nature of the information and the personal data. Just as a player in a game would not share the game strategy with anyone outside the team, the processor must keep personal data confidential and ensure that it is only shared with those who have a legitimate need to access it.

“That contract or other legal act shall stipulate, in particular, that the processor:

(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;”

3. Security (art. 28 sub 3 (c) GDPR)

In the game of data processing, each team needs to have a strong defense to prevent the opposing team from scoring, both the data controller and the data processor need to have appropriate measures in place to protect personal data. The controller may have a solid defense strategy in place, but if the processor fails to implement the same level of protection, the personal data is still at risk.

Therefore, the data processor should also implement appropriate technical and organizational measures, just like a team would have to train hard to develop their defense strategy. These measures can be based on standardized norms such as ISO 27001, which is globally recognized as a standard for appropriate information security measures. Additional standards, such as NEN 7510 in the Netherlands, may be required if personal data concerning health is processed.

The DPA should specify the technical and organizational measures to be implemented so that the controller can ensure that the processor’s measures provide at least the same level of protection as their own. This ensures that both parties are playing defense together, making it harder for any attackers to score against them.

“That contract or other legal act shall stipulate, in particular, that the processor:

(c) takes all measures required pursuant to Article 32;”

4. Sub-processors (art. 28 sub 3 (d) GDPR)

The data processor may be the captain of a team, with the data controller as the coach. Just as a captain may assign certain tasks to teammates to ensure the success of the team, a processor may hire sub-processors to assist with processing personal data on behalf of the controller. However, just as a captain must get approval from the coach before making any major decisions, the processor must obtain the prior written consent of the data controller before hiring any sub-processors.

Furthermore, just as all members of a team must adhere to the same rules and strategies set by the coach, any sub-processors hired by the processor must also be subject to the same data protection obligations as the processor itself. This ensures that the controller’s data is always handled in a secure and responsible manner.

In some cases, the parties may agree that the processor can change sub-processors without prior consent as long as notice is given to the controller and the controller is given the opportunity to object to it to ensure that the team works cohesively towards the same goal.

“That contract or other legal act shall stipulate, in particular, that the processor:

(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;”

“The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.”

“Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.”

5. Assistance in upholding GDPR obligations (art. 28 sub 3 (e) GDPR)

Just like in a team, everyone has a specific role to play to achieve the goal of winning. In the case of the DPA, the data controller is responsible for ensuring compliance with the GDPR, but the data processor also has an important role to play in helping the controller fulfill these obligations.

This is especially important when it comes to data subjects’ rights. The data processor should assist the data controller in responding to data subject requests, such as requests for access, rectification, erasure, or restriction of processing. This means that the processor should work together with the controller as a team, just like players on a sports team, to respond to these requests in a timely and efficient manner.

By working together, the data processor can assist the data controller in completing requests from data subjects by providing the necessary data or deleting it as requested. This cooperation is essential for ensuring that the controller can fulfill its obligations under the GDPR and maintain the trust of the data subjects whose personal data is being processed.

“That contract or other legal act shall stipulate, in particular, that the processor:

(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;”

6. Data breach notification (art. 28 sub 3 (f) GDPR)

There should be a plan in place in case of an unexpected event that could affect the performance of the team. The data processor should have a clear procedure in place that defines what steps to take in case of a data breach. This procedure should be agreed upon with the data controller to ensure that everyone is on the same page.

If a data breach occurs, the data processor must immediately notify the data controller. To ensure timely reporting, it is beneficial to include the 72-hour deadline in the DPA. This will help the data processor and data controller understand the urgency and importance of reporting the data breach as soon as possible.

“That contract or other legal act shall stipulate, in particular, that the processor:

(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;”

7. Duration, termination and deletion (art. 28 sub 3 (g) GDPR)

The DPA must always be part of a main agreement that outlines details like pricing and service levels. This is obvious: after all, without services, no personal data would need to be processed on behalf of the controller. The duration of the DPA is tied to the length of the main contract, so when the main contract ends, the DPA also ends.

The DPA should include information on what will happen to personal data when the agreements end. The processor must delete or return the personal data to the controller at the controller’s discretion. Additionally, the processor must destroy all copies of the personal data since they will no longer be needed.

“That contract or other legal act shall stipulate, in particular, that the processor:

(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;”

8. Compliance & audit (art. 28 sub 3 (h) GDPR)

Regular audits are like referee checks to make sure that all players are following the rules. The data controller is responsible for ensuring compliance with applicable laws and regulations, as well as the agreements with the processor. To verify compliance, the controller should have the right to audit the data processing activities of the processor. This allows the controller to check whether the processor is playing by the rules and protecting the personal data as agreed upon.

The processor should cooperate with the controller’s audits and provide all necessary information to demonstrate compliance. If the processor does not cooperate, it’s not a fair game. In such cases, the controller may suffer a disadvantage, which can lead to legal and reputational risks.

“That contract or other legal act shall stipulate, in particular, that the processor:

(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.”

In summary

Ensuring compliance with GDPR Article 28 is crucial for both data controllers and processors. A DPA should be established to ensure that the processor handles personal data responsibly and in accordance with the GDPR. This agreement should address various aspects such as technical and organizational measures, sub-processing, data breach notification, compliance and audit, and duration, termination, and deletion.

It’s important to keep in mind that if the data processor operates outside the EU or if they have servers or facilities outside the EEA, additional conditions may apply for processing personal data. This is particularly relevant in terms of potential transfers of personal data outside the EEA, which must be in compliance with the GDPR. To learn more about this topic, we invite you to check out our blog posts on international personal data sharing (see sidebar).

Did you know that a DPA doesn’t necessarily have to be a separate, fancy-pants document? It can actually be part of another agreement. It doesn’t need its own signature because it’s already covered by the main agreement. But don’t forget that the DPA still needs to be editable separately in case of changes to circumstances or processing. A DPA can be made available in various formats, such as via a website and referred to from the main agreement. Many large technology companies choose this method for their DPAs.

Great to know that you have taken the initiative to safeguard your customers’ personal data by crafting an effective DPA. At NAALA, our team of experts is ready to assist you in drafting or reviewing your DPA. In case you have further privacy-related questions, please feel free to contact us. We are always happy to be your trusted privacy officer and guide you towards GDPR compliance.

Questions? We are happy to discuss your specific case.


This blog post will provide you with an update on the current state of play and the available transfer mechanisms, including the new EU-US Privacy Shield replacement and other supplementary measures. Keep reading to discover how to safely and legally transfer personal data from the EU to the US.

Are you looking for a way to structure your security management efforts in a uniformly recognizable way? The international ISO 27001 norm provides organizations with guidance for the implementation of an information security management system. 

The frequent (digital) storage and sharing of this sensitive information must be secure and following privacy legislation, hence a high information security standard is required. ISO 27001 provides guidelines to organizations for secure storage and sharing of information. NEN 7510 is a Dutch information security standard specifically for the healthcare industry.

The other side of the world is becoming more accessible. Data is flowing from one continent to another. This brings tremendous opportunities, but also raises questions. How should you, as an organization, deal with such data? Which laws are important for this? 

Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only. Changes in legal or regulatory requirements may occur at short notice, which we cannot reflect on a daily basis.