Data Processing Agreements (DPAs) – heyData creates transparency

Data Processing Agreements (DPAs) – heyData creates transparency


In day-to-day business, a Conclusion of a Data Processing Agreements (DPAs) is a measure that is intended to strengthen consumer data protection due to the new, stricter EU requirements. If personal data is forwarded to third parties and processed, a so-called DPA is often concluded. The need for an DPA contract arises from a classic scenario. If a company (client) commissions another company (contractor) to view and process personal data, the responsibility for this data lies with the client. The contractor must at all times provide all necessary guarantees in accordance with Article 28 of the General Data Protection Regulation (GDPR). This article states that the processing of personal data may be carried out on behalf of the controller. Improper processing of personal data can lead to fines and a loss of image!

When is an DPA necessary?

The need for an DPA arises from a classic scenario. If a company (client) commissions another company (contractor) to view and process personal data, the responsibility for this data lies with the client. The contractor must at all times provide all necessary guarantees in accordance with Article 28 of the General Data Protection Regulation (GDPR). This article states that the processing of personal data may be carried out on behalf of the controller. Improper processing of personal data may result in fines and a loss of image!

Which data are considered personal?

Personal data is information that makes a person identifiable. On the Internet, we often come across the following data queries:

  • Name
  • address
  • E-mail contact information
  • telephone numbers
  • Account / credit card information
  • Dates of birth
  • IP addresses
  • Physical characteristics
  • Certificates or attestations

This is therefore very sensitive data. When processing this information, care must always be taken to determine whether external access is absolutely necessary for the performance of an activity.

Is the transfer of personal data to a business partner always commissioned processing?

No, from a legal point of view, commissioned processing only exists if the processing of personal data is carried out on behalf of the client and forms the main core of the agreed service. Commissioned services that do not mainly cover the area of data processing do not require the conclusion of an DPA.

Practical example:

  • A company providing maintenance of a printer (physical hardware, not software) does not usually require the conclusion of a contract processing agreement, because the core of the service provided is not the processing of personal data, but the maintenance of a device.
  • Confidential holders such as auditors or tax consultants are also not required to conclude a GCP. These professional groups are bound to secrecy by profession and therefore do not need an DPA.

In contrast, an advertising agency that sends out advertising flyers on behalf of a company and uses personal data such as postal or e-mail addresses, for example, must conclude a GDPR because the agency receives the address data from the client and must process it.

Other examples of a necessary DPA are:

  • Outsourcing of email management
  • External data collection
  • External backups
  • Data carrier disposal
  • External call center

Of course, it is difficult to precisely define the need for an DPA, and the boundaries often overlap. One important indicator of the need for an DPA contract is the authority to give instructions. If the external service provider is not authorized to decide freely on the performance and nature of the service, there is a binding of instructions to the client, and this makes an DPA contract mandatory.

Consulting services on the DPA contract? heyData is your reputable partner!

Regarding the administration of an DPA contract, heyData keeps track of everything. We provide you with legally compliant contract templates and are happy to advise you!

We support you as a client in the following points:

  • Provision of a legally compliant order processing contract
  • Advice on possible risks with the individual service providers
  • Monitoring of compliance with data protection obligations by the contractors

We support contractors in the following points:

  • Advice on the correct structuring of cooperation with clients in accordance with data protection law
  • Drafting of a legally secure order processing contract
  • Instructions on the correct implementation of the obligations arising from the GCU

heyData brings light into the darkness - The contents of the DPA contract

Drawing up an DPA contract (DPA DSGVO) causes difficulties for many companies, as there are many details to consider. heyData is your competent partner when it comes to the correct and data protection-compliant drafting of your DPA contract.

The following points have to be considered for an DPA contract:

1. Clarity of the contracting parties

The GC must name the client and the contractor (data processing party).

The object of the contract and the purpose of the processing of personal data must be defined here. The groups of persons concerned must also be named. To save space, this information can also be listed in an attachment.

2. Obligation of the client.

The principal has the constant responsibility for the processing of personal data and must protect the rights of the data subjects. He appoints persons authorized to give instructions. Irregularities or processing errors shall be written down.

3. Contractor obligations.

The contractor may only process data defined in the service agreement. In the event of a legal violation, the client must be informed immediately. The obligations of the contractor represent the core of an DPA, since data is handled in this processing area.

4. The Data Protection Officer.

If there is an external or internal data protection officer, this information will be included. Consultation with a data protection officer is recommended - heyData will be happy to advise you on this topic.

5. Reporting obligations of the contractor.

The contractor must guarantee compliance with data protection. In case of violations of the GDPR or other contractual obligations, the client must be notified immediately.

6. Cooperation of the Contractor.

The Contractor shall be obliged to support the Client in all areas relating to the processing of data. This shall include the handling of requests relating to the exercise of data subject rights and the preparation of processing lists.

7. Data protection control

The Client is legally authorized to check compliance with the GDPR at any time. An inspection at the Contractor's business premises shall be made possible.

8. Definition of a subcontracting relationship.

If the contractor is contractually permitted to employ a subcontractor, this must be written down in detail.

9. Confidentiality

Deut Contractor and its employees are obliged to maintain confidentiality when personal data is processed. The client's confidentiality rules must be observed.

10. Rights of data subjects.

According to Art. 12-23 GDPR, the client is obliged to process requests from data subjects. The Contractor is placed under the obligation to support the Client in this regard.

11. Disclosure of measures

The contractor is obliged to disclose all technical and organizational measures.

12. Duration of Cooperation

The start and termination of the contractual relationship is defined. Termination modalities are recorded.

13. Termination of the cooperation

Documents, data and all further results are to be handed over to the client or also deleted.

14. Closing clause

Defined final provisions are recorded.


In conclusion, a Data Processing Agreement (DPA) is an important measure to ensure data protection when processing personal data. You should be aware that the transfer of data to third parties and its processing can involve significant legal and financial risks if adequate safeguards are not in place.

An DPA regulates your rights and obligations as well as those of the contractor, thus creating transparency and legal certainty. It specifies how the data will be processed, what security measures must be taken, and how to deal with data breaches.

It is important that you carefully consider the need for an DPA and make sure that you work with trustworthy and reliable contractors. A reputable partner like heyData can assist you in creating and implementing an DPA and ensure that all legal requirements are met.

Protecting personal data is crucial in today's digital world. You need to make sure that you respect your customers' privacy and take all necessary measures to protect their data. A well-structured and comprehensive DPA is an important step in this direction.

If you have any questions about data protection and order processing contracts, heyData is happy to help. Trust our expertise and let's work together to make sure your data is safe and secure.

Do you have questions about data protection and DPAs? - heyData will be happy to advise you - Contact us!

About the Author

More articles

The biggest mistakes in contract and data protection management

Contract and data protection management platforms primarily help to save costs and time and simplify the day-to-day handling of data protection and contract law issues. Here you can find out which mistakes you should avoid.

Learn more

The confidentiality agreement and GDPR

What is a declaration of confidentiality according to DSGVO and what do I have to pay attention to? More in the article

Learn more
What's going to happen if I don't follow compliance requirements?

The consequences of non-compliance

Non-compliance with data protection laws can result in severe penalties, reputation damage, and legal disputes. In this article, we explore the consequences of non-compliance and emphasise the importance of compliance to gain customer trust and secure business success.

Learn more

Get to know our team today, with no obligations!

Contact us