Data Processing Agreements (DPAs) – heyData creates transparency

Data Processing Agreements (DPAs) – heyData creates transparency


In day-to-day business, a Conclusion of a Data Processing Agreements (DPAs) is a measure that is intended to strengthen consumer data protection due to the new, stricter EU requirements. If personal data is forwarded to third parties and processed, a so-called DPA is often concluded. The need for an DPA contract arises from a classic scenario. If a company (client) commissions another company (contractor) to view and process personal data, the responsibility for this data lies with the client. The contractor must at all times provide all necessary guarantees in accordance with Article 28 of the General Data Protection Regulation (GDPR). This article states that the processing of personal data may be carried out on behalf of the controller. Improper processing of personal data can lead to fines and a loss of image!

When is an DPA necessary?

The need for an DPA arises from a classic scenario. If a company (client) commissions another company (contractor) to view and process personal data, the responsibility for this data lies with the client. The contractor must at all times provide all necessary guarantees in accordance with Article 28 of the General Data Protection Regulation (GDPR). This article states that the processing of personal data may be carried out on behalf of the controller. Improper processing of personal data may result in fines and a loss of image!

Which data are considered personal?

Personal data is information that makes a person identifiable. On the Internet, we often come across the following data queries:

  • Name
  • address
  • E-mail contact information
  • telephone numbers
  • Account / credit card information
  • Dates of birth
  • IP addresses
  • Physical characteristics
  • Certificates or attestations

This is therefore very sensitive data. When processing this information, care must always be taken to determine whether external access is absolutely necessary for the performance of an activity.

Is the transfer of personal data to a business partner always commissioned processing?

No, from a legal point of view, commissioned processing only exists if the processing of personal data is carried out on behalf of the client and forms the main core of the agreed service. Commissioned services that do not mainly cover the area of data processing do not require the conclusion of an DPA.

Practical example:

  • A company providing maintenance of a printer (physical hardware, not software) does not usually require the conclusion of a contract processing agreement, because the core of the service provided is not the processing of personal data, but the maintenance of a device.
  • Confidential holders such as auditors or tax consultants are also not required to conclude a GCP. These professional groups are bound to secrecy by profession and therefore do not need an DPA.

In contrast, an advertising agency that sends out advertising flyers on behalf of a company and uses personal data such as postal or e-mail addresses, for example, must conclude a GDPR because the agency receives the address data from the client and must process it.

Other examples of a necessary DPA are:

  • Outsourcing of email management
  • External data collection
  • External backups
  • Data carrier disposal
  • External call center

Of course, it is difficult to precisely define the need for an DPA, and the boundaries often overlap. One important indicator of the need for an DPA contract is the authority to give instructions. If the external service provider is not authorized to decide freely on the performance and nature of the service, there is a binding of instructions to the client, and this makes an DPA contract mandatory.

Consulting services on the DPA contract? heyData is your reputable partner!

Regarding the administration of an DPA contract, heyData keeps track of everything. We provide you with legally compliant contract templates and are happy to advise you!

We support you as a client in the following points:

  • Provision of a legally compliant order processing contract
  • Advice on possible risks with the individual service providers
  • Monitoring of compliance with data protection obligations by the contractors

We support contractors in the following points:

  • Advice on the correct structuring of cooperation with clients in accordance with data protection law
  • Drafting of a legally secure order processing contract
  • Instructions on the correct implementation of the obligations arising from the GCU

heyData brings light into the darkness - The contents of the DPA contract

Drawing up an DPA contract (DPA DSGVO) causes difficulties for many companies, as there are many details to consider. heyData is your competent partner when it comes to the correct and data protection-compliant drafting of your DPA contract.

The following points have to be considered for an DPA contract:

1. Clarity of the contracting parties

The GC must name the client and the contractor (data processing party).

The object of the contract and the purpose of the processing of personal data must be defined here. The groups of persons concerned must also be named. To save space, this information can also be listed in an attachment.

2. Obligation of the client.

The principal has the constant responsibility for the processing of personal data and must protect the rights of the data subjects. He appoints persons authorized to give instructions. Irregularities or processing errors shall be written down.

3. Contractor obligations.

The contractor may only process data defined in the service agreement. In the event of a legal violation, the client must be informed immediately. The obligations of the contractor represent the core of an DPA, since data is handled in this processing area.

4. The Data Protection Officer.

If there is an external or internal data protection officer, this information will be included. Consultation with a data protection officer is recommended - heyData will be happy to advise you on this topic.

5. Reporting obligations of the contractor.

The contractor must guarantee compliance with data protection. In case of violations of the GDPR or other contractual obligations, the client must be notified immediately.

6. Cooperation of the Contractor.

The Contractor shall be obliged to support the Client in all areas relating to the processing of data. This shall include the handling of requests relating to the exercise of data subject rights and the preparation of processing lists.

7. Data protection control

The Client is legally authorized to check compliance with the GDPR at any time. An inspection at the Contractor's business premises shall be made possible.

8. Definition of a subcontracting relationship.

If the contractor is contractually permitted to employ a subcontractor, this must be written down in detail.

9. Confidentiality

Deut Contractor and its employees are obliged to maintain confidentiality when personal data is processed. The client's confidentiality rules must be observed.

10. Rights of data subjects.

According to Art. 12-23 GDPR, the client is obliged to process requests from data subjects. The Contractor is placed under the obligation to support the Client in this regard.

11. Disclosure of measures

The contractor is obliged to disclose all technical and organizational measures.

12. Duration of Cooperation

The start and termination of the contractual relationship is defined. Termination modalities are recorded.

13. Termination of the cooperation

Documents, data and all further results are to be handed over to the client or also deleted.

14. Closing clause

Defined final provisions are recorded.


In conclusion, a Data Processing Agreement (DPA) is an important measure to ensure data protection when processing personal data. You should be aware that the transfer of data to third parties and its processing can involve significant legal and financial risks if adequate safeguards are not in place.

An DPA regulates your rights and obligations as well as those of the contractor, thus creating transparency and legal certainty. It specifies how the data will be processed, what security measures must be taken, and how to deal with data breaches.

It is important that you carefully consider the need for an DPA and make sure that you work with trustworthy and reliable contractors. A reputable partner like heyData can assist you in creating and implementing an DPA and ensure that all legal requirements are met.

Protecting personal data is crucial in today's digital world. You need to make sure that you respect your customers' privacy and take all necessary measures to protect their data. A well-structured and comprehensive DPA is an important step in this direction.

If you have any questions about data protection and order processing contracts, heyData is happy to help. Trust our expertise and let's work together to make sure your data is safe and secure.

Do you have questions about data protection and DPAs? - heyData will be happy to advise you - Contact us!

About the Author

More articles

Personenbezogene Daten

Personal data and GDPR

What is personal data and how do you deal with it in a data protection compliant manner?

Learn more
Insurancy and heyData: Data Protection and Insurance

Data protection and insurance - Who pays when?

Data protection is an indispensable part of the business activities of companies and self-employed persons. Compliance with the GDPR is mandatory for all who process personal data. However, despite careful measures and precautions, data protection breaches can occur. In such cases, there is a threat of severe fines that can threaten the existence of companies.

Learn more
Die Rechtslage von ChatGPT

The legal status of ChatGPT

In the meantime, there are about AI tools and many different ways for companies to use artificial intelligence and integrate it into their everyday business. One of these technologies is ChatGPT, a conversational platform that can be used primarily for customer service and marketing.

Learn more

Get to know our team today, with no obligations!

Contact us