How GDPRWise Works | Updated: 7 April 2026 | 4 min read

Your Third-Party Dossier: When External Services Process Personal Data

Most of the time you are simply using a service, and the sharing of personal data is a side effect. Your third-party dossier maps all external services where third parties are involved in processing personal data.

Key Takeaways
  • Most SMEs share personal data with 10 to 30 external parties - often more than they realise
  • Think in four categories to check completeness: professional services, online tools, social media, and hosting
  • The platform generates data processing agreements (DPAs) you can send directly to your processors
  • You don't have to map all third parties at once - work category by category

You share more data than you think

Ask yourself: how many external parties have access to personal data from your customers, employees, or website visitors? Most business owners guess three or four. In reality, the average SME shares data with 10 to 30 parties.

Your accountant sees customer details. Your email tool processes email addresses. Your CRM stores contact history. Your website sends data to Google Analytics. Your hosting provider has access to server logs. And that’s before considering your occupational health service, insurer, or invoicing tool.

Under the GDPR, you are responsible for what all those parties do with the data. That starts with knowing who they are.

The scan gets you started

The GDPRWise scan automatically discovers third parties that have an integration with your website. CRM tools, social media integrations, form providers, advertising platforms, analytics services, chat widgets - if they connect to your site, the scan picks them up and adds them to your third-party dossier.

This gives you a solid starting point. But not all third parties are connected to your website. Your accountant, insurer, or occupational health service won’t show up in a website scan. To help you find those, think in four categories and check each one for completeness.

Four categories to check for completeness

1. Professional service providers

Parties you hire for specific tasks that involve personal data:

  • Accountant - sees financial records, payslips, VAT numbers
  • Lawyer or legal adviser - receives case files in disputes
  • Occupational health service - processes employee health data
  • Insurer - receives personnel and business data

2. Online tools and software

The digital tools you use daily that store or process data:

  • CRM system - customer data, contact history, notes
  • Email tool - email addresses, open and click behaviour, lists
  • Accounting software - invoice data, customer and supplier details
  • Project management - task descriptions, team communication
  • Cloud storage - documents, files, backups

3. Social media and advertising

Platforms where you share data, often without realising it:

  • Facebook and Instagram - pixels, custom audiences, lead forms
  • LinkedIn - company page analytics, ad targeting
  • Google Ads - conversion tracking, remarketing, keyword data
  • TikTok and YouTube - pixels, analytics, ad campaigns

4. Hosting and infrastructure

The technical foundation your business runs on:

  • Web hosting provider - server logs, IP addresses, email traffic
  • IT administrator - access to systems and data

GDPRWise generates your processing agreements

For every third party that processes personal data on your behalf, you need a data processing agreement (DPA). This is a legal requirement. GDPRWise makes it simple: the platform automatically generates a professional DPA you can send directly to the party in question.

Each generated agreement covers all mandatory elements:

  • Which data is processed
  • The purpose of the processing
  • The security measures expected
  • What happens when the relationship ends

Many major software vendors already have their own DPA. GDPRWise also helps you request and register those in your dossier.

Build your dossier step by step

You don’t need to map all third parties at once. Work category by category:

  1. Start with your online tools - check your email tool, CRM, and accounting software, and note which parties they are
  2. Add your professional service providers - accountant, lawyer, occupational health service
  3. Check your website - GDPRWise automatically detects many external scripts and tools
  4. Don’t forget hosting - your web host and IT administrator almost always process data

For each party, record which data they process, why, and whether you already have a DPA. GDPRWise tracks which agreements are still missing and sends you reminders.

It’s not complicated and it doesn’t have to be done all at once. The most important thing is to start.

Map your third parties

GDPRWise helps you identify every external party that has access to your personal data, including automatically generated processing agreements.

GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.