Updated: 7 April 2026
Template: Data Processing Agreement (DPA)
A data processing agreement is mandatory with every party that processes personal data on your behalf. Use this template as a basis, customise it for your situation, and sign it with your processors.
Key Takeaways
You need a data processing agreement with every party that processes personal data on your behalf
Think of your accountant, email tool, cloud storage, payroll provider, and website host
Without a processing agreement, you risk a fine of up to 10 million euros or 2% of annual turnover
Many large processors (Google, Microsoft, Mailchimp) offer standard DPAs that you can accept online
When do you need a processing agreement?
As soon as you have personal data processed by an external party, you are required to enter into a data processing agreement (also called DPA - Data Processing Agreement). This is not optional - it is a legal requirement under Article 28 of the GDPR.
Many business owners think this only applies to large companies or complex IT systems. But if you have an accountant who has access to your customer data, or if you use Mailchimp for your newsletter, you already need a processing agreement.
Common processors for SMEs
Accountant - has access to customer and employee data
Email marketing (Mailchimp, ActiveCampaign, Sendinblue) - stores email addresses and behavioural data
Cloud storage (Google Workspace, Microsoft 365, Dropbox) - stores files that may contain personal data
Website host (various providers, Cloudflare) - processes IP addresses and sometimes form data
CRM system (HubSpot, Salesforce, Teamleader) - contains customer data
Payroll provider - processes employee data
Booking platform (Booking.com, own booking system) - customer and payment data
The template
The template below covers the minimum requirements of Article 28 GDPR. Customise it with your own business details and the specific processing details.
Data Processing Agreement - basic template
DATA PROCESSING AGREEMENT
Between:
[Organisation name], established at [address], hereinafter "Controller"
And:
[Processor name], established at [address], hereinafter "Processor"
1. SUBJECT AND DURATION
This agreement governs the processing of personal data by the Processor on behalf of the Controller. The agreement takes effect on [date] and applies for the duration of the collaboration.
2. NATURE AND PURPOSE OF PROCESSING
The Processor processes personal data exclusively for the purpose of: [describe the purpose, e.g. "maintaining the accounts", "sending newsletters", "hosting the website"].
3. TYPE OF PERSONAL DATA
The following categories of personal data are processed: [e.g. name, email address, address, phone number, payment data].
4. CATEGORIES OF DATA SUBJECTS
The personal data concerns the following categories of persons: [e.g. customers, employees, website visitors, suppliers].
5. OBLIGATIONS OF THE PROCESSOR
The Processor shall:
a) Process personal data only on the basis of written instructions from the Controller
b) Ensure that persons authorised to process personal data are bound by confidentiality
c) Take appropriate technical and organisational measures to ensure the security of processing
d) Not engage another processor (sub-processor) without prior written consent of the Controller
e) Assist in fulfilling data subject requests (access, rectification, erasure)
f) Inform the Controller without delay (within 24 hours) of a data breach
g) Delete or return all personal data after the end of the service, unless storage is legally required
h) Make available all information necessary to demonstrate compliance and cooperate with audits
6. SUB-PROCESSORS
The Processor uses the following sub-processors: [list of sub-processors with name, location, and purpose]. Changes in sub-processors shall be reported in advance in writing to the Controller.
7. TRANSFERS OUTSIDE THE EEA
[If applicable:] The Processor transfers personal data to parties outside the European Economic Area. Appropriate safeguards are in place in accordance with [Standard Contractual Clauses / adequacy decision / other mechanism].
[If not applicable:] The Processor processes all personal data exclusively within the European Economic Area.
8. SECURITY MEASURES
The Processor shall take at minimum the following security measures:
- Encryption of data during storage and transport
- Access control and authentication (2FA)
- Regular backups
- Logging of access to personal data
- [Add specific measures]
9. DURATION AND TERMINATION
This agreement applies for the duration of the underlying service. Upon termination, the Processor shall delete all personal data within [number] days, unless legal retention obligations require otherwise.
Signed at [place] on [date]:
Controller: ________________________
Name:
Position:
Processor: ________________________
Name:
Position:
How to use this template
Fill in your own details and those of the processor
Be specific about the purpose, type of data, and categories of data subjects - “data processing” is too vague
Inventory sub-processors - ask your processor which third parties they engage
Check transfers - does your processor process data outside the EU? Then additional safeguards are needed
Have both parties sign and keep a copy
Processors that already have a standard DPA
Many large platforms offer their own processing agreement. In that case you don’t need to use this template, but check that their DPA covers the GDPR requirements:
Google Workspace - DPA available via Admin Console
Microsoft 365 - DPA part of service terms
Mailchimp - DPA available on their website
HubSpot - DPA available via account settings
Stripe - DPA part of service terms
AWS / Azure / Google Cloud - DPAs available per service
Always save a copy of the signed or accepted DPA.
Common mistakes
Not having a DPA with your accountant or payroll provider - these are processors
Using a generic template without customising it for the specific processing
Forgetting sub-processors - if your processor uses Zendesk for support, Zendesk is a sub-processor
Forgetting transfers outside the EU - many cloud services process data in the US
Not updating the DPA when the processing changes
Do you know which processors you work with?
GDPRWise scans your website and automatically detects which third parties have access to the personal data you process. So you know with whom you need a processing agreement.