When do I need a processing agreement?

As soon as you have personal data processed by an external party, for example your accountant, email marketing tool or cloud storage service.

What is the difference between a controller and a processor?

The controller determines the purpose and means of processing. The processor processes data solely on behalf of the controller.

What Is a Processing Agreement?

A processing agreement is mandatory when you have personal data processed by an external party. Learn what it must contain and download our free template.

What is a processing agreement?

A processing agreement (also known as a Data Processing Agreement or DPA) is a contract required under the GDPR when an organisation has personal data processed by another party. This contract governs the responsibilities and obligations of both parties.

When do you need a processing agreement?

You need a processing agreement when you share personal data with an external party that processes this data on your behalf. Examples include:

Your accountant who has access to employee data
An email marketing tool such as Mailchimp or ActiveCampaign
Your cloud storage service (Google Workspace, Microsoft 365)
An external payroll processor

What must it contain?

The GDPR (Article 28) requires a processing agreement to cover at least the following topics:

The subject and duration of the processing
The nature and purpose of the processing
The type of personal data and categories of data subjects
Security measures
Engagement of sub-processors
Assistance with data subject requests
Data breach notification obligations
Deletion or return of data upon termination

What if you don’t have a processing agreement?

Without a processing agreement, you are in breach of the GDPR. The supervisory authority can impose fines of up to 10 million euros or 2% of your annual turnover, whichever is higher.