A Data Processing Agreement (DPA) is required under GDPR Article 28 whenever a data controller shares personal data with a data processor. This article explains what a DPA must contain, who needs one, and how to collect them efficiently.
A Data Processing Agreement (DPA) is a legally binding contract between a data controller (the organisation that determines why and how personal data is processed) and a data processor (a third party that processes data on the controller's behalf). Under GDPR Article 28, this agreement is mandatory whenever you engage a processor to handle personal data.
Common examples where a DPA is required include: using a cloud software provider that stores customer data, engaging a marketing agency to process email lists, using a document automation platform that processes personal information submitted by your clients, or using a payroll provider that processes employee data.
Article 28(3) of GDPR specifies the minimum content of a valid DPA. A compliant DPA must include:
Any EU or UK-based organisation (or organisation processing EU/UK residents' data) that shares personal data with a third-party service provider needs a DPA with that provider. This includes virtually every SaaS tool your organisation uses that has access to personal data — from your CRM to your email platform to your document management tool.
Note: Docuplete's DPA is available to all paid subscribers. If you use Docuplete to collect personal data from your clients, Docuplete acts as a data processor and the DPA establishes the required contractual framework. Contact hello@docuplete.com to request the DPA.
If you are a data processor yourself — for example, a software provider, agency, or managed services firm — you need to collect signed DPAs from your clients before processing their data. If you have many clients or renew DPAs regularly after policy updates, this can become a significant administrative task.
Docuplete can automate this. Upload your DPA PDF template, map the client fields, and send each client a unique link to review and sign. The signed DPA is delivered as a timestamped PDF with an RFC 3161 qualified timestamp — providing evidence of exactly when the agreement was executed and which version was signed.
Tip: Every signed DPA collected through Docuplete receives an RFC 3161 trusted timestamp and SHA-256 hash verification — giving you an audit-ready record of when each client agreed to your data processing terms and the exact document version they signed.
A DPA is a controller-to-processor agreement — it is not the same as consent. Consent is collected from data subjects (the individuals whose data you process). A DPA is agreed between businesses in the supply chain. Both may be required: a DPA with your service providers, and a privacy policy acknowledgment or consent form with your end users.