GDPR Data Processing Agreements (DPAs) are legally binding contracts required under GDPR Article 28 between data controllers and data processors that define the scope, nature, and purpose of data processing, along with the obligations and rights of each party. DPAs ensure that processors handle personal data only on documented instructions from controllers and implement appropriate security measures.
A GDPR-compliant DPA must include the provisions mandated by Article 28(3): the subject matter and duration of processing, the nature and purpose of processing, the types of personal data and categories of data subjects, and the controller's obligations and rights, together with commitments that the processor acts only on documented instructions from the controller, binds its personnel to confidentiality, implements security measures per Article 32, engages sub-processors only with the controller's prior specific or general written authorization and flows the same obligations down to them, assists the controller with data subject rights and with its security, breach-notification and impact-assessment obligations (Articles 32 to 36), deletes or returns the personal data at the end of the engagement, and makes available all information needed to demonstrate compliance, including submitting to audits and inspections. DPAs must be in writing (including electronic form) and are typically annexed to the main service agreement. Organizations acting as both controller and processor for different data sets may require bidirectional DPAs. Sub-processor chains require the primary processor to impose equivalent DPA obligations on all sub-processors, creating contractual cascades that extend GDPR protections through entire supply chains; the primary processor remains fully liable to the controller for any sub-processor's failure to perform those obligations.
Processing personal data without a valid DPA is itself a GDPR violation; as a breach of Article 28 it carries administrative fines under Article 83(4) of up to 10 million euros or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. DPAs are the contractual mechanism through which controllers extend their GDPR obligations to every third party that touches personal data. Without DPAs, organizations have no contractual basis to require processors to implement security measures, report breaches without undue delay, or assist with data subject requests. The complexity of modern SaaS supply chains means organizations may need hundreds of DPAs, each requiring review, tracking of sub-processor changes, and ongoing management.
CDA addresses DPA management within the Data Protection and Sovereignty domain as a C-BUILD deliverable. Our missions provide DPA templates aligned with EDPB guidance, establish processor inventory and DPA tracking systems, implement sub-processor monitoring workflows, and conduct DPA gap assessments to identify missing or non-compliant agreements.