Startups, SaaS companies, and businesses subject to GDPR using third-party tools like payroll platforms, CRM, email marketing, HR software, or cloud hosting that handle personal data.
Readers will gain clarity on distinguishing processors from controllers, ensuring compliant DPAs, reviewing sub-processors and transfers, and simple steps to map and fix gaps for full compliance.
Key Takeaways
- A DPA is legally required under GDPR Article 28 when using any supplier as a processor for personal data.
- Controllers decide purposes; processors follow instructions. This distinction is what allocates responsibility under GDPR.
- DPAs must detail the scope of processing and impose obligations on security, confidentiality, sub-processor consent, audits, and data return or deletion.
- Check supplier standard DPAs for compliance, sub-processors lists, and EEA transfer safeguards like SCCs.
- A lack of DPAs exposes you to fines and due diligence hurdles; maintain a processor register.

What Is a Data Processing Agreement (DPA)?
A data processing agreement is a contract between you and a supplier that sets out how they are permitted to handle personal data you share with them.
It exists because GDPR places obligations not just on companies that collect data, but on every party in the chain that handles it.
When you hand personal data to a supplier, whether your employees' payroll information, your customers' email addresses, or your users' account details, that supplier becomes legally bound as to how they may use it.
The DPA is the document that makes those obligations enforceable.
What's the Difference Between a Controller and a Processor?
This distinction is the foundation of how GDPR allocates responsibility. You are the controller if you decide why personal data is collected and what it's used for.
Your supplier is the processor if they handle that data solely on your instructions, without deciding what to do with it themselves.
Here's a practical example.
You run a SaaS company with 50 employees. You use a payroll platform to process salaries. You decide which employees are paid, how much, and when. The payroll platform processes that data according to your instructions. You are the controller. The payroll platform is the processor. A DPA is required.
The distinction matters because controllers carry the primary legal responsibility under GDPR. Processors have their own obligations, but if something goes wrong, regulators will look first at the controller, which is you.
It is important to be aware that some suppliers are not processors at all. If a supplier collects personal data independently and decides how to use it for their own purposes, they are a controller in their own right. In that case you need to understand their
When Is a DPA Legally Required?
A DPA is required under Article 28 of the GDPR any time a controller uses a processor. In practice, that means almost every third-party tool a startup uses.
Common examples include:
- Payroll platforms — processing employee names, salaries, bank details, tax information
- CRM software — storing customer and prospect contact data
- Email marketing platforms — holding subscriber lists and engagement data
- Cloud hosting providers — storing any personal data that lives in your infrastructure
- HR software — employee records, performance data, leave management
- Customer support tools — tickets containing customer personal information
- Accounting software — client and supplier financial data
- Video conferencing tools — names, email addresses, meeting recordings
If a supplier touches personal data and processes it on your behalf, a DPA is required. There is no minimum threshold of data volume that triggers the requirement.
What Must a DPA Contain?
At a minimum, the DPA must set out:
- The subject matter and duration of the processing
- The nature and purpose of the processing
- The type of personal data involved and the categories of data subjects
- The obligations and rights of the controller
Beyond that framing, the DPA must require the processor to:
- Only process data on documented instructions from the controller
- Ensure that anyone with access to the data is bound by confidentiality obligations
- Implement appropriate technical and organisational security measures
- Not engage sub-processors without the controller's prior consent
- Assist the controller in responding to data subject requests (access, erasure, correction)
- Assist with breach notifications and security obligations
- Delete or return all personal data at the end of the contract
- Provide the controller with all information necessary to demonstrate compliance, including allowing audits
If any of these elements are missing, the agreement does not satisfy the Article 28 requirement, even if both parties signed it.
How to Handle Suppliers Who Provide Their Own Standard DPA
Most large suppliers - Google, Salesforce, Mailchimp, HubSpot, AWS - have standard DPAs that you agree to as part of their terms of service, often by ticking a box or accepting updated terms. This is common and generally acceptable, but there are things worth checking, which are outlined below.
Does their DPA actually cover Article 28?
Large, well-resourced suppliers usually have compliant DPAs drafted by experienced privacy counsel. Smaller or newer suppliers may not. Check that the mandatory elements are all present.
Who are their sub-processors?
Most suppliers use sub-processors: third parties with whom they in turn share your data. A compliant DPA will list these or link to a regularly updated register. Review it. If a sub-processor is in a country outside the UK or EEA, additional transfer safeguards are required.
What happens to your data when you leave?
The DPA should specify that data is returned or deleted at the end of the relationship, on your request, within a defined timeframe. In our experience, vague commitments here are worth pushing back on and requesting additional information.
Can you actually audit them?
Article 28 requires processors to allow audits. In practice, large suppliers offer audit reports (SOC 2, ISO 27001) rather than letting customers conduct their own. This is generally accepted, but the right should be reflected in the DPA.
Ensure that you keep a record of where each supplier's DPA is located, whether it's a signed document, a URL in their terms, or a setting in your account. If the Data Protection Commission ever asks, you need to be able to produce it quickly.
What About Data Transfers Outside the EEA?
If your processor is based outside the European Economic Area, or uses sub-processors that are, additional safeguards are required under Chapter V of the GDPR.
The most common mechanism is Standard Contractual Clauses (SCCs), which are pre-approved contract terms issued by the European Commission that can be incorporated into or attached to your DPA.
Many large US-based suppliers handle this automatically in their standard terms. But for smaller or less established suppliers, this is worth checking explicitly.
Transferring personal data to a processor in a country without adequate protections, without SCCs or another valid mechanism in place, is a separate GDPR violation on top of any DPA shortcoming.
What Happens If You Don't Have a DPA?
The absence of a DPA is itself a breach of Article 28, even if the underlying data is being handled appropriately.
The DPC has the power to fine organisations up to €10 million or 2% of global turnover for breaches of Article 28, though enforcement generally prioritises high-risk or systemic breaches.
In practice, the DPC tends to focus enforcement on larger organisations, but the legal exposure exists regardless of company size.
More practically, the absence of DPAs will come up in due diligence if you raise investment or go through an acquisition process. Investors and acquirers expect to see a
A Simple Starting Point
- List every supplier that receives personal data from your business
- Identify whether they are a processor (acting on your instructions) or a controller in their own right
- Check whether a DPA is already in place, often buried in their terms of service
- For any gaps, request a DPA or accept theirs if it covers the Article 28 requirements
- Keep a central record of where each DPA is held
This doesn't need to be a large project. For most early-stage companies, the list of processors is short, and most major suppliers already have standard DPAs available.

Laura Ryan is a practising Barrister at the Bar of Ireland. She graduated from the Honourable Society of King’s Inns in 2024, having previously qualified and practised as a Chartered Accountant in a big four accounting firm.