Data Processing Agreements
What a data processing agreement under Article 28 GDPR must contain, how liability is allocated between controller and processor, and what requirements apply to sub-processors.
When a controller engages another party, such as a cloud provider, a payroll service, or an email marketing platform, to process personal data on its behalf, that party is a processor within the meaning of Article 4(8) GDPR and the arrangement falls under Article 28 GDPR. The processor handles the data solely on the documented instructions of the controller (Article 28(3)(a), Article 29); a processor that starts determining the purposes and means of the processing itself is treated as a controller for that processing (Article 28(10)).
Data Processing Agreement
The fundamental requirement is the conclusion of a data processing agreement (DPA), which must be a binding contract or other legal act in writing, including in electronic form (Article 28(3) and (9)). Article 28(3) GDPR sets out the mandatory contents of such an agreement: the subject matter and duration of the processing, its nature and purpose, the type of personal data, the categories of data subjects, and the obligations and rights of the controller. Engaging a processor without a valid DPA infringes Article 28 and exposes both parties to administrative fines under Article 83(4)(a) GDPR; it also leaves the controller unable to show that it has met its accountability obligation under Article 5(2).
The agreement must impose specific obligations on the processor (Article 28(3)(a) to (h)): it may process data only on documented instructions from the controller, including with regard to transfers to third countries, unless required to do so by Union or Member State law, in which case it must inform the controller before processing; it must ensure that all persons authorised to process the data are bound by contractual or statutory confidentiality obligations; it must implement the technical and organisational measures (TOMs) required by Article 32 to ensure data security; it must respect the conditions for engaging sub-processors; it must assist the controller in responding to data subject requests and in meeting the obligations under Articles 32 to 36 (security, breach notification, data protection impact assessments); it must delete or return all personal data at the end of the service, at the controller's choice, and delete existing copies unless Union or Member State law requires storage; and it must make available all information necessary to demonstrate compliance with Article 28. The processor must also inform the controller immediately if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection law.
Audit Rights and Sub-processors
Audit rights are an important element: under Article 28(3)(h) GDPR, the processor must allow for and contribute to audits, including inspections, conducted by the controller or by another auditor mandated by the controller. In practice, on-site inspections are frequently replaced by the provision of recognised certifications (e.g. ISO 27001) or third-party assurance reports (e.g. SOC 2 reports). These can serve as evidence of compliance, and adherence to an approved code of conduct or an approved certification mechanism under Articles 40 and 42 may be used as an element to demonstrate sufficient guarantees (Article 28(5)), but they do not replace the controller's audit right itself: the DPA must still provide for audits, and the controller should verify that the scope of any certification or report actually covers the services and locations used for its data.
Regarding sub-processors: the processor may engage a further service provider only with the prior specific or general written authorisation of the controller (Article 28(2) GDPR). Where a general authorisation is given, the processor must inform the controller of any intended addition or replacement of sub-processors, giving the controller the opportunity to object. The processor must pass on the same data protection obligations set out in its own DPA to the sub-processor by contract, and where the sub-processor fails to fulfil them, the initial processor remains fully liable to the controller for the performance of the sub-processor's obligations (Article 28(4)). Towards data subjects, liability for damage is allocated by Article 82: a processor is liable only where it has not complied with obligations specifically directed to processors or has acted outside or contrary to the controller's lawful instructions (Article 82(2)), and where both are responsible for the same damage, each can be held liable for the entire damage with a right of recourse against the other (Article 82(4) and (5)).
Joint Controllership Distinguished
Data processing arrangements must be distinguished from joint controllership under Article 26 GDPR. Where two or more parties jointly determine the purposes and means of processing, they are joint controllers. Instead of a DPA, a transparent arrangement between them is required that sets out their respective responsibilities, in particular for exercising data subject rights and providing information under Articles 13 and 14; the essence of this arrangement must be made available to data subjects (Article 26(1) and (2)). The distinction is frequently complex in practice, as the CJEU has emphasised in its case law (e.g. Wirtschaftsakademie Schleswig-Holstein, C-210/16, and Fashion ID, C-40/17), where parties that merely embedded a third party's plugin or operated a fan page were nonetheless held to be joint controllers for the stages of processing whose purposes and means they co-determined.