When you entrust the processing of personal data to a service provider, it is imperative that this relationship be supervised by a Data Processing Agreement (DPA). This contract, provided for by Article 28 of the GDPR, formalizes the obligations of each party and constitutes an essential document to prove compliance in the event of an audit or control.
What is a DPA?
The DPA, or data processing agreementis a contract between:
- THE data controller : the entity that decides on the use of the data (e.g. an e-commerce company),
- THE subcontractor : the service provider who processes the data on behalf of the company (e.g. a host, a payment tool, a CRM).
Without DPA, any processing outsourcing is illegal with regard to the GDPR.
Mandatory content
The GDPR imposes minimum content, which must be detailed in the contract:
- Purpose and duration of treatment.
- Type of data and data subjects (e.g. customers, employees, prospects).
- Nature and purpose processing (e.g. storage, analysis, HR management).
- Obligations of the subcontractor :
- act only on instructions from the person responsible,
- guarantee confidentiality and security,
- notify any data breach,
- assist in the exercise of people’s rights (access, erasure, portability),
- return or delete the data at the end of the contract,
- enable compliance audits.
Why is this crucial?
- Legal security : processing entrusted without DPA is not compliant with the GDPR.
- Proof of Compliance : in the event of a CNIL inspection, the DPA is a central part of the file.
- Distribution of responsibilities : it clarifies roles and prevents the company from bearing the burden alone in the event of an incident.
Practical sheet: how to manage a DPA
| Stage | Action | Best practices |
|---|---|---|
| 1. Identify | List all service providers accessing personal data. | Use existing SSO, OAuth logs and contracts. |
| 2. Check | Check if a DPA is already signed. | Major providers (AWS, Google, Microsoft, Stripe) publish a standard DPA. |
| 3. Negotiate | Require inclusion of minimum GDPR clauses. | Add specific guarantees (place of accommodation, transfer outside the EU, subcontractors). |
| 4. Archive | Centralize all DPAs in a registry. | Use a compliance management tool (OneTrust, TrustArc, internal). |
| 5. Control | Carry out regular audits of service providers. | Check technical security (ISO 27001, SecNumCloud, SOC 2). |
Sign (or activate) standard DPAs from major suppliers
Most major players offer Pre-written DPAs GDPR compliant.
Here’s where to find them and how to activate them:
| Supplier | Where to find the DPA | Special feature |
|---|---|---|
| Google Cloud Data Processing Terms / Google Workspace DPA | Automatically applies when you accept the terms of service | |
| HubSpot | HubSpot Data Processing Agreement | Included by default for European customers |
| Meta Ads | Data Processing Terms | Requires explicit validation in Business Manager |
| Microsoft | Products and Services DPA | Applicable automatically |
| AWS | AWS GDPR DPA | Integrated with AWS Terms of Service |
Check transfers outside the EU
It is the sensitive pointespecially with American tools.
To do:
- Check if the supplier is Data Privacy Framework (DPF) certified, the new EU-US legal basis (replacing the Privacy Shield).
- Check the list of secondary subcontractors
- If the transfer is not not covered by the DPFrequire or verify the presence of standard contractual clauses (SCC).
Integrate the DPA into your GDPR register
In your treatment registeradd:
- THE supplier name,
- THE type of data processed,
- THE link to the DPA,
- there legal basis for transfer (DPF or SCC),
- there shelf life,
- THE security measures (encryption, authentication, etc.).
This constitutes your documentary proof of conformityrequired by the GDPR.
Monitor contractual changes
Major suppliers regularly update their DPAs.
Subscribe to their legal pages or compliance newsletters.
For example :
- Google notifies via the Workspace admin console,
- HubSpot by email to the main administrator.
Important : if the supplier adds new subcontractors or changes the hosting location, you must be notified And have the opportunity to object.
Set up an internal DPA model for your own subcontractors
If you, in turn, process data for clients (e.g. agency, firm, SaaS startup), you must:
- write your own DPA model,
- have it signed by your subcontractors,
- and offer it to your customers.
Use the template from CNIL or that of theEDPB (European Data Protection Board) as a basis, adapted to your activity.
Example of a practical checklist
| Stage | Verification | Status |
|---|---|---|
| 1. Mapping of providers | All tools listed (HubSpot, Google, etc.) | ✅ |
| 2. Downloading the DPA | PDF copy saved in the compliance file | ✅ |
| 3. Verification of transfers | DPF or SCC in place | ✅ |
| 4. Registration in the GDPR register | Link to DPA added | ✅ |
| 5. Tracking Updates | Alerts or active legal subscriptions | ✅ |
To remember
- A DPA is not optional : it is documentary proof of your compliance.
- With Google and HubSpot, the DPA applies automatically but must be archived and verified.
- The main risk remains data transfer outside the EU and the cascade subcontracting.
- Finally, it is necessary manage DPAs like living contractsnot as simple annexes.
Risks in the absence of DPA
- GDPR fines : up to €20 million or 4% of global turnover.
- Civil liability : customers can initiate actions for repair.
- Loss of confidence : a flaw not legally covered weakens the customer relationship.
