GDPR · Art. 28

Data Processing & DPA

As soon as a service provider processes personal data on your behalf – cloud, newsletter tool, payroll – Art. 28 GDPR requires a Data Processing Agreement (DPA). SimpleAct manages all DPAs, evidence and sub-processors centrally.

What is a DPA?

A Data Processing Agreement (DPA) governs the processing of personal data by a service provider (processor) on behalf of and under the instructions of the controller. It is mandatory under Art. 28 GDPR as soon as an external provider has access to personal data. Without a valid DPA, sharing data with the provider is unlawful – no matter how secure the provider is.

Mandatory contents of a DPA

  • Subject & instructions – nature, purpose and duration of processing, plus binding to the controller’s documented instructions.
  • Confidentiality & security – obligation to confidentiality and to technical and organisational measures under Art. 32.
  • Sub-processors – rules for engaging further providers, including authorisation and flow-down of obligations.
  • Deletion & return – duty to delete or return data after the service ends, plus support for data subject rights.

Manage DPAs compliantly

  • Identify all providers with data access
  • Conclude a DPA under Art. 28 with each provider
  • Record and authorise sub-processors
  • Obtain the processor’s evidence of security measures
  • Check third-country transfers in the DPA (are standard contractual clauses, SCCs, needed?)
  • Link DPAs to the records of processing
  • Version contracts and keep deadlines in view

Frequently asked questions about data processing

When do I need a DPA?

Whenever an external provider processes personal data on your behalf – e.g. hosting, email marketing, CRM, accounting or support tools.

Is a DPA the same as sharing data with third parties?

No. In processing, the provider acts on your instructions. Transferring data to an independent controller follows different rules and needs its own legal basis.

Who is liable for a breach by the provider?

The controller generally remains responsible. The processor is jointly liable if it breaches specific obligations or the instructions.

Is the provider’s standard DPA enough?

Often yes – but it must cover all mandatory contents of Art. 28 and match your actual usage. Check sub-processors and third-country transfers in particular.

Data processing with SimpleAct

Manage DPAs, sub-processors and security evidence centrally – linked to the records of processing and audit-ready at any time.

Start for free

Yannick Heisler

Sales · Personal consultation