Risk Management | January 15, 2026

GDPR & Vendor Contracts: A Checklist for Data Processing Agreements (DPAs)

Calvin Choong
Contributor

If your business uses third-party vendors to handle any personal data related to individuals in Europe, the General Data Protection Regulation (GDPR) has a strict set of rules for your contracts. Simply signing a standard service agreement is not enough. You are legally required to have a specific, detailed contract in place known as a Data Processing Agreement (DPA). For the broader compliance context, see the vendor compliance guide.

Without a compliant DPA, your business could face significant fines and legal liability, even if a data breach is your vendor’s fault. This guide provides a straightforward checklist based on GDPR’s Article 28, helping you ensure your vendor contracts are secure, compliant, and built for a trusted partnership.

The Foundation: Controller vs. Processor and When You Need a DPA

Before diving into the checklist, it’s crucial to understand the roles you and your vendor play under GDPR. This relationship determines your legal obligations.

Understanding Your Role: The Data Controller

In most cases, your business is the Data Controller. This means you determine the “purposes and means” of processing personal data. In simple terms, you decide why personal data is being collected and what should be done with it. You hold the primary responsibility for protecting this data and respecting individuals’ rights.

Understanding Your Vendor’s Role: The Data Processor

Your vendor is typically the Data Processor. They process personal data on behalf of and under the instruction of the controller. They do not own the data or decide its purpose. Common examples of data processors include cloud storage providers (AWS), email marketing platforms (Mailchimp), CRM software (Salesforce), and payroll service providers.

A DPA is legally mandatory every time a data controller hires a data processor to handle personal data protected by GDPR. It doesn’t matter if the vendor is big or small, or where they are located. If they process data on your behalf, you must have a written DPA in place. This agreement acts as a legal safeguard, ensuring the processor understands and contractually agrees to its data protection responsibilities.

The GDPR Article 28 Checklist: 10 Essential Clauses for Your DPA

Article 28 of the GDPR explicitly lists the clauses that must be included in any DPA. Think of this as your non-negotiable checklist for vendor contracts.

| Clause | Purpose | Example/Note |
| --- | --- | --- |
| 1. Subject matter, duration, nature, purpose | Define the processing activity | Scope of work and contract term |
| 2. Data types and data subjects | Limit what data can be processed | Names, emails, IPs; customers/employees |
| 3. Processing on documented instructions | Keep controller in charge | No processing beyond written orders |
| 4. Confidentiality obligations | Protect data access | Staff NDAs or confidentiality clauses |
| 5. Security measures | Enforce Article 32 safeguards | Encryption, access control, monitoring |
| 6. Sub-processor rules | Control third parties | Prior written consent required |
| 7. Data subject rights support | Enable DSAR responses | Timely access, correction, deletion |
| 8. Breach notification and DPIA support | Reduce incident impact | Notify without undue delay |
| 9. Return or deletion on termination | Prevent data retention risk | Delete or return at contract end |
| 10. Audit and inspection rights | Verify compliance | Provide evidence and allow audits |

Beyond the Checklist: International Data Transfers and Standard Contractual Clauses

If your vendor processes data outside of the European Economic Area (EEA) or the UK, a DPA alone may not be enough.

What Are Standard Contractual Clauses (SCCs)?

Standard Contractual Clauses (SCCs) are standardized legal templates provided by the European Commission. They are designed to ensure that personal data transferred to countries outside the EEA is protected with GDPR-equivalent safeguards.

When Do You Need SCCs in Addition to a DPA?

You need to incorporate SCCs into your contract if your vendor is located in a country that the EU does not consider to have “adequate” data protection laws (e.g., the United States). The SCCs are typically added as an appendix to the DPA and form a legally binding part of your agreement.

Streamlining DPA Management with VendorFi

Managing dozens of unique DPAs, tracking versions, and remembering review dates is a significant compliance challenge. Using spreadsheets for this critical task is risky. VendorFi provides a purpose-built solution.

A Central, Auditable Repository for All Signed DPAs

VendorFi gives you a secure, centralized vault to store every DPA and its associated SCCs. This ensures that you have a complete, organized record of your vendor compliance, ready for any internal review or regulatory audit.

Tracking DPA Versions and Vendor Compliance Status

When a vendor updates their DPA or new regulations emerge, you need to track these changes. VendorFi allows you to manage document versions and maintain a clear status of each vendor’s GDPR compliance, so you always know where you stand.

Building a Demonstrable Record of Your Due Diligence

In the event of a breach or audit, you must be able to prove you performed your due diligence. By managing your DPAs in VendorFi, you create a clear, time-stamped trail demonstrating that you took your responsibilities as a data controller seriously.

Conclusion: Turn Compliance Paperwork into a Business Asset

A well-drafted Data Processing Agreement is more than just a legal hurdle; it is the foundation of a transparent and secure relationship with your vendor. By using this checklist to ensure your DPAs are comprehensive and compliant with GDPR Article 28, you can protect your business from risk, build trust with your customers, and turn a complex legal requirement into a genuine business asset.

Frequently Asked Questions (FAQ)

Can a DPA be part of the main service agreement?

Yes. The DPA’s clauses can be integrated directly into a Master Service Agreement (MSA) or Terms of Service. However, many companies prefer to keep it as a separate, linked document (an addendum) because it’s easier to update as data protection laws change.

What if a vendor refuses to sign our company’s DPA?

A vendor’s refusal to sign a compliant DPA is a major red flag. If they operate in the data processing space, they should be well aware of their GDPR obligations. If they push back or offer a weak alternative, you should seriously reconsider working with them, as it indicates a lack of maturity in their privacy and security practices.

Who is responsible for drafting the DPA, the controller or the processor?

There is no strict rule, but typically the Data Controller (you) or the Data Processor (your vendor) will provide their standard DPA template for the other party to review. It is the controller’s ultimate responsibility to ensure that the final, signed agreement meets all of GDPR’s requirements.

What is the UK Addendum to the EU SCCs?

Following Brexit, the UK adopted its own version of GDPR. The UK Addendum is a short document that is attached to the EU’s Standard Contractual Clauses (SCCs). It legally extends the protections and obligations of the EU SCCs to cover data transfers from the United Kingdom.

About Calvin Choong

The collective voice of our product, engineering, and operations teams, sharing insights to help you build better vendor relationships.