# Data Processing Agreement Checklist: What to Look For

A comprehensive checklist for reviewing and negotiating GDPR-compliant Data Processing Agreements with vendors and partners.
## What Is a Data Processing Agreement?
A Data Processing Agreement (DPA) is a legally binding contract between a data controller and a data processor that governs how personal data is processed. GDPR Article 28 mandates that processing by a processor must be governed by a contract that sets out specific terms regarding data protection.
Without a compliant DPA in place, both the controller and the processor risk regulatory penalties, even if the actual data processing is otherwise lawful and secure.
## When Do You Need a DPA?
You need a DPA whenever you engage a third party to process personal data on your behalf. Common scenarios include:
- Cloud hosting providers storing personal data
- SaaS applications processing customer or employee data
- Outsourced IT support with access to personal data systems
- Payroll and HR service providers
- Marketing platforms handling customer contact information
- Analytics providers processing user behavior data
- Customer support platforms managing ticket data
## The Complete DPA Checklist

### 1. Parties and Roles
- Clearly identifies which party is the controller and which is the processor
- If both parties act as controllers in some contexts, defines the scope of each role
- Names and contact details of both parties
- Contact details for the processor's Data Protection Officer (if applicable)
### 2. Subject Matter and Scope
- Describes the subject matter of the processing
- Specifies the duration of the processing
- Defines the nature and purpose of the processing
- Lists the types of personal data processed
- Lists the categories of data subjects
- States that processing is limited to the purposes described in the agreement
### 3. Controller Instructions
- Processor commits to processing personal data only on documented instructions from the controller
- Specifies how instructions are communicated (written, electronic, via platform configuration)
- Processor must inform the controller if an instruction infringes GDPR or other data protection law
- Defines what happens with processing that goes beyond the controller's instructions
### 4. Confidentiality
- Processor ensures that persons authorized to process the data have committed to confidentiality or are under a statutory obligation of confidentiality
- Specifies the scope of confidentiality obligations
- Confidentiality obligations survive the termination of the agreement
### 5. Security Measures
- Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk
- Specific security measures are described (not just vague references to "appropriate" security)
Check that the security schedule covers the following measures:

| Security Area | Expected Commitments |
|---|---|
| Encryption | At rest and in transit, with specified algorithms |
| Access control | Role-based access, principle of least privilege |
| Authentication | Multi-factor authentication for administrative access |
| Monitoring | Intrusion detection, audit logging |
| Vulnerability management | Regular patching, penetration testing |
| Physical security | Data center access controls |
| Employee security | Background checks, security training |
| Incident response | Documented procedures and contact points |
### 6. Sub-Processors
- Processor must obtain prior written consent (general or specific) before engaging sub-processors
- If general authorization, processor must inform controller of any intended changes and allow objections
- Processor imposes the same data protection obligations on sub-processors as contained in the DPA
- Processor remains fully liable for the performance of sub-processors
- A current list of sub-processors is provided or made available
- Sub-processor locations are disclosed
### 7. Data Subject Rights
- Processor assists the controller in fulfilling obligations to respond to data subject requests (access, rectification, erasure, portability, restriction, objection)
- Specifies the nature of the assistance (technical measures, timelines, process)
- Defines the timeline for the processor to respond to controller requests for assistance
### 8. Breach Notification
- Processor notifies controller of personal data breaches without undue delay
- Specifies the notification timeline (ideally within 24-48 hours; GDPR requires "without undue delay")
- Notification includes required information: nature of breach, categories and approximate number of data subjects, likely consequences, and measures taken
- Processor assists the controller in fulfilling its own breach notification obligations
### 9. Data Protection Impact Assessments
- Processor assists the controller in conducting DPIAs where required
- Processor provides information necessary for the assessment
- Processor assists with prior consultation with supervisory authorities if needed
### 10. Data Transfers
- Specifies where personal data will be processed geographically
- If data is transferred outside the EU/EEA, identifies the transfer mechanism (SCCs, adequacy decision, BCRs)
- Transfer Impact Assessments are referenced or incorporated
- Supplementary measures for international transfers are documented
### 11. Audit Rights
- Controller has the right to conduct audits or inspections of the processor's operations
- Specifies the format of audits (on-site inspection, questionnaire, third-party audit report)
- Defines the frequency and notice period for audits
- Processor makes available all information necessary to demonstrate compliance with Article 28
### 12. Data Return and Deletion
- At the end of the processing relationship, processor returns all personal data to the controller and/or deletes it
- Controller can choose between data return and deletion
- Specifies the format for data return
- Specifies the timeline for deletion after contract termination
- Processor certifies deletion upon completion
- Addresses what happens to data in backups after contract termination
### 13. Liability and Indemnification
- Allocation of liability between controller and processor is clearly defined
- Indemnification provisions cover data protection breaches
- Limitation of liability clauses do not undermine the processor's data protection obligations
- Insurance requirements, if any, are specified
### 14. Term and Termination
- Duration of the DPA is defined (typically aligned with the main service agreement)
- Conditions for termination are specified
- Provisions for data return and deletion upon termination are cross-referenced
- Obligations that survive termination are identified (confidentiality, deletion certification)
## Negotiation Tips

### Areas Where You Should Push
- Specific breach notification timelines: "Without undue delay" is vague. Negotiate a specific window (24 or 48 hours).
- Audit rights: Insist on meaningful audit rights, even if exercised through third-party audit reports.
- Sub-processor transparency: Require proactive notification of sub-processor changes with a reasonable objection period.
- Data deletion certification: Get a written commitment to certify deletion, including from backups, within a defined timeline.
- Data residency guarantees: Ensure the DPA explicitly states where data will be processed and stored, including by sub-processors.
### Areas Where Flexibility Is Reasonable
- Audit frequency: Accepting annual third-party audit reports (SOC 2 Type II) in lieu of on-site audits is standard practice.
- General sub-processor authorization: Acceptable if combined with proactive notification and objection rights.
- Backup deletion timelines: Reasonable to allow backup rotation cycles (30-90 days) for deletion from backups.
## Common DPA Deficiencies
- No specific security measures described (just references to "industry standard" or "appropriate" measures)
- No sub-processor list or mechanism for updates
- Breach notification timelines that are too vague or too long
- No data residency commitments
- No practical audit rights
- No clear data deletion obligations at contract end
- Liability caps that effectively eliminate the processor's accountability
## How GlobalDataShield Handles DPA Requirements
GlobalDataShield provides a transparent, GDPR-aligned Data Processing Agreement that addresses each of the requirements outlined in this checklist. With explicit data residency guarantees, documented security measures, clear sub-processor disclosures, and meaningful audit provisions, the DPA is designed to give controllers confidence that their compliance obligations are fully supported.