What Is a Data Processing Agreement? DPA under GDPR for Germany
What is a Data Processing Agreement (DPA)?
A DPA (Auftragsverarbeitungsvertrag/AVV) is a mandatory contract under Article 28 GDPR, required when a company engages an external provider to process personal data. It defines data scope, purpose, security measures, and processor obligations.
- A DPA is legally required under Article 28 GDPR for every controller-processor relationship involving personal data.
- The DPA must cover the subject matter, duration, nature, purpose, data categories, and all processor obligations.
- Processing personal data via an external provider without a valid DPA infringes Article 28 GDPR and is fineable under Article 83(4)(a): up to EUR 10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.
A data processing agreement (DPA) — known in Germany as Auftragsverarbeitungsvertrag (AVV) — is a legally binding written contract required by Article 28 GDPR whenever a company engages an external service provider to process personal data on its behalf. The DPA establishes what data may be processed, for what purpose, under which security conditions, and how the service provider must act on the company’s instructions. Without a valid DPA in place, any transfer of personal data to that provider is unlawful under GDPR — regardless of whether the provider is a cloud platform, an AI tool, or a traditional IT service.
What Is a Data Processing Agreement (DPA) under GDPR?
A DPA is the contractual cornerstone of every controller-processor relationship under GDPR. The company that determines why and how personal data is processed is the controller (Verantwortlicher in German). The external service provider that processes data on the controller’s behalf is the processor (Auftragsverarbeiter).
The key legal principle is instruction-bound processing: the processor may only act on documented instructions from the controller and must not use the data for its own purposes. This is what distinguishes a data processor from an independent data controller.
For German companies, this matters across the entire technology stack. Every SaaS tool, cloud platform, and AI service that touches personal data — customer names, email addresses, employee records, user behavior — requires a DPA before use. The DPA gives you contractual control over how that data is handled and ensures the provider is legally accountable.
When Is a DPA Legally Required in Germany?
A DPA is required whenever three conditions are met simultaneously:
- An external party (not an internal employee) processes personal data
- The processing is performed on behalf of and under instruction from your company
- The data concerns natural persons (customers, employees, users, applicants, etc.)
In practice, this covers nearly every business software tool in use today. Email marketing platforms, CRM systems, HR tools, cloud storage providers, and AI assistants all process personal data — and therefore require a DPA before deployment.
A DPA is not required when:
- Only genuinely anonymized or aggregated data is transferred, with no means to re-identify individuals
- The service provider processes the data for its own independent purposes; it is then a controller in its own right (or a joint controller under Article 26 GDPR), not your processor, and a different contractual and legal framework applies
- Processing is carried out by internal employees acting within the scope of their employment
The boundary can be particularly complex with AI tools. If a provider uses your input data to train or improve its models, that is processing for the provider's own purposes rather than instruction-bound processing. A DPA alone is then insufficient: the disclosure to the provider needs its own legal basis under Article 6 GDPR, and the provider carries controller obligations for that use.
What Must a DPA Contain? (Article 28 GDPR Requirements)
Article 28(3) GDPR prescribes the mandatory content of every DPA. The contract must cover:
Processing subject matter:
- Subject matter of processing (e.g., storage of customer contact data, analysis of communication content)
- Duration of processing (contract term, deletion timelines after contract end)
- Nature and purpose of processing (specific activities and permitted use cases)
- Type of personal data (e.g., names, email addresses, payment data, IP addresses)
- Categories of data subjects (e.g., customers, employees, website visitors)
Processor obligations (Article 28(3)(a)–(h) GDPR):
- Confidentiality: Only authorized personnel subject to written confidentiality obligations may access the data
- Technical and organizational measures (TOMs): Security appropriate to the risk under Article 32 GDPR, including encryption, access controls, availability, and integrity
- Subprocessors: Sub-processors only with the controller's prior specific or general written authorisation (Article 28(2) GDPR); under a general authorisation the processor must inform the controller of intended changes so the controller can object; the main processor remains fully liable to the controller for the sub-processor's performance (Article 28(4) GDPR)
- Data subject rights: Assistance with access, deletion, rectification, and portability requests
- Breach notification: Notification of the controller without undue delay after the processor becomes aware of a personal data breach (Article 33(2) GDPR), so that the controller can meet its own 72-hour deadline towards the supervisory authority (Article 33(1) GDPR)
- Deletion or return: At the controller's choice, all personal data is deleted or returned after the end of the services, and existing copies are deleted unless Union or Member State law requires their storage
- Audit rights: The controller must be able to conduct audits, inspections, and reviews
A DPA missing any of these elements is incomplete and creates compliance risk — even if the vendor provides a standard template.
DPA and AI Tools: What German Companies Need to Check
Using AI software in a German business context raises specific questions beyond the standard DPA checklist.
Processing Purpose and Instruction-Bound Processing
The AI provider must not use your data to train its models unless you have authorised this in the contract. Even then, training on your data is typically processing for the provider's own purposes, which crosses the line from instruction-bound processing into independent use. Review the vendor terms carefully:
- Can the provider use input data or conversation history for model training?
- Is there an option to disable training on your data (typically available in enterprise tiers)?
- Is the processing purpose clearly limited to operating the service?
International Data Transfers (Standard Contractual Clauses)
Most AI providers are based in the United States or other third countries outside the European Economic Area (EEA). Transferring personal data to these providers requires an additional legal instrument under Chapter V GDPR. The standard mechanism is Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR, which must be incorporated into or attached to the DPA. Transfers to US providers certified under the EU-U.S. Data Privacy Framework can instead rely on the Commission's adequacy decision of July 2023 (Article 45 GDPR); in that case, verify that the certification actually covers the service and the data categories in question.
Check whether:
- SCCs are included in the DPA or signed as a separate addendum
- A Transfer Impact Assessment (TIA) exists for the transfer; as data exporter you remain responsible for it, but providers usually publish the analysis of local law and government access on which you can build
- The provider offers EU data residency options to minimize international transfers
Subprocessors and Sub-DPA Chains
Complex SaaS services typically rely on their own subprocessors for hosting, analytics, support infrastructure, and content delivery. Each subprocessor that can access your data must be listed in the provider’s subprocessor list. Your DPA should ensure that:
- You are notified of new subprocessors before they are added (with a right to object)
- Subprocessors are bound by the same data protection obligations as the main processor
- The main processor’s liability is not limited in the event of a subprocessor breach
AI Tools That Provide a DPA: Quick Comparison
The following table covers widely used AI tools and SaaS services. Each linked page contains a detailed review of the specific DPA for German deployments.
| Tool | DPA Available | Detailed Review |
|---|---|---|
| Claude Enterprise | Yes | Claude DPA review |
| ChatGPT Enterprise | Yes | Detail page |
| OpenAI API | Yes | Detail page |
| Cursor | Yes | Detail page |
| Notion AI | Yes | Detail page |
| ElevenLabs | Yes | Detail page |
| Canva AI | Yes | Detail page |
| Grammarly | Yes | Detail page |
| HubSpot | Yes | Detail page |
| Whisper | Yes | Detail page |
| Zapier | Yes | Detail page |
| Slack | Yes | Detail page |
| Make.com | Yes | Detail page |
| Zendesk | Yes | Detail page |
| Perplexity | Yes | Detail page |
| Descript | Yes | Detail page |
| Figma AI | Yes | Detail page |
| DeepL | Yes | Detail page |
| Intercom | Yes | Detail page |
| AWS Bedrock | Yes | Detail page |
| Airtable | Yes | Detail page |
| Asana | Yes | Detail page |
Note: Whether a vendor’s DPA is sufficient for your specific deployment depends on your data flows, data categories, and internal compliance requirements. This overview does not replace individual legal review.
What If a Vendor Refuses to Sign a DPA?
Some providers — particularly smaller or non-European services — decline to provide a DPA. Your options in this situation:
1. Stop using the service. If a tool processes personal data and no DPA can be agreed, using it is unlawful under GDPR. Ceasing use is the legally sound response.
2. Find a compliant alternative. European vendors or privacy-forward providers often offer full DPAs and EU data residency. Switching eliminates the compliance gap.
3. Minimize data exposure. If a tool is operationally critical, assess whether the data flow can be redesigned so that no personal data reaches the provider, for example by stripping identifiers or anonymizing inputs before they are sent. Note that pseudonymized data is still personal data under Article 4(5) GDPR: pseudonymization lowers the risk and the amount of data the provider sees, but on its own it does not remove the need for a DPA or another lawful footing.
4. Individual legal assessment. In exceptional cases, disclosure to the provider can be based on consent from each affected data subject under Article 6(1)(a) GDPR. This treats the provider as a recipient acting as its own controller rather than as your processor, so it does not replace a DPA where the provider in fact processes on your instructions. It is also operationally complex and rarely scalable.
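The following Python snippet illustrates option 3, the redesign of a data flow so that identifiers stay with the controller. It is an added example and not code from the original page or from any vendor. The sample support ticket, the customer directory, the HMAC key and the `<KIND_digest>` token format are constructed assumptions. Identifiers are replaced with keyed, stable tokens before text leaves the company; the key and the token-to-value mapping remain on the controller's side, so the tool's output can be mapped back locally. As the text above notes, the result is still personal data in the controller's hands; the technique reduces what the provider receives, it does not by itself settle the legal question.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed sample input: a support ticket a team wants an external AI tool to summarize.
SAMPLE_TICKET = (
    "Customer Anna Schmidt (anna.schmidt@example.com, +49 170 1234567) reports that "
    "invoice 4711 was charged twice. Please contact anna.schmidt@example.com."
)

# Hypothetical customer directory held by the controller. Regexes catch e-mail
# addresses and phone numbers; names are matched against this list instead.
KNOWN_NAMES = ["Anna Schmidt"]


def build_pattern(names):
    """One alternation, so a token emitted for an earlier match is never rescanned."""
    name_alt = "|".join(re.escape(n) for n in names) or r"(?!x)x"  # never-matching fallback
    return re.compile(
        rf"(?P<PERSON>{name_alt})"
        r"|(?P<EMAIL>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"
        r"|(?P<PHONE>\+?\d[\d\s/-]{7,}\d)"
    )


@dataclass
class Pseudonymizer:
    """Replaces identifiers with keyed, stable tokens and keeps the mapping locally.

    The HMAC key and the vault never leave the controller. Without the key the
    provider cannot recompute tokens from guessed identifiers; with it the
    controller can map the tool's output back. The output is still personal
    data in the controller's hands (Article 4(5) GDPR).
    """
    key: bytes
    names: list = field(default_factory=lambda: list(KNOWN_NAMES))
    vault: dict = field(default_factory=dict)  # token -> original value, on-prem only

    def _token(self, kind, value):
        # Same key + same value -> same token, so references stay consistent
        # across a whole conversation without revealing the value.
        digest = hmac.new(self.key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:12]
        token = f"<{kind}_{digest}>"
        self.vault[token] = value
        return token

    def redact(self, text):
        pattern = build_pattern(self.names)
        return pattern.sub(lambda m: self._token(m.lastgroup, m.group(0)), text)

    def reidentify(self, text):
        # Applied to whatever the provider returns; tokens it echoed are resolved locally.
        for token, value in self.vault.items():
            text = text.replace(token, value)
        return text


if __name__ == "__main__":
    p = Pseudonymizer(key=b"controller-only-secret-rotate-me")
    outbound = p.redact(SAMPLE_TICKET)
    print("sent to provider:", outbound)
    print("mapped back     :", p.reidentify(outbound))
```

Two practical points: identifiers not covered by the patterns or the directory pass through unchanged, so the step belongs behind a review of which fields a workflow actually sends, and the key must be handled like any other secret (access-controlled, rotated, never shipped with the redacted text), since anyone holding it can rebuild the mapping by hashing candidate identifiers.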
Hoping that no supervisory authority will notice is not a compliance strategy. German data protection authorities, including the Bavarian State Office for Data Protection Supervision (BayLDA), the Berlin Commissioner for Data Protection and Freedom of Information, and the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI), actively audit and enforce GDPR obligations.
DPA Compliance Checklist Before Deploying a New Tool
Before putting a new service into production that processes personal data:
- DPA received from the vendor?
- All Article 28(3) GDPR mandatory elements present?
- Processing purpose clearly defined and limited to service operation?
- Standard Contractual Clauses or alternative transfer instrument for data flows outside the EEA?
- Subprocessor list reviewed and accepted?
- DPA documented in your Article 30 GDPR Records of Processing Activities?
- Technical and organizational measures (TOMs) described and adequate?
- Data breach notification procedure in place?
- Data deletion or return procedure agreed for contract termination?
How Compound Law Can Help
Compound Law reviews DPAs in the context of your specific deployment — not just whether a DPA formally exists, but whether it covers your actual data flows, employee or customer data categories, and internal compliance requirements.
Typical services:
- DPA review: Completeness check, international transfer analysis, subprocessor chain assessment
- DPA template: Drafting a tailored agreement for your own processor relationships
- Article 30 Records: Documentation of all processing activities in your records of processing
- GDPR advisory: Overview of all GDPR obligations relevant to your business
Get in touch to find out whether your AI tools and SaaS services are properly covered under GDPR.
Frequently Asked Questions
What is a data processing agreement in simple terms?
A data processing agreement is a written contract required by GDPR that defines the rules under which an external service provider may process personal data on your behalf. It covers what data may be processed, for what purpose, with what security measures, and what happens to the data after the contract ends.
Does a verbal DPA satisfy GDPR requirements?
No. Article 28(9) GDPR requires the agreement to be in writing, including in electronic form. A verbal agreement is not legally effective and does not satisfy the GDPR requirement.
What is the difference between a DPA and Standard Contractual Clauses?
A DPA governs the controller-processor relationship under Article 28 GDPR and applies to all processing of personal data by the provider. Standard Contractual Clauses (SCCs) are a separate mechanism under Article 46 GDPR used specifically to legitimize data transfers to countries outside the EEA. Many DPAs include SCCs as an addendum for international transfer scenarios.
Do free SaaS tools require a DPA?
Yes, if the tool processes personal data. GDPR does not distinguish between paid and free services — the obligation arises from the nature of the data processing, not the price. However, many free tools do not offer a DPA, which makes their use with personal data legally problematic.
How long should I retain a signed DPA?
Retain the DPA for the duration of the provider relationship and, after termination, at least for the regular limitation period of three years under § 195 BGB, during which claims between controller and processor or by data subjects can still be raised. Because the signed DPA is also part of your accountability evidence under Article 5(2) GDPR, many companies align its retention with the six-year period for commercial correspondence under § 257 HGB.
What is the German term for a data processing agreement?
The German term is Auftragsverarbeitungsvertrag, commonly abbreviated as AVV. The concept is identical to the DPA under GDPR. German companies often use both terms interchangeably when communicating with domestic providers.