Anthropic Data Processing Addendum — GDPR Review Guide
Does Anthropic’s DPA satisfy GDPR Article 28?
Anthropic’s DPA covers GDPR Article 28 mandatory elements and includes SCCs for international data transfers. For enterprise Claude deployments in Germany, the DPA is a valid starting point — but workflow, transfer paths, and specific data categories require individual review.
- The Anthropic DPA incorporates SCCs under Article 46(2)(c) GDPR for EU-US data transfers.
- GDPR Art. 28 mandatory elements are addressed, but fit depends on the workflow and data categories.
- Employee data, Article 9 special-category data, and sector regulations require deeper analysis.
Anthropic’s Data Processing Addendum (DPA) is the contractual instrument governing GDPR Article 28 compliance when using Claude Enterprise or the Claude API. It includes Standard Contractual Clauses (SCCs) for international data transfers and covers the mandatory processor obligations required for commercial AI deployments in Germany and across the EU. For enterprise procurement teams, the central question is not whether the DPA exists — it does — but whether its scope, specific clauses, and transfer mechanisms satisfy the requirements of the planned deployment. This guide examines what the Anthropic Data Processing Addendum actually contains, where it is sufficient, and where additional legal analysis is required.
This page provides general information and is not legal advice for a specific situation. For practical steps on accessing and executing the DPA, see our page on Anthropic DPA access and compliance. For a broader GDPR review framework for Claude, see our page on Claude GDPR compliance.
What Is Anthropic’s Data Processing Addendum?
Anthropic’s Data Processing Addendum is the Article 28 GDPR contract governing the relationship between an enterprise customer (as the data controller) and Anthropic (acting as the data processor) when personal data is processed through Claude Enterprise or the Claude API. The DPA is incorporated into Anthropic’s commercial terms — it is not available as a standalone PDF download and does not apply to free Claude.ai accounts.
The DPA serves two core legal functions:
- Processor obligations under Article 28 GDPR: It establishes the contractual framework covering subject matter, purpose, duration, data categories, instructions, subprocessors, and data subject rights.
- International data transfer mechanism: It provides Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR for transfers of EU personal data to countries without an EU adequacy decision, including the United States.
Unlike some enterprise vendors, Anthropic does not require manual execution of a separate DPA document. The agreement is incorporated into the commercial terms by reference and becomes effective when a customer accepts those terms for a paid plan. Enterprise customers typically confirm the DPA electronically through the Anthropic Console or via their account management channel.
In German-language compliance contexts, the Anthropic DPA is the legal equivalent of the Auftragsverarbeitungsvertrag (AVV) — both terms refer to the Article 28 GDPR instrument. For a detailed explanation of the German AVV context, see our page on Claude AVV.
Does Anthropic’s DPA Satisfy GDPR Article 28?
GDPR Article 28 sets out specific requirements that any contract between a controller and processor must satisfy. Whether the Anthropic DPA meets these requirements for a given deployment depends on both the DPA’s clauses and the fit between those clauses and the specific workflow.
Required Clauses Under GDPR Article 28
Under Article 28(3) GDPR, a valid data processing agreement must stipulate at minimum:
- Processing only on documented instructions: The processor acts solely on the controller’s instructions.
- Confidentiality obligations: Personnel authorized to process personal data are bound by confidentiality commitments.
- Security measures under Article 32 GDPR: Technical and organizational measures appropriate to the risk.
- Subprocessor conditions: The processor obtains the controller’s prior authorization for subprocessors and imposes equivalent obligations on them.
- Controller assistance: The processor assists the controller with data subject rights (access, erasure, rectification), DPIAs, security obligations, and breach notification.
- Deletion or return at termination: The processor deletes or returns all personal data at the end of the contract.
- Audit support: The processor provides all information necessary to demonstrate compliance and supports audits.
These are the minimum substantive requirements that any DPA — including the Anthropic DPA — must address.
What the Anthropic DPA Includes
Anthropic’s DPA addresses the Article 28(3) mandatory elements in principle. Key provisions typically cover:
- Instruction-based processing: Anthropic commits to processing personal data only on documented customer instructions.
- Confidentiality: Anthropic personnel with access to customer data are bound by confidentiality obligations.
- Security (Article 32 GDPR): Technical and organizational measures are referenced, with details in Anthropic’s security documentation.
- Subprocessors: Anthropic maintains a subprocessor list and provides a change notification mechanism. The DPA specifies that equivalent data protection obligations are passed to subprocessors.
- Data subject rights support: Anthropic commits to supporting the controller’s obligations for access, erasure, and correction requests.
- Deletion and return: The DPA specifies Anthropic’s data deletion practices at contract termination.
- Standard Contractual Clauses: SCCs for international data transfers are incorporated into the commercial terms automatically.
Companies should obtain the current DPA text at the time of evaluation and verify each element against the planned workflow. In-principle coverage does not guarantee adequacy for every specific deployment or data type.
Gaps and Limitations to Be Aware Of
No single DPA eliminates an organization’s own compliance obligations. Key areas where the Anthropic DPA requires supplementary analysis include:
Transfer architecture: The SCCs cover the legal mechanism for international transfers, but companies must independently map transfer paths, verify subprocessor locations outside the EEA, and assess whether a Transfer Impact Assessment (TIA) is required.
Subprocessor change mechanism: The standard Anthropic DPA uses a notice-based mechanism — customers are informed of subprocessor changes but may need to opt out proactively rather than affirmatively approving each change. Organizations with stricter subprocessor control requirements should review this mechanism carefully.
Audit rights in practice: The DPA includes audit provisions, but exercising audit rights under cloud AI service agreements typically means reviewing third-party certifications and documentation rather than conducting on-site inspections. Companies with stringent internal audit requirements should clarify what the audit mechanism entails before execution.
Sector-specific provisions: The Anthropic DPA is a standard enterprise agreement without sector-specific provisions for financial services, healthcare, or regulated professional services. Regulated-sector companies must assess whether supplementary contractual measures or certifications are required.
German co-determination (BetrVG): The DPA covers data protection obligations but does not address German co-determination requirements under § 87(1) No. 6 BetrVG. Works council consultation obligations for certain AI monitoring or analytics applications arise independently of the DPA review.
Standard Contractual Clauses (SCCs) in Anthropic’s DPA
Standard Contractual Clauses are the primary legal mechanism for transferring personal data from the EU/EEA to countries without an EU adequacy decision. Anthropic incorporates SCCs into its commercial terms for data transfers to the United States and other countries outside the EEA.
Which SCC module applies?
For enterprise customers contracting directly with Anthropic, the applicable SCC module is Module Two (Controller to Processor). This covers the data flow from the enterprise customer (controller) to Anthropic (processor) for personal data processed outside the EEA. The 2021 EU Commission SCCs apply.
What SCCs do not cover:
SCCs are a contractual transfer mechanism — they do not guarantee equivalent data protection in the destination country. Following the Schrems II judgment (Case C-311/18, Data Protection Commissioner v Facebook Ireland), the European Data Protection Board has confirmed that companies must carry out a Transfer Impact Assessment (TIA) where SCCs are the relied-upon transfer mechanism.
For US transfers specifically, the EU-US Data Privacy Framework (DPF) established in 2023 provides an alternative adequacy mechanism. Where Anthropic is a certified participant in the DPF, companies may be able to rely on adequacy rather than SCCs for covered transfers — the current certification status should be verified at the time of procurement.
Documentation requirements under GDPR:
Companies relying on SCCs must:
- Document the transfer in the Record of Processing Activities (ROPA) under Article 30 GDPR.
- Record the SCC version, effective date, and parties to the SCC.
- Assess and document whether supplementary measures are needed given the legal framework of the destination country.
For German companies, the current guidance from the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) on SCCs and US transfers should be consulted for enforcement expectations at the time of deployment.
EU Data Residency and the Anthropic DPA
A common question in European enterprise procurement is whether data processed through Claude can be kept within the EU under the Anthropic DPA. This requires distinguishing between three related but legally distinct concepts:
- EU data storage: Personal data is stored on servers physically located within the EU/EEA.
- EU data processing: All processing operations, including model inference, are executed on infrastructure within the EU/EEA.
- EU-only access: No personnel or automated systems outside the EU/EEA can access the data.
Anthropic’s standard commercial architecture does not guarantee EU-only processing or storage for all workflow configurations. The DPA with SCCs provides the legal transfer mechanism, but SCCs authorize international transfers rather than preventing them. Organizations that require strict EU data residency — for example, those subject to sector-specific data localization requirements — must verify the actual technical architecture, not only the contractual provisions.
Anthropic has introduced EU-specific hosting options for certain products. The scope, availability, and technical architecture of these options should be confirmed at procurement time. Contractual commitments to EU data processing should be obtained in writing. For current status and analysis, see our detailed page on Claude EU Hosting.
The DPA alone is not a substitute for a clear written statement of data processing locations. For any deployment where EU data residency is a hard requirement, obtaining written confirmation of the processing architecture is an essential procurement step.
How to Execute the Anthropic DPA for Your Organization
Executing the Anthropic DPA is procedurally straightforward for direct commercial customers, but legal and compliance teams should treat execution as the beginning — not the end — of the compliance process.
Step 1 — Confirm the applicable commercial terms: Verify which Anthropic product plan applies (Claude Enterprise or Claude API) and that the current terms incorporate the DPA. Enterprise customers should confirm the specific terms version through their account manager.
Step 2 — Access and review the DPA: The current DPA is available electronically through the Anthropic Console (console.anthropic.com) or via help.anthropic.com. Legal or privacy teams should review the DPA against the planned workflow before the commercial terms are accepted.
Step 3 — Record the execution: Document internally that the DPA has been reviewed and accepted. Retain a copy of the DPA as it appeared at execution alongside the commercial terms. Record the DPA acceptance in the vendor management system.
Step 4 — Map the DPA to the ROPA: Add the Anthropic processing activity to the organization’s Record of Processing Activities under Article 30 GDPR, recording the legal basis, data categories, transfer mechanism (SCCs), and relevant subprocessors.
Step 5 — Register for subprocessor change notifications: Set up notifications for Anthropic subprocessor updates and calendar reminders to review changes as they occur, assessing whether updates require revising the ROPA or triggering internal approval.
Step 6 — Assess supplementary requirements: Based on the data types and workflow, determine before go-live whether a Data Protection Impact Assessment (DPIA) under Article 35 GDPR, a Transfer Impact Assessment, or works council consultation under § 87(1) No. 6 BetrVG is required.
Anthropic DPA vs AWS Bedrock DPA — Key Differences
Companies evaluating Claude through Amazon Bedrock rather than directly through Anthropic must understand a critical procurement distinction: the Anthropic DPA does not govern data processed through AWS Bedrock. When Claude is accessed via Amazon Bedrock, the AWS contractual stack applies — including the AWS DPA and AWS-specific SCCs.
The practical differences for compliance teams:
| Topic | Direct Anthropic (Claude Enterprise / API) | Claude via AWS Bedrock |
|---|---|---|
| Governing DPA | Anthropic DPA | AWS DPA |
| Transfer mechanism | Anthropic SCCs | AWS SCCs |
| Subprocessor list | Anthropic subprocessor list | AWS subprocessors (Anthropic is an AWS sub-processor) |
| Data residency options | Per Anthropic service terms | AWS EU region controls apply |
| Audit rights | Per Anthropic DPA | Per AWS DPA |
For companies that already have a comprehensive AWS DPA in place, deploying Claude via Bedrock may simplify vendor management — the GDPR analysis runs within the existing AWS framework rather than adding a new vendor. However, the technical capabilities, SCC terms, and subprocessor obligations are then governed by AWS, not Anthropic.
Companies comparing the two procurement paths from a GDPR perspective should evaluate whether the AWS contractual framework meets internal requirements, whether EU region controls are available for the specific Bedrock Claude model, and whether subprocessor obligations passed through the AWS chain are equivalent to what Anthropic offers directly. For a detailed GDPR analysis of AWS Bedrock, see our page on AWS Bedrock GDPR compliance.
Compound Law advises businesses and in-house teams in Germany on GDPR, AI contracts, and AI procurement. If you want a legal review of the Anthropic DPA against your specific deployment before rollout, contact us.
FAQ
Is the Anthropic DPA GDPR compliant?
Anthropic’s DPA is structured to cover the mandatory requirements of GDPR Article 28 — including instruction-based processing, confidentiality, security, subprocessor controls, data subject rights support, deletion, and audit provisions. The DPA also includes SCCs for international transfers. Whether it is sufficient for a specific company’s deployment depends on the workflow, data categories, and any applicable sector regulation. “GDPR compliant” also requires a valid legal basis, a complete ROPA entry, and any required DPIAs — the DPA is one element of that picture.
Do German companies need a separate AVV with Anthropic?
No. When contracting directly with Anthropic, the DPA functions as the Auftragsverarbeitungsvertrag (AVV) under the German implementation of the GDPR. It is incorporated into the commercial terms. German companies do not need a separate German-language AVV document, but should verify that the DPA covers the specific workflow, data categories, and any German-law obligations relevant to the deployment — for example, co-determination requirements under § 87(1) No. 6 BetrVG for certain employee data use cases.
What SCCs does Anthropic use in its DPA?
Anthropic incorporates Standard Contractual Clauses under Article 46(2)(c) GDPR — specifically Module Two (Controller to Processor) — for international data transfers, including transfers to the United States. These are the 2021 EU Commission SCCs. Companies must still carry out a Transfer Impact Assessment where required by the guidance of the competent data protection authority, and should check whether Anthropic’s participation in the EU-US Data Privacy Framework provides an alternative adequacy basis at the time of deployment.
How long does Anthropic retain data under its DPA?
The DPA requires Anthropic to delete or return personal data at the end of the contract. Specific retention periods vary by product and are documented in Anthropic’s service terms and data practices. Companies should verify current retention terms against their own data minimization obligations under GDPR Article 5(1)(e) and confirm the deletion timeline — including how deletion can be triggered — at the time of execution.
Can the Anthropic DPA be negotiated for enterprise?
Anthropic’s standard DPA is incorporated into the commercial terms and is not individually negotiable for all customers. Enterprise customers on the Claude Enterprise plan may have the opportunity to discuss specific contractual requirements through their account management channel. Whether bespoke DPA amendments — such as stricter subprocessor approval rights or enhanced audit provisions — are available depends on the size of the engagement and Anthropic’s current enterprise contracting policy. Companies with specific requirements should raise them during the enterprise negotiation phase before accepting the standard commercial terms.