Additional Services

Article 28 – processor agreement

What is a processor agreement?

The processor agreement, also known as a data processing agreement (DPA), is a legally binding contract or agreement established between a data controller and a data processor. It outlines the terms and conditions regarding the processing of personal data on behalf of the data controller by the data processor.

The processor agreement is required under Article 28 of the GDPR and serves to define the responsibilities and obligations of the data processor in handling the personal data of individuals.

What is the purpose of a DPA?

The DPA sets forth specific requirements for data processors to ensure they handle personal data securely, maintain confidentiality, and comply with the GDPR. It serves to establish a clear framework for the protection of personal data and defines the relationship between the data controller and data processor in terms of data processing activities.

What does the DPA stipulate?

The DPA stipulates, in particular, that the processor:

  • processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization
  • ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • takes security measures
  • shall not engage another processor without prior specific and general written authorization of the controller
  • assists the controller by appropriate TOMs, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights
  • assists the controller in ensuring compliance with certain obligations
  • at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data
  • makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Difference between a DPA and a joint controller agreement

A DPA is a legal contract between a data controller and a data processor, where the processor acts as a service provider processing data on behalf of the controller. The agreement outlines the responsibilities and obligations of the processor, who follows the instructions of the controller.

A Joint Controller Agreement, on the other hand, is a legal arrangement between two or more data controllers who jointly determine the purposes and means of data processing. Each controller has shared decision-making authority and specific obligations under the agreement.

In summary, a DPA governs the relationship between a data controller and a data processor, while a Joint Controller Agreement governs the collaboration and shared responsibilities between multiple data controllers.


A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

No, the processor agreement must be in writing. This can also be in electronic form. When do I need a processor agreement?

Where processing is to be carried out on behalf of a controller, the processing must be governed by a processor agreement. A processor agreement is a written contract or other legal act that is binding on the processor with regard to the controller and sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.

If the processor unlawfully exceeds its powers and determines the purposes and means of processing in violation of the processor agreement, it is considered a controller with respect to such processing. This means that it must fulfill all obligations of a controller. This may lead to possible liability.

As legal layman, this is hardly recognizable. It requires an expert opinion to find out, whether a processor agreement is compliant with the GDPR or not. We will be happy to support you in the review or establishment of your processor agreement.

Either the controller, the processor or both in cooperation must create a processor agreement. When creating the processor agreement, it is recommended to involve a person with legal affinity.

Our team will be happy to assist you.

Not having a processor agreement can result in an administrative fine of up to €10 million or 2% of the company’s global annual revenue of the previous financial year, whichever is higher.

If a data subject has suffered material or immaterial damage, he or she can claim for damages from the controller or processor.

The processor processes personal data on behalf of the controller, acts under the authority and instructions of the controller and is responsible for carrying out specific data processing activities.

The primary role of a processor is to handle and process personal data in accordance with the instructions provided by the data controller. This includes tasks such as collecting, storing, organizing, analyzing, transmitting, and deleting personal data as necessary for the purposes defined by the data controller.

A sub-processor is a third-party entity engaged by a data processor to carry out specific data processing activities on behalf of the data controller.

The processor may use sub-processors for processing if it has obtained the prior separate or general written consent of the controller. The processor must impose the same data protection obligations on the sub-processor by means of a written contract as those set forth in the contract between the controller and the processor.

A sub-processor contract can only arise if the processor has the prior separate or general approval of the controller. This authorization must be in writing or may be in electronic form. In the case of a general authorization (such as in the processor contract), the processor must additionally inform the controller of any intended change or addition of new sub-processors. It is important to note that the processor is liable for the actions of the sub-processor.

If the sub-processor breaches the contract between itself and the processor or violates the GDPR, the first processor shall be liable to the controller for compliance with the obligations of any other sub-processor.

Yes, the processor must have the written consent of the controller if it wishes to use a sub-processor. He can have this generally approved in the processor contract or obtain a separate approval from the controller.

Scroll to Top
Thank you for visiting, the website of Formamentum Technology GmbH in Austria. We use technologies from partners (1) to provide our services. These include cookies and third-party tools to process some of your personal data. These technologies are not strictly necessary for the use of the website, but they do enable us to provide a better service and to interact more closely with you. You can adjust or withdraw your consent at any time.
asd as asd