Metasoul Docs

Data processing agreements

What must a Data processing agreement (DPA) include?

The scope of a DPA can be chosen individually but must meet at least the minimum requirements of Article 28 of the GDPR. Tools such as Metasoul or the Metasoul DPA Generator can be used to create and manage GDPR-compliant Data Processing Agreements efficiently. If a DPA is to be drafted independently, it must at least contain the following points:

  • Subject matter and duration of processing: What is being processed, and what are the time limitations for the processing?
  • Nature and purpose of processing: What processing activities are carried out and for what purpose?
  • Type of data and categories of data subjects: What personal data from which groups of individuals may be processed as part of the data processing?
  • Obligations and rights of the data controller (contractor) and the data processor (client): What instructions and control rights are in place?
  • Processing only on documented instructions: A clause stating that the data processor may only act based on documented instructions.
  • Confidentiality rules: Includes the obligation of confidentiality for all individuals involved in processing.
  • Technical and organizational measures (TOM): Describes the data security measures as outlined in Article 32 of the GDPR.
  • Regulations for sub-processors: Contains rules regarding the handling of processors engaged by the data processor (sub-processors).
  • Rules for supporting data subject rights: Specifies how the data processor will assist in responding to data subjects’ requests to exercise their GDPR rights.
  • Rules for supporting obligations under Articles 32–36 of the GDPR: Specifies how the data processor will assist the data controller in fulfilling specific GDPR obligations.
  • Return/deletion of data after contract termination: Specifies how personal data is handled once the contract ends.
  • Regulations on audit and control rights by the data controller: Includes the data controller’s right to audit the data processor for compliance with the DPA.
  • Obligation to inform in case of unlawful instructions: Specifies the obligation of the data processor to inform the data controller if an instruction violates the GDPR.

Who is responsible for managing a Data processing agreement (DPA)?

The data controller (Verantwortlicher) bears the primary responsibility for concluding, defining, and continuously monitoring the Data Processing Agreement (DPA). They must select appropriate data processors and ensure that a valid DPA is in place before data processing begins.

Particularly with cloud services or services provided uniformly to all customers, it has become common practice for the service provider to offer a pre-drafted DPA, which the data processor accepts. This approach is generally acceptable; however, it does not relieve the data controller of their responsibility for ensuring the DPA is properly executed.

With Metasoul, GDPR-compliant Data Processing Agreements can be created from both the perspective of the data controller and the service provider (data processor).
Does a Data processing agreement (DPA) need to be signed?

A signature is not strictly required. It only needs to be verifiable that both the data controller and the data processor have accepted the Data Processing Agreement (DPA) and that it is legally binding. It is common for the General Terms and Conditions (T&C) to reference the DPA, so that by using a service, the General Terms and Conditions and, therefore, the DPA are accepted.
Must I comply with the requirements set out in a Data processing agreement (DPA)?

Yes, absolutely! Compliance with the obligations outlined in the DPA is binding for both parties. Violations can result in fines and claims for damages. The data controller must regularly monitor compliance; the data processor must strictly implement the requirements.
What should I do if changes occur in a DPA?

If the circumstances of data processing (e.g., new subcontractors, different types of data, modified processes) or legal requirements change, the Data Processing Agreement (DPA) must be adjusted accordingly. The change must be documented in writing and confirmed by both parties (Controller and Processor). It is usually sufficient for the other party to be informed about the change, and the change will be considered accepted after a certain period (for example, two weeks) without objections. Ideally, the manner in which changes are handled is directly regulated in the DPA.

The DPA should be regularly reviewed to ensure its relevance. The use of tools like Metasoul offers the following benefits:

  • Data Processing Agreements can be created and managed in compliance with the GDPR.
  • Regular reminders are provided for reviewing the DPA, and changes to documented processes are automatically incorporated into the DPA.
  • Changes can be easily shared with the Controller or client (e.g., through dynamic embedding on the website).