Data processing agreement: what it is and when you need one
If you work as a freelancer or small organisation with software that processes client data — an EHR system, accounting software, email marketing, or CRM — you are legally required to have a data processing agreement (DPA) in place with that vendor. This follows from GDPR Article 28.
Who this guide is for
This guide is mainly for:
- freelancers, small organisations, and independent professionals who use software vendors to handle client or patient data
- readers in business, legal, or healthcare contexts where GDPR obligations are part of normal operations
- people who need to know whether a vendor is merely convenient or actually usable in a defensible way
For mainstream readers with no client-data responsibility, this is usually not a priority page. This guide matters once you are responsible for other people’s personal data, not only your own.
What you gain, and what it costs
If you handle this properly, you usually gain:
- less legal and operational ambiguity about what your vendors are allowed to do with client data
- a clearer paper trail for audits, incidents, or regulator questions
- a better filter for excluding vendors that are not suitable for professional data handling
But it costs something:
- some administrative work
- a little friction when choosing or onboarding vendors
- less freedom to use quick, free, or poorly documented tools
For professional contexts that is usually a reasonable trade. It becomes overkill only if you turn this into a legal paperwork exercise before identifying which vendors actually process client data on your behalf.
What is a data processing agreement?
A data processing agreement is a written contract between you (the data controller) and a vendor (the data processor) who processes personal data on your behalf.
The agreement establishes:
- Which data the processor may process, and for what purpose
- How the processor secures the data
- That the processor may not use the data for their own purposes
- How data breaches are reported
- That data is deleted or returned when the agreement ends
Without this agreement, you are liable for what the vendor does with the data — even if you had no knowledge of it.
When do you need one?
You need a data processing agreement whenever an external party processes personal data on your behalf. Examples:
| Situation | DPA required? |
|---|---|
| Accounting software (QuickBooks, Xero) with client invoices | Yes |
| EHR or case management system | Yes |
| Email marketing tool (Mailchimp, Brevo) with client list | Yes |
| CRM system (HubSpot, Pipedrive) | Yes |
| Cloud storage (Proton Drive, Tresorit) for client files | Yes |
| Your own accountant who processes data | Yes |
| Tools you use purely for yourself, without client data | No |
How to arrange it
Step 1 — Inventory your processors
Make a list of all software vendors and service providers who can see client data. Don’t forget: IT management, hosting, payroll administration.
Step 2 — Check whether a DPA already exists
Many large vendors have the data processing agreement already built into their terms of service or available as a separate document. Check:
- The vendor’s privacy or legal page
- A web search for “[vendor name] data processing agreement” or “[vendor name] DPA”
Examples where this is handled by default:
- Proton Drive / Proton Mail — DPA available via proton.me/legal
- Google Workspace — Data Processing Amendment available
- Mailchimp — Data Processing Addendum to accept in account settings
- Microsoft 365 — Online Services Data Protection Addendum
Step 3 — Sign or accept
Sometimes clicking “agree” in account settings is sufficient. Sometimes you need to sign a document. Keep the confirmation.
Step 4 — Store the agreement
Keep the signed DPA or confirmation of acceptance. In the event of a supervisory authority audit you need to be able to demonstrate that the agreement exists.
What if a vendor doesn’t have one?
Small or unknown vendors sometimes have no standard DPA. In that case you can:
- Send your own model DPA — your national data protection authority usually provides a template
- Ask the vendor to draw one up
- Reconsider whether this vendor is suitable for processing client data
If a vendor refuses to enter into a DPA but does process client data, you legally cannot use that vendor for that purpose.
EU servers and transfers outside the EU
A data processing agreement governs the relationship, but says nothing about where the data is stored. For GDPR compliance, data about EU residents must be stored in the EU, with a provider in a country covered by an adequacy decision (e.g. Switzerland, Canada, UK), or transferred under a valid transfer mechanism such as Standard Contractual Clauses (SCCs).
Check with your processors:
- Where are the servers located?
- Is there an adequacy decision or Standard Contractual Clauses (SCCs) for transfers outside the EU?
Proton (Switzerland — adequacy decision), Tresorit (EU servers), and most major US providers via SCCs are generally fine. Unknown or free services: always check.
Records of processing activities
In addition to data processing agreements, as a data controller you are also required to maintain a record of processing activities: an overview of what personal data you process, for what purpose, and for how long.
A simple spreadsheet with columns (data category, purpose, retention period, processor, legal basis) is sufficient for a freelancer.
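The following script is an added example, not part of the original guide, that turns the processor inventory from Step 1, the "DPA required?" table, the transfer check, and the record-of-processing columns above into one machine-checkable register. It assumes a CSV with the constructed column names shown (processes_client_data, dpa_status, server_country, transfer_mechanism, plus the record columns); the sample rows and status values are made up for illustration, and the adequacy list is only the subset of countries this guide names, not the full list.

```python
"""Check a processor register for missing DPAs, transfer basis and record columns."""
import csv
import io

# EU member states (ISO 3166-1 alpha-2). Data stored here needs no transfer mechanism.
EU_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
}
# Countries the guide names as covered by an adequacy decision (illustrative subset only).
ADEQUACY_COUNTRIES = {"CH", "CA", "GB"}
# Transfer mechanisms accepted for servers outside the EU and adequacy countries.
ACCEPTED_TRANSFER_MECHANISMS = {"SCC"}
# DPA statuses that count as "in place" (column values are an assumption of this example).
DPA_IN_PLACE = {"accepted", "signed"}
# Record-of-processing columns the guide says a freelancer's register should carry.
ROPA_COLUMNS = ("data_category", "purpose", "retention_period", "legal_basis")

# Constructed sample register; vendor rows and values are made up for this example.
SAMPLE_REGISTER = """vendor,processes_client_data,dpa_status,server_country,transfer_mechanism,data_category,purpose,retention_period,legal_basis
Proton Drive,yes,accepted,CH,,client files,file storage,duration of engagement,contract
Mailchimp,yes,accepted,US,SCC,client email addresses,newsletter,until unsubscribe,consent
Xero,yes,accepted,IE,,invoices,accounting,7 years,legal obligation
Unknown Notes App,yes,none,US,,client notes,note taking,,
Personal todo list,no,none,US,,,,,
"""


def transfer_basis_ok(server_country, transfer_mechanism):
    """True if the storage location or transfer mechanism satisfies the guide's rule."""
    country = server_country.strip().upper()
    if country in EU_COUNTRIES or country in ADEQUACY_COUNTRIES:
        return True
    return transfer_mechanism.strip().upper() in ACCEPTED_TRANSFER_MECHANISMS


def vendor_issues(row):
    """Return the list of issue codes for one register row (empty list means no findings)."""
    issues = []
    if row["dpa_status"].strip().lower() not in DPA_IN_PLACE:
        issues.append("NO_DPA")
    if not transfer_basis_ok(row["server_country"], row["transfer_mechanism"]):
        issues.append("NO_TRANSFER_BASIS")
    for column in ROPA_COLUMNS:
        if not row[column].strip():
            issues.append(f"ROPA_MISSING:{column}")
    return issues


def check_register(csv_text):
    """Map each client-data processor with issues to its issue codes.

    Vendors marked as not processing client data are skipped, matching the
    guide's table: tools used purely for yourself need no DPA.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["processes_client_data"].strip().lower() != "yes":
            continue
        issues = vendor_issues(row)
        if issues:
            findings[row["vendor"]] = issues
    return findings


if __name__ == "__main__":
    for vendor, issues in check_register(SAMPLE_REGISTER).items():
        print(f"{vendor}: {', '.join(issues)}")
```

Run against the sample register, only the unknown vendor is reported: no DPA, US servers with no transfer mechanism, and two empty record columns. Keeping the register in this shape means the audit question from Step 4 (can you show the agreement exists?) becomes a column lookup rather than a search through email.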
Next step
Go further
- GDPR data breach notification — your obligations once something actually goes wrong
Profiles
- Profile: healthcare professional — data processing agreements in healthcare
- Profile: freelancer or small business — GDPR obligations for the self-employed
Reviews
- Proton Drive review — GDPR-compliant storage