What is a DPA (Data Processing Agreement)?

A Data Processing Agreement (DPA) is a legally binding contract between a data controller and a data processor that governs how personal data will be handled. Under GDPR Article 28, controllers are required to have a DPA in place with every processor that handles personal data on their behalf. For email marketers, this means you need a DPA with your ESP, any third-party integrations that access subscriber data, and any vendors involved in data storage, analytics, or campaign execution. Without proper DPAs, you're technically violating GDPR even if all other aspects of your data handling are compliant.

A compliant DPA must include specific provisions mandated by the GDPR. These include the subject matter, duration, and nature of processing; the types of personal data and categories of data subjects involved; the processor's obligations regarding confidentiality, security measures, and sub-processor management; requirements for assisting the controller with data subject requests and breach notifications; provisions for audits and inspections; and terms for data return or deletion upon contract termination. Many ESPs and SaaS providers now offer standardized DPAs that can be executed electronically, though you should review them to ensure they adequately address your specific processing activities.

Beyond legal compliance, DPAs serve a practical purpose: they clarify responsibilities and create accountability when things go wrong. If a data breach occurs at your processor's end, the DPA establishes who is responsible for notification, remediation, and potential liability. It also provides a contractual mechanism for enforcing security standards and ensuring your vendors maintain appropriate protections. Treat DPAs not as bureaucratic paperwork but as essential risk management tools that protect both your business and your subscribers.