What is a DPA (Data Processing Agreement)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
A Data Processing Agreement (DPA) is a contract between you (the data controller) and your service providers (the processors) that says: here's exactly how you're allowed to handle our subscriber data. Without it, you're technically violating GDPR even if everything else about your email program looks compliant.
Here's why you need it: You're storing subscriber data somewhere (your ESP, your CRM, your analytics platform). Those vendors touch that data on your behalf. GDPR says you must have a written agreement that spells out what they can and can't do with it. No agreement? No protection. You're personally liable if they mess up.
A compliant DPA covers specific things. It describes what data they're processing, how long they're processing it, and what they're doing with it. It locks in their obligations around security, confidentiality, and how they handle data breaches. It spells out your right to audit them and verify they're following the rules. It covers what happens if they want to use subprocessors (vendors working below them). And it says what happens to your data when the contract ends. Most major ESPs and SaaS providers now offer standardized DPAs you can execute online, though you should glance through them to make sure they fit your actual setup.
DPAs aren't just legal theater. They're practical. When (not if) something goes wrong with a vendor, the DPA tells you who's responsible for notifying affected subscribers, who pays for remediation, and where the liability sits. It's your contractual safety net.
Start here: Ask your ESP, CRM, and any other vendor touching subscriber data for their DPA. If they don't have one, that's a red flag. If they do, skim it for three things. One, confirm it covers all the data you're actually sending them. Two, check that it mentions GDPR compliance specifically (not just "applicable laws"). Three, verify it spells out your right to audit. Once you've got signed DPAs in place with all your vendors, you can confidently move to the next item on your compliance checklist.
Related reading: what GDPR requires of you and the key GDPR requirements for email.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.