
What is a Data Processing Agreement and Do I Need One?

If your business uses Stripe for payments, Mailchimp for emails, Google Analytics for website tracking, AWS or Azure for hosting, or any other third-party service that handles personal data on your behalf, you are legally required to have a Data Processing Agreement (DPA) with each of those providers. This is not optional. It is a mandatory requirement under Article 28 of the GDPR.

Most Irish businesses do not have DPAs in place. Many do not even know they need them. The Data Protection Commission (DPC) is actively enforcing this requirement, and in 2025, a German regulator issued a EUR 15 million fine specifically for deficient data processing agreements. This is a real risk, not a theoretical one.

What is a Data Processing Agreement?

A DPA is a contract between a data controller (your business, which decides why and how personal data is processed) and a data processor (the third-party service that processes personal data on your behalf). It sets out the terms under which the processor handles personal data, ensuring that both parties comply with the GDPR.

Article 28(3) of the GDPR specifies mandatory provisions that every DPA must include: the subject matter, duration, nature and purpose of the processing; the type of personal data processed; the categories of data subjects; the obligations and rights of the controller; requirements around sub-processors; data security measures; assistance with data subject rights requests; deletion or return of data at the end of the contract; and audit rights for the controller.


When Do You Need One?

You need a DPA with every third-party service that processes personal data on your behalf. Common examples for Irish businesses include: payment processors (Stripe, PayPal, Square), email marketing platforms (Mailchimp, Kit, HubSpot), cloud hosting providers (AWS, Google Cloud, Microsoft Azure, Netlify), CRM systems (Salesforce, Pipedrive, HubSpot), website analytics (Google Analytics, Hotjar), HR and payroll software (BrightPay, Sage), accounting software (Xero, QuickBooks), customer support tools (Zendesk, Intercom), and cloud storage (Google Drive, Dropbox, OneDrive).

Many of these providers have their own standard DPA that you can sign. However, their standard terms may not adequately protect your business. For example, some standard DPAs give the processor broad rights to use sub-processors without your approval, or limit your audit rights. A custom DPA ensures you have the controls that are appropriate for your risk profile.

What the DPC Expects

The Irish Data Protection Commission has published specific guidance on controller-processor contracts. Its Practical Guide to Controller-Processor Contracts lists the mandatory provisions from Article 28(3) and recommends additional clauses, including provisions for cooperation between controller and processor, liability and indemnification arrangements, insurance requirements, and clear procedures for handling data breaches.

The DPC's enforcement activity has been significant. Ireland is responsible for EUR 4.04 billion in cumulative GDPR fines since May 2018, largely because many multinational tech companies have their European headquarters here. While the headline fines target large corporations, the DPC also investigates complaints against smaller businesses, and a missing or inadequate DPA is one of the easiest compliance failures to identify.

Controller vs Processor: Getting the Classification Right

The DPA only applies where there is a controller-processor relationship. If two businesses independently decide what to do with personal data, they are "joint controllers" and need a different type of agreement (an Article 26 joint controller arrangement). If a business shares data with another business that processes it for its own purposes, that business is an independent controller and a DPA is not appropriate.

For most Irish SMEs, the relationship with service providers like Stripe, Mailchimp, and AWS is clearly a controller-processor relationship: your business decides what data is collected and why, and the service provider processes it on your behalf according to your instructions. This is the scenario where a DPA is required.


Sub-Processors: The Hidden Risk

Your processor almost certainly uses sub-processors. Mailchimp uses AWS for hosting. Stripe uses banking partners for payment processing. Under the GDPR, your DPA must address how sub-processors are managed. You can require the processor to obtain your prior written consent before engaging new sub-processors, or you can allow a general authorisation with an obligation to inform you of changes and give you the right to object.

The DPA should require the processor to impose the same data protection obligations on any sub-processor as are imposed on the processor itself. If a sub-processor fails to fulfil its obligations, your processor remains fully liable to you.

International Transfers

If your processor transfers personal data outside the EEA (for example, to servers in the United States), additional safeguards are required. Since the EU-US Data Privacy Framework was adopted in July 2023, transfers to US companies that are certified under the framework are permitted. For transfers to other non-EEA countries, Standard Contractual Clauses (SCCs) are typically required. Your DPA should address where data is stored, whether transfers occur, and what safeguards are in place.

What Happens If You Do Not Have One?

Failing to have a DPA in place is a breach of Article 28 of the GDPR. The maximum fine for a GDPR breach is EUR 20 million or 4% of global annual turnover, whichever is higher. In practice, fines for missing DPAs have been in the tens of thousands to millions of euros. Beyond fines, a missing DPA means you have no contractual mechanism to ensure your processor handles data securely, no right to audit how your data is being processed, no clear process for handling a data breach, and no obligation on the processor to help you respond to data subject access requests.

If a data breach occurs at your processor and you do not have a DPA, your business bears the full legal risk.

This is a self-service document generation tool. It does not constitute legal advice. For complex or high-value situations, we recommend consulting a solicitor.