AGIDAT – Datenschutz | Informationssicherheit

Data Processing Agreements

DPA review and vendor assessment — legally sound contractual arrangements.

When is a DPA required?

Under Art. 28 GDPR, a Data Processing Agreement is mandatory whenever you engage a third party (a "processor") to process personal data on your behalf. This applies to cloud services, IT providers, payroll processors, email marketing platforms, CRM systems, and many more. A missing or inadequate DPA is one of the most common GDPR violations found in audits.

What we do for you

  • Processor inventory — identify all vendors that process personal data on your behalf
  • DPA gap analysis — which vendors have no DPA? Which DPAs are incomplete?
  • DPA review — are existing DPAs Art. 28 GDPR compliant?
  • DPA negotiation support — helping you request and review vendor-provided DPAs
  • Standard Contractual Clauses — assessment of SCCs for third-country transfers
  • Vendor risk assessment — is each processor sufficiently secure?

Practical outcome

You receive a complete processor register, all required DPAs in place, and documented evidence of your Art. 28 GDPR compliance — ready for supervisory authority inspections or client security questionnaires.