Legal & Compliance
Data Processing Agreement (DPA)
The short answer
A Data Processing Agreement is the contract required under Art. 28 GDPR between a company and a service provider who processes personal data on its behalf. For AI tools, it's mandatory once customer or employee data passes through the system — it governs purpose, security, subprocessors, and data deletion.
Why the DPA matters for AI tools
Whenever an external provider — whether AI chatbot, transcription service, or document AI — processes personal data on your behalf, Art. 28 GDPR requires a Data Processing Agreement. It specifies what the provider can do with the data, what technical and organisational safeguards it implements, which subprocessors it engages, and what happens to the data when the contract ends.
With AI providers, two points deserve special attention. First: whether inputs are used to train models — this should be contractually excluded. Second: the list of subprocessors and server locations, since many AI services rely on cloud infrastructure in third countries, requiring additional safeguards such as Standard Contractual Clauses.
How to proceed in practice
Before implementing an AI tool: request and review the provider's DPA (usually available as a standard document from established providers), check server locations and subprocessors, verify the training exclusion, and add the tool to your processing inventory. It sounds extensive, but with reputable providers it's done in a short timeframe — the documents are ready to use.
Important: the DPA doesn't remove your own responsibility. As the controller, you remain obligated to select only suitable service providers and ensure that processing overall is lawful.
Third-country transfers: what to watch with US providers
Many leading AI services come from US providers or run on US cloud infrastructure — from a data protection perspective, that's a third-country transfer requiring additional safeguards. Two approaches are standard: the provider is certified under the EU-US Data Privacy Framework (the adequacy decision in force since July 2023), or Standard Contractual Clauses are agreed, usually included as part of the DPA package. Which applies is stated in the provider's data protection documentation — and should be briefly verified during tool review.
Increasingly, major AI providers also offer EU data processing: requests are then processed on servers within the EU, which simplifies the third-country question for ongoing use. For companies with sensitive data, this is often the simplest approach — same model quality, but much clearer legal standing. When selecting a provider, it's worth asking about an EU region from the outset; switching later is possible but unnecessary effort.
Keeping track of the subprocessor chain
One often-overlooked aspect of the DPA is the chain of subprocessors behind it. Hardly any AI provider operates its entire infrastructure in-house: typically the models run on a third party's cloud, data storage with another service provider, support or monitoring with a fourth. Each of these subprocessors potentially processes data — and the DPA must map this chain. Art. 28 GDPR requires that subprocessors are only engaged with permission and are subject to the same data protection obligations as the main processor. Reputable providers therefore maintain a public, current list of their subprocessors and notify of changes.
For practice, this means two things. First: the subprocessor list should be part of your tool review — a quick look shows which other companies and server locations are involved, especially relevant if any are in third countries. Second: responsibility doesn't end with signing the contract. If the provider changes subprocessors, you should be informed and able to respond if needed, including objecting in extreme cases. Once you've properly documented the chain and added it to your processing inventory, you have solid ground if a regulator inquires — and you avoid the uncomfortable situation of not knowing where your data ultimately ends up.
DPA review in practice: the decisive points
Getting a DPA and actually reviewing it are two different things. A short checklist covers the essentials: Is it stated that inputs won't be used for model training? Are all subprocessors named and a complete subprocessor list available? What server locations are used — EU or third country, and with what safeguards? What happens to the data when the contract ends — deletion, return, in what timeframe?
With US providers, the third-country transfer is the critical point. Two approaches are common: the provider is certified under the EU-US Data Privacy Framework, the adequacy decision in force since July 2023. Or Standard Contractual Clauses apply as part of the DPA package. Which applies is stated in the provider's data protection documentation. Increasingly, major AI providers offer EU data processing — this eliminates the third-country question for ongoing use. It's worth asking about an EU region upfront when selecting a provider, because switching later is always more effort than getting it right from the start.
Practical example
A trades company implements AI-powered invoice processing. Before launch, it reviews the provider's DPA: EU server location, no training on customer data, clearly named subprocessors. The contract is digitally signed, the tool added to the processing inventory — the entire review takes less than one working day.
Frequently asked questions about Data Processing Agreement (DPA)
What happens if I don't have a DPA?
Processing is then formally unlawful — a violation of Art. 28 GDPR subject to fines. Regardless of penalty risk, without a DPA you also lack any contractual protection specifying what the provider can do with your data.
Do all AI providers offer a DPA?
Established providers with business plans: yes, usually as a standard document (often called a Data Processing Agreement/DPA). Free consumer offerings frequently lack one — another reason to use business accounts for commercial use.
Is the provider's standard DPA sufficient?
In most cases yes, if it covers the mandatory contents of Art. 28 GDPR and excludes training on your data. For particularly sensitive data (health, finance), closer review of technical safeguards and subprocessors is worthwhile.
Do I need to know the provider's subprocessors?
Yes — Art. 28 GDPR requires that subprocessors are only engaged with permission and are subject to the same obligations. Reputable providers maintain a public, current list and notify of changes. This list should be part of your tool review: it shows which other companies and server locations are involved.
What is the EU-US Data Privacy Framework, and is it sufficient as a basis for data transfer?
The EU-US Data Privacy Framework is an adequacy decision by the EU Commission from July 2023, certifying that participating US companies provide data protection comparable to EU levels. For certified providers, additional Standard Contractual Clauses aren't necessary — the decision alone serves as a third-country safeguard. Whether a provider is certified can be checked in the official framework list. Note: like its predecessors Safe Harbour and Privacy Shield, the decision can be legally challenged; those needing maximum protection may choose EU data processing or Standard Contractual Clauses as additional measures.
Relevant to your industry
Related terms
How relevant is this for your business?
In the free intro call we look at your specific process.