
Reviewing a Data Processing Agreement (DPA): Complete Checklist under GDPR
How do you review a Data Processing Agreement properly? This complete checklist covers all GDPR requirements, typical pitfalls and how AI can help.
Introduction
Modern companies almost always process personal data via external service providers: cloud providers, SaaS tools, IT maintenance, specialised outsourcing services. Whenever these service providers process personal data on the company's instructions, a Data Processing Agreement (DPA) under Art. 28 GDPR is mandatory.
In practice, however, reviewing DPAs is one of the most demanding, time-critical and error-prone tasks in day-to-day data protection and compliance work. The reasons: complex technical annexes, missing internal standards, tight deadlines and heterogeneous contract wording.
This article covers:
- What a DPA is and when it is required
- What minimum legal requirements apply
- Typical sources of error in DPA review
- The risks arising from inadequate DPAs
- Documented real-world cases from European authorities
- Examples of critical clauses from practice
- How AI-assisted DPA review significantly reduces the error rate
If you want to review your DPAs quickly, in a structured and risk-aware way, book one of our Best Practice Packages!
1. What is a Data Processing Agreement (DPA)?
A Data Processing Agreement (DPA) – also known as a "data processing contract" or in German "Auftragsverarbeitungsvertrag (AVV)" – is a legally required agreement between:
- the controller (the company that determines the purpose and means of processing), and
- the processor (the service provider that processes the data on behalf of the controller)
The DPA governs the controlled transfer of personal data and sets out the minimum requirements under Art. 28 GDPR. It ensures that personal data is processed under clearly defined conditions, with appropriate security measures and controllable responsibilities.
2. When is a Data Processing Agreement required under GDPR?
A DPA is always required whenever an external service provider processes personal data on instruction. Common examples include:
- Cloud-based software (CRM, HR systems, collaboration tools)
- Hosting or infrastructure services
- IT maintenance & remote support
- Payroll processing
- Customer support or call centres
- Data destruction or archiving
Important: The DPA must be concluded before processing begins.
Review your DPAs with Legartis from now on — easy, fast and to best-practice standards!
3. Minimum content of a DPA (Art. 28 GDPR)
A complete DPA must, among other things, address the following points:
- Subject matter and duration of the processing
- Purpose
- Type of data & categories of data subjects
- Obligations of the processor (confidentiality, technical and organisational measures (TOMs), duties to assist)
- Right to issue instructions
- Sub-processors (approval mechanisms, transparency)
- Return/deletion of data after the end of processing
- Documentation and audit rights
- Support for data subjects' rights
- Support for security incidents
These requirements form the legal minimum. In practice, DPAs are considerably more complex – mainly due to technical annexes, international data flows and differing drafting styles.
4. Typical pain points in DPA review
1. Missing or outdated playbooks and standards
Many companies do not have clear, up-to-date guidelines or a Contract Playbook for reviewing DPAs.
Consequences:
- Inconsistent risk assessments
- Inefficient coordination processes
- Discretionary judgement in areas that should be clearly defined
- Lack of comparability between suppliers
2. Lengthy and technically complex contracts
DPAs often run to 20–30 pages and include:
- TOM annexes
- Sub-processor lists
- Additional agreements for international transfers
- Separate SLA and incident-handling processes
3. Time pressure during onboarding
DPAs are often reviewed under heavy time pressure:
- A SaaS tool needs to go live immediately
- Internal pressure: procurement is pushing, IT is waiting, marketing wants to launch a campaign
The time pressure under which DPAs must be reviewed significantly increases the error rate.
If you need a quick DPA review, use Legartis from now on. Includes DPA Best Practice Playbook!
5. Risks of inadequate DPAs
Time pressure and the absence of uniform guidelines lead to errors in DPA review.
The resulting risks are significant, as the following examples illustrate.
Case 1: Missing DPA – fine in Germany
A German company was sanctioned because a service provider was processing personal data without a DPA being in place.
Fine: approx. EUR 5,000
Source: LEWENTO (analysis of an officially confirmed case)
Relevance:
Even a purely formal error – the missing contract – is already sanctionable.
Case 2: Several missing DPAs – fine in Hesse
The Hessian Data Protection Authority sanctioned a shipping company because several service providers it used were operating without a DPA.
Fine: up to EUR 5,000 per missing contract
Source: Hessian Data Protection and Freedom of Information Authority (Analysis: Fox Rothschild LLP)
Relevance:
Several contracts were missing – the authority treated this as a systemic organisational failure.
→ These cases show how important a structured DPA review is.
6. Examples of critical DPA clauses
1. Vague TOMs
"The processor implements appropriate security measures."
→ Insufficient, as TOMs must be described concretely rather than by a blanket reference to "appropriate measures".
2. Sub-processors without transparency
"The processor may engage sub-processors at any time."
→ Loss of control over data sharing.
3. Unbalanced liability
"Total liability capped at the annual fee."
→ Inappropriate in the event of data protection violations.
4. Illusory audit rights
"Audit only by means of annual certificates."
→ Authorities expect real audit possibilities.
5. Unclear incident notifications
No deadlines, no contact persons, no defined content.
→ Risk of late reporting.
7. How AI makes DPA review easier
Analysing a DPA is inherently demanding. In practice, three structural causes of errors can be identified:
- Lack of uniform standards
- Time pressure
- The combination of legal and technical requirements
An AI-powered DPA review based on a legally developed Best Practice Playbook addresses exactly these structural factors – not as a substitute for legal expertise, but as a methodological amplifier.
1. AI with a Best Practice Playbook ensures uniform standards
Instead of subjective, case-by-case decisions, the AI reviews every contract:
- Against defined minimum standards
- With consistent assessment categories
- Reproducibly
- Regardless of who is reviewing
The result is an objectified risk assessment.
2. AI reduces time-pressure-related errors
DPAs often contain:
- Dozens of pages of technical annexes
- Long sub-processor lists
- Complex SCC implementations
The AI detects patterns, deviations and risk clauses in seconds – even where humans read selectively due to time pressure.
3. AI combines legal & technical expertise
The basis is a Best Practice Playbook reviewed by experienced lawyers that covers all relevant clauses, review rules and risk scenarios. It links, among other things:
- Legal requirements (Art. 28 GDPR, liability, data subjects' rights)
- Technical security standards (e.g. encryption, IAM, logging)
- Requirements for cloud architecture and the service provider chain
- International transfer rules (Standard Contractual Clauses / SCCs, Transfer Impact Assessments / TIAs)
The AI applies this knowledge consistently to every individual DPA. The result is a holistic assessment that is neither purely legal nor purely technical, but brings both perspectives together, with high speed and precision.
4. AI enables scalable, reproducible quality
With the highest review speed and consistently high review quality, companies benefit from:
- Faster approvals
- Reliable results
- Fewer queries to legal
- Clear decision bases for business units
- Better documentation for audits
This makes the DPA review process standardisable and efficient, without sacrificing substantive depth.
Want to accelerate your DPA review process right away?
Conclusion
The Data Processing Agreement is a central building block of modern data protection and security architectures. A careful review is essential – and yet, in reality, often difficult to carry out.
The combination of:
- Legal requirements
- Technical security requirements
- International regulation
- High speed during tool onboarding
makes DPA reviews one of the most complex tasks in GDPR practice.
An AI-assisted DPA review, based on a lawyer-developed Best Practice Playbook, creates clear advantages here: It standardises, accelerates and objectifies the review, reduces the error rate and delivers reproducible results – both for individual reviews and for scalable review processes in day-to-day business.