Data Processing Agreement (DPA): Article 28 GDPR Guide
Steven | TrustYourWebsite · 14 May 2026 · Last updated: May 2026
A Data Processing Agreement (DPA) is the contract that GDPR Article 28 requires between a controller and a processor. Without it, transferring personal data to a third-party service is unlawful regardless of how trustworthy the service is. The DPA is the legal scaffolding that turns "we trust this vendor" into "we are GDPR-compliant in our use of this vendor".
This guide covers when a DPA is needed, the eight subjects every DPA must address, how to recognise a compliant vendor offering, what to do when a vendor refuses to provide one and how the European Commission's Standard Contractual Clauses for processors fit in.
Want a quick view of which third-party services your site loads and may need a DPA for? Run a free TrustYourWebsite scan.
The basic test: is this service a processor?
A processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. Three signals indicate a processor relationship:
- The service receives or accesses personal data that the controller has collected
- The service processes that data for purposes determined by the controller
- The service does not determine its own purposes for that data beyond what the contract permits
Most third-party services that a website connects to are processors. A short list of recurring patterns:
| Service category | Processor? | Typical examples |
|---|---|---|
| Hosting and CDN | Yes | Vercel, AWS, OVH, Cloudflare |
| Email service (transactional) | Yes | Resend, Postmark, Brevo, AWS SES |
| Email marketing | Yes | Mailchimp, MailerLite, Brevo, ActiveCampaign |
| Analytics | Yes | Google Analytics, Plausible, Matomo Cloud |
| Payment processor | Yes (often also independent controller) | Stripe, Mollie, Adyen, PayPal |
| Customer support / chat | Yes | Intercom, Crisp, Zendesk |
| CRM | Yes | HubSpot, Pipedrive |
| Form builder | Yes | Typeform, Tally |
| Backup | Yes | Backblaze, Rewind |
| Embedded video player | Depends | YouTube acts as independent controller for its own purposes |
| Social media login | Generally not a processor | OAuth providers are independent controllers |
The classification matters because it determines the contract type. Processors need Article 28 DPAs. Joint controllers need an Article 26 arrangement; independent controllers need only a documented controller-to-controller relationship.
What Article 28(3) requires the DPA to cover
Article 28(3) GDPR first requires the contract to describe the processing (subject matter, duration, nature, purpose, type of personal data and categories of data subjects) and the obligations and rights of the controller, and then sets out eight subjects, in points (a) to (h), that the processor must be bound by. The table below covers both parts. A DPA missing any of them is non-compliant on its face, regardless of how strong the rest of the contract is.
| # | Required subject | Reference | What to look for in the DPA |
|---|---|---|---|
| – | Subject matter and duration of the processing | Art. 28(3) intro | A description of what the processor does and how long the relationship lasts |
| – | Nature and purpose of the processing | Art. 28(3) intro | Why the data is processed and the operational character of the processing |
| – | Type of personal data and categories of data subjects | Art. 28(3) intro | An explicit list (employees, customers, leads etc.) and data categories |
| – | Obligations and rights of the controller | Art. 28(3) intro | Reciprocal language: controller's right to issue instructions and audit |
| 1 | Process only on documented instructions | Art. 28(3)(a) | Explicit clause that covers international transfers too |
| 2 | Confidentiality of authorised personnel | Art. 28(3)(b) | Statement that processor staff are bound by confidentiality |
| 3 | Article 32 security measures | Art. 28(3)(c) | Reference to specific TOMs (technical and organisational measures), often in an annex |
| 4 | Sub-processor authorisation and back-to-back obligations | Art. 28(3)(d) + 28(4) | Prior-authorisation mechanism + same protections imposed on sub-processors |
| 5 | Assistance with data subject rights | Art. 28(3)(e) | Reasonable assistance with access/erasure/portability requests |
| 6 | Assistance with breach notification, DPIAs and prior consultation | Art. 28(3)(f) | Notification within a stated SLA + DPIA support |
| 7 | Return-or-delete at end of services | Art. 28(3)(g) | Controller's choice between return and deletion at termination |
| 8 | Audit and information rights | Art. 28(3)(h) | Audit clause + duty to provide compliance information |
If you cannot find each of these in the DPA you signed, you do not have a compliant DPA.
How reputable vendors structure their DPAs
Most enterprise vendors offer a single click-to-accept DPA that incorporates the eight subjects above. The acceptance is then recorded in the account audit log. Workflow varies by vendor:
- Stripe: Data Processing Addendum accepted from the Stripe Dashboard under Settings > Compliance. Effective immediately upon acceptance.
- Google Workspace / Google Analytics: Data Processing Amendment auto-accepted on account creation. Specific terms link from the admin console.
- Cloudflare: Cloudflare Data Processing Addendum accepted from the dashboard or signed offline by enterprise customers.
- Mailchimp / Intuit Mailchimp: DPA available from the Compliance page in the user portal. Click-to-accept.
- HubSpot: Data Processing Agreement linked from the customer terms. Auto-accepted with the master subscription agreement.
- Notion: Data Processing Addendum accessible from the workspace settings. Click-to-accept for Business and Enterprise plans.
The acceptance event is your proof of compliance. Take a screenshot or download the executed PDF and archive it. Without proof of acceptance, you have no defence against an Article 28 inspection.
What to do when a vendor refuses
Sometimes a small vendor has no DPA at all and refuses to sign one. Three options:
- Replace the vendor with one that offers a compliant DPA. Almost always the right move.
- Use the Commission's Standard Contractual Clauses for processors (Implementing Decision 2021/915, 4 June 2021) and ask the vendor to sign. Some smaller vendors accept the SCC template because it removes drafting cost.
- Stop sending personal data to the vendor. If the function can be performed without personal data (e.g. an internal tool used only with synthetic test data), the obligation does not arise.
What is not an option: continue using a non-compliant vendor in production. Even if no one complains, the inspection risk does not go away. On the contrary, processors with no DPA tend to become the first focus when a controller is inspected for other reasons.
The Commission's Standard Contractual Clauses
Commission Implementing Decision (EU) 2021/915 of 4 June 2021 adopted Standard Contractual Clauses for controller-to-processor contracts that satisfy Article 28(3) and (4). These are different from the Decision 2021/914 SCCs for international transfers. Both share the "SCC" abbreviation but they cover distinct gaps.
When to use the Decision 2021/915 SCCs:
- The vendor has no compliant DPA of its own
- You want a clean, regulator-recognised baseline
- The vendor accepts the template without modification
The SCCs come with annexes that the parties fill in: description of the processing, categories of data and data subjects, technical and organisational measures, list of sub-processors. The annexes are where the contract becomes concrete. The boilerplate clauses are not negotiable.
Sub-processors: chain-of-custody
Article 28(2) requires prior written authorisation of the controller before the processor engages a sub-processor. Most vendor DPAs operationalise this as "general authorisation": the controller authorises the processor's current list of sub-processors and any future additions, with the right to object within a notice period.
Practical implications:
- Ask each vendor for their current sub-processor list at onboarding
- Subscribe to the sub-processor notification mailing list if the vendor offers one
- Document in your record of processing activities the sub-processors involved in each tool
- If a vendor adds a sub-processor in a high-risk jurisdiction, evaluate the international transfer mechanism before the change takes effect
Common mistakes
No DPA in place at the start of processing. Adding the DPA after processing has begun does not cure prior non-compliance. Sign before integration, not after.
Click-to-accept lost on staff turnover. The DPA was accepted by a previous administrator and no one knows where the record is. Archive the acceptance event in a place that survives staff changes.
DPA addresses some but not all Article 28(3) subjects. Especially common: missing audit clause, missing sub-processor authorisation, missing return-or-delete clause.
Sub-processor list outdated. The vendor has added three new sub-processors since onboarding and the controller's record of processing activities still shows the original list.
Processor doubles as independent controller for marketing. Some vendors process the controller's data both as processor (for the controller's use of the service) and as independent controller (for their own analytics and product development). The DPA must clearly distinguish the two roles. The controller cannot legitimise the second processing on the basis of the Article 28 DPA alone.
Free-tier vendor with no DPA. A small organisation onboards a free analytics or email tool that has no DPA. The free price tag does not exempt the vendor from Article 28. If no DPA is available, the tool cannot be used in production.
Practical onboarding workflow
For each new third-party service that will receive personal data:
- Identify the processing role (processor, joint controller, independent controller)
- Locate the vendor's DPA in their documentation
- Verify the DPA covers the eight Article 28(3) subjects
- Accept the DPA and archive proof of acceptance
- Note the international transfer mechanism (adequacy, SCCs, BCRs)
- Add the vendor to the record of processing activities under Article 30
- Add the vendor to the privacy notice recipients list
- Subscribe to sub-processor change notifications
For the broader compliance map of which obligations apply to your site, the GDPR compliance checklist and the GDPR website audit checklist cover the controls that surround the DPA. The privacy policy generator helps surface the processor disclosure in the privacy notice.
Final checklist
- Inventory of every third-party service that receives personal data
- DPA in place for each processor before processing begins
- DPA covers all eight Article 28(3) subjects
- Proof of acceptance archived and accessible to current staff
- Sub-processor list current and reflected in record of processing
- International transfer mechanism noted per processor
- DPA review scheduled at least annually
- Process to evaluate new vendors before procurement, not after
This is technical analysis, not legal advice. For enterprise SaaS contracts with custom processing terms, regulated industries with sector-specific processor rules or active supervisory authority investigations, consult a lawyer who specialises in data protection.