GDPR DPA necessity checker
Answer six questions to see whether a data sharing arrangement needs a data processing agreement (a DPA, the Article 28(3) contract), a different instrument, or none at all. The answer turns on the roles of the parties: controller and processor, joint controllers, or independent controllers. Based on GDPR Articles 28, 26, and 4 and EDPB Guidelines 07/2020. A structured assessment, not legal advice.
Primary sources
Jurisdiction: EU/EEA. Instrument: Regulation (EU) 2016/679 (GDPR), Articles 28, 26, and 4, as in force on the dates below and extended to the EEA.
- Regulation (EU) 2016/679 (GDPR), Articles 28, 26, and 4 (EUR-Lex) (Last verified 2026-06-07)
- EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version 2.0, adopted 7 July 2021 (Last verified 2026-06-07)
Frequently asked questions
- Does this tool produce a binding determination?
- No. It applies GDPR Articles 28, 26, and 4 and the EDPB Guidelines 07/2020 to your answers and returns a structured assessment. Whether a party is a controller, a processor, or a joint controller is a functional judgement for your organisation and its DPO or legal counsel, and the label a contract uses does not settle it (Article 28(10)). When the roles are unclear, document the facts and take advice.
- What is a data processing agreement (DPA)?
- A DPA is the written contract Article 28(3) requires whenever a controller uses a processor to process personal data on its behalf. It binds the processor to act only on the controller's instructions and to meet the mandatory obligations listed on this page, including security, confidentiality, sub-processor controls, assistance with data-subject rights, and deletion or return of the data at the end of the services. It is sometimes called a data processing addendum or an Article 28 agreement.
- When is a DPA required?
- Whenever one organisation processes personal data on behalf of, and on the documented instructions of, another: the controller-processor relationship in Article 28. A typical example is a company (controller) using a SaaS vendor, payroll bureau, analytics provider, or hosting company (processor) that handles personal data to deliver its service. The DPA must be in place for that processing.
- Do two companies that share data always need a DPA?
- No. If each company independently decides its own purposes for the data, they are separate controllers and Article 28 does not require a DPA between them, though a controller-to-controller data sharing agreement is good practice. If they jointly decide the purposes and means, they are joint controllers and need an Article 26 arrangement instead of a DPA. A DPA is specifically for the controller-processor relationship.
- What is the difference between a DPA and a joint-controller (Article 26) arrangement?
- A DPA (Article 28) governs a controller-processor relationship, where the processor acts only on the controller's instructions. An Article 26 arrangement governs joint controllers, who together decide the purposes and means of processing; it allocates their respective GDPR responsibilities, in particular for data-subject rights and the Articles 13 and 14 transparency duties, and its essence must be made available to data subjects. They are different instruments for different relationships.
- Does my processor need DPAs with its sub-processors?
- Yes. A processor may engage a sub-processor only with the controller's prior authorisation (specific or general) under Article 28(2), and must impose the same data-protection obligations on the sub-processor by contract under Article 28(4). The original processor stays fully liable to the controller for the sub-processor's performance.
- We transfer data outside the EU/EEA. Does that change the contract?
- It adds an obligation rather than replacing the DPA. You still need the Article 28 contract for the controller-processor relationship, and on top of it Chapter V requires a valid transfer mechanism (such as an adequacy decision or standard contractual clauses) and, where appropriate, a transfer impact assessment. Our Cloud Act and Schrems II exposure analyzer assesses transfer exposure in more depth.
By ISMS Copilot. Based on GDPR Articles 28, 26, and 4 and EDPB Guidelines 07/2020 on controller and processor.
