Skip to content

Managing DPAs under the GDPR

Image of Budi Voogt
Budi Voogt May 25, 2026

You probably recognize this. You onboard a new supplier, someone emails over a data processing agreement, you skim it, sign it, and put the file in a folder you never open again. At that moment it feels as if you are done. And that is exactly where things go wrong, because signing is the easy part. The real work starts afterwards: keeping that agreement current while subprocessors change, reviews slip, and the legal basis for transfers shifts under your feet.

I often see teams treat their data processing agreements as a checkbox moment rather than a living file. That is understandable, because nobody has a calendar entry to reassess a hosting provider's security appendix fourteen months from now. In this guide, I will walk you through what a data processing agreement is, what you need to track for each agreement, why they quietly become outdated, and how to turn them into one clear overview.

This is practical guidance, not legal advice. Put your own situation to a qualified privacy professional.

After reading this guide, you will know:

  • What a data processing agreement (DPA) is and when the GDPR requires one.
  • Which data you need to track for each agreement to remain demonstrably compliant.
  • Why data processing agreements become outdated in practice without anyone noticing.
  • How to build one searchable source of truth and put the important dates on a schedule.

What a data processing agreement is

A data processing agreement, often abbreviated as DPA, records how a processor, the supplier, processes personal data on your behalf as the controller. Think of your CRM, email tool, payroll software, or hosting provider. As soon as such a party touches personal data for you, the GDPR, Article 28, requires you to document this in writing.

The reason is simple. You determine the purpose and means of the processing, so you remain responsible, even when someone else actually manages the data. Without an agreement, both sides take a risk: you cannot show that your supplier is bound by clear commitments, and the supplier does not know where its obligations end. The agreement records, among other things, which data is processed, for what purpose, which security measures apply, and what happens when the cooperation ends.

That is the theory. In practice, a signed agreement is only the starting point, and that is where I want to focus most of the attention.

Professional reviewing a contract overview in a bright office

What to track for each DPA

Most problems do not arise at signing, but months later. A data processing agreement is full of obligations that only come into play in the future, and they do not announce themselves. I recommend recording the same set of data for every agreement, so your portfolio remains comparable.

What you trackWhy it matters
The supplier and the main contractThis links the DPA to the service it relates to, so it does not become detached from its context.
Review dateWhen you need to reassess the security measures, before they quietly become outdated.
Subprocessor list and objection windowWho is allowed, and how many days you have to object to a new addition.
Audit rightsWhat you are entitled to, and how often you can exercise that right.
Transfer mechanismWhat transfers outside the EEA rely on, for example standard contractual clauses, and whether that still covers your real data flows.
Termination and deletion periodsWhat happens to the data when the cooperation ends, and within which deadline.

The useful thing about these fields is that they are all concrete and checkable. You do not need to be a lawyer to track that a review date is approaching or that an objection window is about to close. You just need to make sure the information is somewhere you can find it, rather than buried on page eleven of a PDF.

Why data processing agreements expire

I call it expiring, although there is usually no end date. What happens is more subtle: the agreement remains formally valid, but no longer reflects reality. That happens in a few predictable ways.

Subprocessors change

Almost every supplier uses other parties itself, and that list changes. If you receive a notice that a subprocessor is being added and you miss the objection window, you have silently accepted that party. Sometimes that is fine, but you have still allowed a new party access to your data without making a conscious choice.

Reviews slip

A periodic review of security measures sounds obvious, until you notice that nobody schedules it. It is exactly the type of task that sits idle because it belongs to nobody personally. A year later, you no longer know whether the commitments still match how the supplier works today.

The transfer basis becomes outdated

The legal basis for transfers outside the European Economic Area has changed repeatedly in recent years. A mechanism that was once properly arranged can now be outdated without anything happening on your side. This is one of the quieter risks, because it takes place completely outside your field of view.

If you want to look more closely at this type of dormant obligation, I previously wrote about the hidden risks in contract management, where much of the same dynamic applies.

Build one source of truth

The solution is less complicated than the problem. The core idea is that every data processing agreement sits in one place, searchable, linked to the right supplier, with the key dates extracted instead of hidden inside a document. If a regulator or customer asks for your DPA with party X and wants to see that it is current, the answer is one search away instead of half an afternoon of digging.

That is what Contracko's data processing agreement management is built for. You store each DPA alongside the contract it relates to, with review dates, subprocessor conditions, and transfer obligations in structured fields. Contracko runs on EU infrastructure, with encryption and role-based access, and the AI providers that perform the analysis do not train on your contracts. For a privacy file, I do not see that as a detail but as a requirement.

What I like about this approach is that the work you already do, namely reading the information in an agreement, is no longer lost the moment you close the file. AI contract analysis extracts the relevant fields and puts them in your repository, so the whole supplier portfolio fits into one overview. I explain how that kind of AI works in practice in my article about legal AI.

Put the dates on a schedule

A source of truth only really helps when it tells you when to act. All expiry moments I mentioned above are essentially dates: review deadlines, objection windows for subprocessors, audit cycles, and revalidation of the transfer mechanism. Each of them should trigger a reminder for the right owner, with enough lead time to do something about it.

If you want to see this work on a single agreement before tackling your whole portfolio, the DPA reminder tool is a good starting point. You upload a data processing agreement, the AI extracts the review dates, subprocessor windows, and audit rights, and you get a proposed reminder schedule back. Across your full supplier portfolio, exactly that discipline, every date tracked and every owner reminded on time, is what keeps a portfolio compliant rather than merely signed.

Setting this up does not have to be a large project. With the contract repository, automatic data extraction, reminders, reporting, and calendar integration, the foundation is in place quickly, and you can try it calmly during the free trial. For the broader picture around GDPR compliance, DPA management fits the same approach: visibility and timely action rather than a stack of signed files.

How this differs by sector

Not every supplier portfolio looks the same. A healthcare provider processes special categories of personal data and therefore needs sharper commitments and tighter reviews; I wrote separately about that in contract management for healthcare providers. A fast-growing software company, by contrast, has many more suppliers and therefore many more subprocessors to keep an eye on. The method stays the same, but the volume and sensitivity determine how much structure you really need.

The cost side also matters in that decision. It pays to look in advance at what a tool costs compared with the manual work it removes, and I previously gave an overview of that in SaaS contract management and costs.

Getting started

If you want to do one thing today, start small: take the three suppliers that process the most sensitive data, find their data processing agreements, and record the review date, subprocessor policy, and transfer mechanism for each one. You will probably find that you do not have a current answer for at least one of them, and that is exactly why this work is worth doing.

After that, you can broaden the approach through Contracko's solutions and map the rest of your portfolio in the same way. I am happy to help. Feel free to send me a message if you get stuck or want to think through how to set this up for your situation. I read and answer those emails myself.

Get started with Contracko

Take the hassle out of contract and subscription management. Contracko empowers you to stay organized, on time, and in control. Start simplifying today.

ennldefresitpt