Practical guide
How to make a Data Processing Agreement (DPA)?
Short answer
- 1Go to 4mycontracts.net and select the GDPR / DPA category.
- 2Fill in controller and processor details.
- 3Define processing purpose, data categories, and retention period.
- 4Add security measures and list authorized sub-processors.
- 5Sign electronically and send the DPA to both parties.
What the law says
- GDPR Art. 28 — written contract mandatory between controller and processor.
- GDPR Art. 32 — technical and organizational security measures required in DPA.
- GDPR Art. 46 — standard contractual clauses for transfers outside the EU.
- Romanian Law 190/2018 — GDPR transposition and applicable penalties.
- eIDAS Regulation (910/2014) — electronic signature validity on DPA documents.
Practical examples
- DPA between a digital marketing agency and its SaaS client for managing email lists.
- Processing agreement between a private hospital and its HIS software vendor accessing medical records.
- DPA between an online store and a payment processor storing card data.
- Controller-processor contract between an HR firm and an external cloud payroll platform.
Common mistakes
- Missing explicit list of authorized sub-processors — invalidates the DPA under Art. 28.
- Unspecified data retention period — direct GDPR obligation left uncovered.
- DPA signed after data processing has started, not before — ANSPDCP fine risk.
- Generic security clauses copy-pasted without reflecting actual technical measures in place.
How 4mycontracts helps
- DPA template pre-structured per GDPR Art. 28, with all mandatory sections included.
- Dedicated field for sub-processor list — prevents the omission most penalized by data protection authorities.
- Integrated qualified electronic signature — legally valid DPA without printing or scanning.
- Automatic template updates when GDPR legislation or supervisory authority decisions change.
- Centralized archive of all active DPAs — fast GDPR audit trail for any inspection.
See also:
Archive & compliance →