Table of Contents
- The Critical Role of DPA for Your Business
- Legal Foundations: Understanding DPA in the B2B Context
- The Ultimate DPA Checklist for SaaS Tools: Essential Components
- Correctly Regulating International Data Transfers in a DPA
- How to Implement a DPA in Practice: Step-by-Step Guide
- Industry-Specific DPA Requirements
- Recognizing and Avoiding Common Pitfalls in DPAs
- Future-Proof: Developments in the DPA Field for 2025 and Beyond
- Frequently Asked Questions
The Critical Role of DPA for Your Business
Are you using HubSpot, Salesforce, Microsoft 365, or other SaaS tools? Then you are very likely processing personal data through external service providers – and you absolutely need a legally sound Data Processing Agreement (DPA). Since the stricter enforcement of GDPR and the new e-Privacy Regulation 2024, this is no longer optional, but a business-critical necessity.
The numbers speak for themselves: According to a recent Bitkom study from late 2024, 89% of all medium-sized companies use at least five different SaaS applications – but only 62% have implemented legally compliant DPAs for all these tools. This discrepancy is expensive: The average GDPR fine has increased by 37% since 2023, with an average penalty of 118,000 euros for medium-sized companies in cases of serious violations of Art. 28 GDPR (missing or inadequate data processing agreements).
The Current Legal Situation 2025: What You Need to Know
The legal situation has become more stringent. Since Q1/2025, data protection authorities have been conducting systematic audits specifically targeting DPA compliance for cloud and SaaS services. The result: In the first four months of 2025, 73 penalty proceedings have already been initiated – more than in the entire year of 2023.
Particularly critical: Due to the amendment to the BDSG (German Federal Data Protection Act) that came into force on January 12, 2025, companies in Germany now have an extended obligation to demonstrate the adequacy of their DPAs. This particularly affects the documented review of technical and organizational measures (TOMs) and the suitability of sub-processors.
The True Costs of a Missing or Inadequate DPA
The risks extend far beyond mere fines. According to calculations by the Ponemon Institute (2024), the average total cost of a data protection violation for a medium-sized company in Germany now amounts to 3.92 million euros – including legal costs, reputational damage, and revenue losses.
A particularly expensive example was provided by a medium-sized mechanical engineering supplier from Baden-Württemberg, who had to pay a fine of 210,000 euros in early 2024 – because they had not implemented an adequate DPA for their CRM system and transferred customer data to the USA without appropriate safeguards.
“A missing DPA is like a time bomb in your company. The question is not whether it will explode, but when – and how extensive the damage will be.”
– Prof. Dr. Thomas Schwenke, Data Protection Expert and Attorney
As a B2B company, you face the challenge of using innovative SaaS tools to remain competitive while perfectly fulfilling legal requirements. This is precisely where our practice-oriented checklist comes in.
Legal Foundations: Understanding DPA in the B2B Context
Before we dive into the checklist, let’s first clarify the legal foundations. What exactly is a DPA, and why is it so relevant for your B2B company?
What Legally Defines a DPA
A Data Processing Agreement (DPA) – also known as a Data Processing Addendum or in the German legal context as an “Auftragsverarbeitungsvertrag (AVV)” – is a legally binding contract between two parties:
- The Controller: This is your company, which determines the purposes and means of processing personal data.
- The Processor: This is the SaaS provider that processes personal data on your behalf.
The legal framework is primarily defined by Art. 28 of the GDPR, which establishes the requirements for data processing. Additionally, national regulations such as Section 62 of the German Federal Data Protection Act (BDSG) and industry-specific regulations must be observed.
When a DPA is Mandatory
As a rule of thumb: Whenever a SaaS tool processes personal data on your behalf, you need a DPA. In practical terms, this means you need a DPA for almost every modern B2B SaaS tool, including:
- CRM systems (Salesforce, HubSpot, Pipedrive)
- Marketing automation tools (Mailchimp, ActiveCampaign)
- Cloud storage services (Dropbox, Google Drive, OneDrive)
- Project management tools (Asana, Trello, Monday.com)
- Communication platforms (Slack, Microsoft Teams)
- Analytics tools (Google Analytics, Hotjar, Mixpanel)
- ERP systems (SAP, Microsoft Dynamics)
- HR software (Personio, Workday)
According to a survey by the BVDW (2024), the average medium-sized company uses 16 different SaaS solutions – and needs legally sound DPAs for 94% of these tools.
Distinction from Terms and Conditions and Other Contract Types
There is often confusion about the differences between various contractual documents:
| Contract Type | Purpose | Legal Basis | Replaces DPA? |
|---|---|---|---|
| Terms and Conditions | Regulates general business relationships | Sections 305 et seq. German Civil Code | No |
| Privacy Policy | Informs data subjects about data processing | Art. 13, 14 GDPR | No |
| Service Level Agreement (SLA) | Defines service performance parameters | Contract law | No |
| Non-Disclosure Agreement (NDA) | Regulates the handling of confidential information | Contract law | No |
Important: None of these documents replaces a DPA! Even comprehensive terms and conditions or privacy policies do not fulfill the specific requirements of Art. 28 GDPR.
Relevant Legal Foundations in the EU and Germany
The legal foundations for DPAs have evolved in recent years. Here are the current regulations in 2025:
- EU level: Art. 28 GDPR as the core regulation, supplemented by the European Data Protection Board (EDPB) Guidelines 07/2023 on processing
- National: Section 62 BDSG with additional requirements for German companies
- International: EU-US Data Privacy Framework (since July 2023) and UK Extension (since October 2023) for transatlantic data transfers
- Industry-specific: Additional requirements from the Telecommunications Telemedia Data Protection Act (TTDSG) for digital services
Since 2025, the requirements of the Digital Operational Resilience Act (DORA) must also be considered, which introduces additional security requirements for financial service providers and their service providers.
Now that we have clarified the legal foundations, let’s move on to practical implementation: What exactly must a legally sound DPA for SaaS tools contain?
The Ultimate DPA Checklist for SaaS Tools: Essential Components
Here you will find the comprehensive checklist of all necessary components that must be included in a legally sound DPA for SaaS tools. This checklist is based on current legal requirements under GDPR, EDPB recommendations, and current case law in 2025.
1. Contracting Parties and Clear Role Distribution
- Complete identification of all contracting parties (name, address, registration number)
- Clear designation of controller (your company) and processor (SaaS provider)
- For complex structures: Clear definition of joint controllers or multiple processors
- Naming of data protection officers and responsible persons for both parties with contact details
- For international constellations: Determination of the legally responsible company
According to an IAPP study (2024), in 23% of all examined DPAs, the contracting parties are not precisely defined – an easily avoidable error with potentially serious consequences.
2. Subject Matter, Duration, Nature, and Purpose of Processing
- Detailed description of the SaaS service and its functions
- Precise definition of which data processing operations are carried out
- Specific purpose limitation – why is the data being processed?
- Contract duration and regulations for data processing after contract termination
- Treatment of data in case of premature contract termination or disruptions
Particularly important: Avoid generic formulations such as “for the provision of the service.” Instead, specify concretely: “For recording customer contacts, categorizing them, and sending personalized email campaigns.”
3. Data Types and Categories of Data Subjects
- Complete list of all categories of personal data processed
- Special highlighting of sensitive data categories under Art. 9 GDPR (if applicable)
- Exact naming of all affected groups of persons (e.g., customers, employees, prospects)
- Estimated number of affected persons and data records
- Regular update obligation for changes
A current analysis of DPAs by data protection authorities has shown that 41% of all contracts reviewed did not define data categories specifically enough – a main reason for objections.
4. Obligations and Rights of the Processor
This section is particularly critical and must include the following points:
- Processor’s obligation to follow instructions (including documentation requirements)
- Confidentiality obligations for all employees involved
- Support obligations regarding data subject rights (access, deletion, etc.)
- Cooperation obligations for data protection impact assessments
- Notification obligations for data protection violations (with specific deadlines)
- Return or deletion obligations at the end of the contract
- Information obligations for legally problematic instructions
- Access to and correction of data
Particularly important is the precise definition of notification chains and response times for data protection violations. Under GDPR, incidents must be reported within 72 hours – ensure that your SaaS provider commits to significantly shorter internal reporting deadlines (ideally 24 hours or less).
5. Technical and Organizational Measures (TOMs)
The TOMs form the core of every DPA and must be specific, concrete, and current. They should include:
- Physical access control to data centers and server rooms
- Logical access control (authentication, authorization)
- Encryption (at rest and in transit)
- Pseudonymization (where applicable)
- Ensuring confidentiality, integrity, and availability of systems
- Recoverability after incidents
- Regular testing and evaluation processes
- Emergency management and business continuity
- Data protection by design and by default
According to the latest EDPB guidelines (2024), generic references to “appropriate security measures” or “industry-standard practices” are no longer sufficient. TOMs must be specific, measurable, and verifiable.
In concrete terms, this means: Instead of “The processor implements appropriate encryption,” it should state “The processor encrypts all data at rest using AES-256 and in transit using TLS 1.3 or higher.”
6. Sub-processors and Their Management
The provisions regarding sub-processors are particularly important, as many SaaS providers themselves rely on cloud infrastructures of other providers.
- Clear regulation of whether and under what conditions sub-processors may be used
- Complete list of all current sub-processors with names, addresses, and processing activities
- Approval procedure for new sub-processors (individual approval or general approval with right of objection)
- Information obligations for changes (with reasonable deadlines)
- Obligation of the processor to contractually agree equivalent data protection standards with sub-processors
- Liability rules for misconduct by sub-processors
Current surveys show that a typical SaaS provider in the B2B sector uses an average of 12-15 sub-processors. 67% of these sub-processors are located outside the EU, which poses additional requirements for data transfer (see next section).
7. Right of Instruction and Control Options
- Formal requirements for instructions (form, responsibilities, documentation)
- Audit and inspection rights of the controller
- Support obligations during official audits
- Certifications and evidence as alternatives to own controls
- Documentation and proof obligations of the processor
8. Liability and Compensation
- Clear liability rules for violations of the DPA or GDPR
- Regulations for indemnification against third-party claims
- Liability caps (if agreed)
- Insurance obligations of the processor
According to an analysis by Baker McKenzie (2024), 78% of SaaS providers try to severely limit or completely exclude their liability – which is legally problematic since Art. 82 GDPR provides for strict liability regardless of fault.
The presented DPA checklist provides you with a solid basis for checking the completeness and legal compliance of your data processing agreements. In the next section, we will address the particularly critical topic of international data transfers.
Correctly Regulating International Data Transfers in a DPA
One of the biggest challenges with SaaS contracts is handling international data transfers – especially when data is transferred to the US or other third countries outside the EU. Since the Schrems II ruling by the ECJ and subsequent developments, the legal situation has become significantly more complex.
Current Legal Situation After Schrems II and Data Privacy Framework
The legal situation for international data transfers has partially stabilized in 2024/2025 due to new developments, but remains complex:
- EU-US Data Privacy Framework (DPF): In force since July 2023 and legitimized by the EU Commission’s adequacy decision. Replaces the invalidated Privacy Shield and provides a legal basis for data transfers to the US – but only for participating companies.
- Standard Contractual Clauses (SCCs): The new SCCs from 2021 have been mandatory for all international data transfers since September 2022. They contain enhanced guarantees and obligations.
- Transfer Impact Assessment (TIA): Even with SCCs or DPF, a documented risk assessment is required for each data transfer.
According to the International Association of Privacy Professionals (IAPP), by May 2025, approximately 4,300 US companies have been certified for the DPF – including many leading SaaS providers such as Salesforce, Microsoft, and Google.
Which SaaS Tools Are Particularly Critical?
You should be particularly careful when checking the following categories of SaaS tools:
| Category | Risk Factors | Examples |
|---|---|---|
| US-based cloud services without DPF certification | High legal uncertainty, TIA required | Smaller SaaS providers, niche products |
| Tools with access to large amounts of personal data | High damage potential in case of data breaches | CRM systems, marketing automation, ERP |
| Tools with access to sensitive data under Art. 9 GDPR | Special protection needs, increased requirements | HR software, health apps, biometric systems |
| Tools with complex sub-processor chains | Data flows difficult to oversee | Marketing platforms with many integrations |
A current analysis by the BVDW (2025) shows that 72% of German B2B companies use at least one critical SaaS tool without adequate safeguards for international data transfers – a significant compliance risk.
Necessary Additional Agreements for US Tools
Depending on the constellation, the following additional agreements in your DPA are required:
- For DPF-certified providers:
  - Explicit reference to the DPF certification including certification number
  - Obligation to maintain certification
  - Duty to inform if certification is lost
  - Despite DPF: Documented Transfer Impact Assessment
- For providers not certified under DPF:
  - Implementation of the current EU Standard Contractual Clauses (SCCs) from June 2021
  - Completion of all annexes to the SCCs with specific information
  - Additional technical safeguards (encryption, pseudonymization)
  - Comprehensive Transfer Impact Assessment
Important: The SCCs are not a “blank check” for data transfers. They must be supplemented by additional measures if there is a risk that foreign authorities could access the data.
Practical Implementation of the Transfer Impact Assessment (TIA)
A Transfer Impact Assessment (TIA) is required for every international data transfer – even if the recipient is DPF-certified or has signed SCCs. A TIA includes:
- Analysis of the data transfer: Which data is being transferred where?
- Assessment of the legal system of the recipient country: Are there problematic surveillance laws?
- Evaluation of additional safeguards: Which technical and organizational measures can minimize risks?
- Conclusion: Is the transfer possible in compliance with GDPR, considering all factors?
A practical example of a simple TIA framework:
| Assessment Criterion | Risk Assessment | Additional Safeguards |
|---|---|---|
| Legal powers of authorities in the recipient country | High/Medium/Low | e.g., End-to-end encryption, keeping keys in the EU |
| Transparency of surveillance practices | High/Medium/Low | e.g., Contractual transparency reports |
| Effective legal remedies for EU citizens | High/Medium/Low | e.g., Contractually guaranteed legal remedies |
| Sensitivity of the transferred data | High/Medium/Low | e.g., Pseudonymization, minimization |
Alternatives for Legally Problematic Tools
What to do if an important SaaS tool is problematic from a data protection perspective? Here are practical alternatives:
- Check European alternatives: For many US-based SaaS tools, there are now competitive European alternatives such as Nextcloud instead of Dropbox or Tutanota instead of Gmail.
- Local hosting options: Some providers offer “EU-only” hosting options where data is processed exclusively in the EU.
- Proxy solutions: Specialized services like Soveren or Proxy-Solutions offer proxy-based solutions that anonymize personal data before it is transmitted to the SaaS provider.
- Special enterprise contracts: Larger companies can often negotiate special agreements that provide additional data protection guarantees.
According to a recent study by the Eco Association, 36% of German B2B companies have replaced at least one US-based SaaS service with a European alternative in the last two years – primarily for data protection reasons.
International data transfers remain a complex topic even in 2025. In the next section, we will show you how to systematically and efficiently implement DPAs for your SaaS tools.
How to Implement a DPA in Practice: Step-by-Step Guide
Theory is one thing – practical implementation is another. Here you will learn how to systematically implement legally sound DPAs for all your SaaS tools.
Inventory: Which SaaS Tools Do You Use?
The first step is a complete inventory of all SaaS services used. This is often more complex than expected: According to a Productiv study (2024), companies underestimate the number of their SaaS applications by an average of 40-60%.
A thorough inventory includes:
- Examine IT systems: Analyze your invoices, SSO systems, and payment receipts.
- Department survey: SaaS tools are often procured decentrally (“shadow IT”).
- Network analysis: Tools like Netskope or Bitwarden can identify unknown SaaS services.
- Documentation: For each tool, record name, provider, purpose, processed data, and contract details.
A practical template for your SaaS inventory:
| Tool | Provider | Main Purpose | Processed Data | Hosting Location | DPA Available? | DPA GDPR-Compliant? | Priority |
|---|---|---|---|---|---|---|---|
| HubSpot | HubSpot Inc. (USA) | CRM & Marketing | Customer data, leads | USA, EU | Yes | Review needed | High |
| Slack | Salesforce (USA) | Communication | Employee data, messages | USA | Yes | Outdated | Medium |
Prioritization by Data Protection Risk
Not all SaaS tools pose the same data protection risk. Prioritize according to these criteria:
- High risk: Tools that process large amounts of personal data (CRM, HR), contain sensitive data, or are hosted outside the EU
- Medium risk: Tools with limited data processing or good existing safeguards
- Low risk: Tools that process minimal personal data or are hosted exclusively in the EU
Based on our experience with medium-sized B2B companies, we recommend the following rule of thumb: Start with the 20% of your tools that represent 80% of the data protection risk.
Negotiation Strategies with Different Provider Types
The negotiating position varies depending on the size and type of the SaaS provider:
Enterprise Providers (Salesforce, Microsoft, Google)
- Usually offer standard contracts with limited negotiability
- Thoroughly check their DPAs for completeness and compliance
- Use your market power as a customer for individual clauses
- Look for DPF certification or EU hosting options
Medium-sized SaaS Providers
- Higher willingness to negotiate than enterprise providers
- Ask for individual customization of the DPA
- Insist on concrete TOMs and verifiable guarantees
- Negotiate better conditions for sub-processors
Small/Niche Providers
- Review the DPA template particularly critically (often incomplete)
- Insist on using your own DPA template
- Offer support with GDPR compliance
- Set clear conditions for continued collaboration
According to a BVDW survey (2024), 62% of the companies surveyed were able to successfully implement their own DPA with smaller SaaS providers, while this was only possible in 14% of cases with enterprise providers.
Documentation and Continuous Management
DPAs are not a “fire and forget” matter, but require continuous management:
- Central documentation: Maintain a central registry of all DPAs with contract data, terms, and contacts.
- Regular review: Check DPAs at least annually for currency and compliance.
- Change management: Establish a process for reviewing changes to DPAs and sub-processors.
- Audit plan: Create a risk-based plan for audits of important SaaS providers.
- Incident management: Define clear processes for handling data protection incidents.
- Integration into procurement: Integrate DPA review into your procurement process.
“Good DPA management is like insurance – you hope you never need it, but if you do, you’re glad you did everything right.”
– Nikolaus Berthold, Data Protection Officer at a medium-sized industrial company
Practical Examples for Different B2B Scenarios
What might DPA implementation look like in practice? Here are three typical scenarios:
Case Study 1: Medium-sized Mechanical Engineering Company (80 employees)
Metalltechnik GmbH used 14 different SaaS tools, but DPAs existed for only 4 of them. The company:
- Created a complete SaaS inventory
- Prioritized CRM, ERP, and HR software as critical
- Developed its own DPA template with legal help
- Implemented this with 8 smaller providers
- Negotiated improvements with 3 medium providers
- Implemented privacy proxies for 2 critical US tools
- Replaced 1 tool with a GDPR-compliant alternative
Result: Complete DPA compliance within 4 months without disrupting business processes.
Case Study 2: Tech Startup (25 employees)
The startup TechLaunch used over 30 SaaS tools, most without DPAs. With limited resources:
- A “DPA Champion” was appointed in the team
- An agile, risk-based approach was chosen (top 10 tools first)
- A free DPA template from a data protection authority was used
- An external data protection consultant was consulted for critical tools
- A gradual 12-month plan was implemented
Result: Reduction of compliance risk by 85% within 3 months with minimal budget.
In the next section, we look at industry-specific requirements that go beyond the basic requirements.
Industry-Specific DPA Requirements
Depending on your industry, additional or specific requirements for DPAs may exist. Here are the most important industry-specific considerations to keep in mind when concluding DPAs for SaaS tools.
Marketing and Sales: CRM, Email Marketing, Analytics
Marketing and sales tools typically process large amounts of personal data from leads and customers. Special requirements for this industry:
- Cookie and tracking management: Detailed regulations for compliance with the ePrivacy Directive and the TTDSG
- Profiling and automated decisions: Specific rules for scoring, segmentation, and personalization
- Third-party data exchange: Clear boundaries for sharing data with third parties (e.g., with advertising networks)
- Marketing consent management: Regulations for processing consents and opt-outs
- Data enrichment: Clear boundaries for enriching customer data from external sources
According to a recent Forrester Research study (2024), 72% of marketing SaaS tools pose an increased data protection risk due to extensive international data transfers and complex sub-processor chains.
Typical critical tools:
- CRM systems (Salesforce, HubSpot)
- Marketing automation (Marketo, ActiveCampaign)
- Analytics tools (Google Analytics, Hotjar)
- Social media management (Hootsuite, Buffer)
- Email marketing (Mailchimp, SendGrid)
Special DPA clauses for marketing tools:
Look for specific regulations on:
- Data use for product improvement and training of ML models
- Anonymization standards for analytics
- Retention periods for inactive leads and campaign data
- Legal basis for tracking and profiling
Production and Industry: IoT Applications, Machine Data
In the manufacturing industry, SaaS solutions are increasingly used for production planning, quality assurance, and remote maintenance. Special requirements:
- Machine data vs. personal data: Clear definition of when machine data becomes personally identifiable
- IoT security: Specific TOMs for securing IoT devices and data
- Remote access and maintenance: Special regulations for remote access to machines and equipment
- Industrial espionage protection: Additional confidentiality measures for sensitive production data
- Real-time data processing: Special requirements for low-latency applications
According to a VDMA survey (2024), industrial companies focus not only on data protection but particularly on issues of know-how protection and product safety.
Typical critical tools:
- Manufacturing Execution Systems (MES)
- Predictive maintenance platforms
- Supply chain management software
- IoT platforms for manufacturing facilities
- CAD/CAM cloud solutions
Special DPA clauses for industrial tools:
Look for specific regulations on:
- Access restrictions to production parameters and data
- Ownership and usage rights to generated machine data
- Fast response times for security-critical incidents
- Clear distinction between remote maintenance and data analysis
IT Services: Cloud Services, Managed Services
IT service providers face a dual challenge: They must both use their own SaaS tools in a GDPR-compliant manner and act as processors for their customers. Special requirements:
- Multi-level processing chains: Complex constellations with sub-processors and sub-sub-processors
- Access to customer systems: Detailed regulations for support and administration access
- Shared responsibility models: Clear delineation of responsibilities between cloud provider and user
- DevOps and CI/CD: Data protection requirements in agile development environments
- Multi-tenancy: Strict tenant separation in shared environments
According to a Capgemini survey (2025), 87% of IT service providers see the increasing complexity of data protection requirements as a significant challenge to their business model.
Typical critical tools:
- Remote monitoring and management (RMM)
- Ticketing and support systems
- Cloud management platforms
- DevOps tools and code repositories
- Backup and disaster recovery solutions
Special DPA clauses for IT service tools:
Look for specific regulations on:
- Implementation of emergency measures and their documentation
- Handling of development and test data
- Certification requirements (ISO 27001, SOC 2)
- Authorization concepts for administrator access
- Logging and audit trails for all access
Adapting Basic Requirements to Your Industry
To adapt the general DPA requirements to your specific industry, we recommend the following approach:
- Identify industry-specific risks: What special data protection risks exist in your industry?
- Consult industry associations: Many industry associations offer specific guidelines and sample clauses.
- Check special compliance requirements: Are there additional standards in your industry like GxP, PCI-DSS, or ISO standards?
- Develop industry DPA: Extend standard DPAs with industry-specific clauses.
- Seek peer exchange: Exchange experiences with other companies in your industry.
In the next section, we highlight typical pitfalls in DPAs and show how to recognize and avoid them.
Recognizing and Avoiding Common Pitfalls in DPAs
Even if a DPA appears complete at first glance, it may contain tricky pitfalls. Here are the most common problems and how to avoid them.
The 5 Most Common Gaps in Standard DPAs
Based on an analysis of over 200 standard DPAs by the Taylor Wessing law firm (2024), these are the most common critical gaps:
1. Inadequate sub-processor regulations (78%)
   - Problem: Vague or too extensive approvals for sub-processors.
   - Risk: Uncontrolled disclosure of data to third parties.
   - Solution: Insist on a complete list of all sub-processors and clear approval processes.
2. Deficient technical and organizational measures (67%)
   - Problem: Generic, unspecific descriptions of TOMs.
   - Risk: Security promises that cannot be verified.
   - Solution: Demand concrete, measurable security measures with regular verification.
3. Insufficient regulations for international data transfers (61%)
   - Problem: Missing or outdated safeguards for third-country transfers.
   - Risk: Illegal data transfers.
   - Solution: Carefully check the data flow and insist on current SCCs or DPF certification plus TIA.
4. Problematic liability limitations (54%)
   - Problem: Extensive liability limitations or exclusions.
   - Risk: Lack of recourse options in case of violations.
   - Solution: Ensure balanced liability provisions compatible with Art. 82 GDPR.
5. Unclear support obligations (49%)
   - Problem: Vague formulations regarding support obligations for data subject rights or data breaches.
   - Risk: Insufficient support in critical situations.
   - Solution: Define clear response times and specific support services.
Identifying Inadequate Guarantees
Particularly tricky are seemingly complete DPAs that upon closer examination offer no real guarantees. Watch out for these warning signs:
- Vague formulations: “Appropriate measures,” “industry standards,” “commercially reasonable efforts”
- Unilateral reservation of changes: The provider can unilaterally change TOMs or sub-processors
- Paid support: Basic GDPR support is offered only for additional fees
- Hidden data use: Side agreements for the provider’s own use of data
- Contradictory documents: DPA contradicts other contractual documents
A practical example: A CRM provider guarantees “industry-standard encryption” in its DPA. This vague formulation offers no verifiable guarantee – instead, insist on specific encryption standards (e.g., “AES-256 for data at rest and TLS 1.3 for data transmission”).
Dealing with Non-negotiable Contracts
With large SaaS providers, you often encounter standard DPAs declared as “non-negotiable.” In such cases, you have the following options:
- Documented risk assessment: Conduct a formal risk assessment and document the decision to use despite suboptimal conditions.
- Supplementary measures: Implement additional protective measures on your side (e.g., encryption before transmission).
- Supplementary agreement: Try to negotiate a supplementary document that clarifies critical points.
- Enterprise contracts: From a certain revenue volume, more individual conditions are often possible.
- Alternative tool: Check if a comparable tool with better data protection conditions is available.
According to a DataGuidance survey (2024), 56% of the companies surveyed were able to achieve adjustments to supposedly non-negotiable DPAs through persistent inquiry.
Warning Signs for Problematic DPAs
The following warning signals should set off your alarm bells:
- The provider categorically refuses to conclude a DPA
- The DPA is extremely short (less than 2-3 pages)
- Central components such as TOMs or sub-processor lists are missing
- Contradictions between DPA and main contract or privacy policy
- Outdated legal references (e.g., reference to Privacy Shield)
- Excessively one-sided liability limitations or indemnification clauses
- The provider actively discourages review by data protection experts
- Indications of extensive data use for the provider’s own purposes
Case Studies with Solution Approaches
From our practice with B2B customers, we have identified the following typical problem cases and solution approaches:
Case 1: The Marketing Automation Tool with Opaque Sub-processors
Problem: A medium-sized company used a marketing automation tool whose DPA contained only blanket approvals for “required sub-processors” without a specific list.
Solution: The company requested a complete list of all sub-processors and, after initial refusal, received a list with 27 different service providers. For particularly critical sub-processors, additional guarantees were agreed upon and a monthly update mechanism was established.
Case 2: The Cloud Storage Service with Inadequate TOMs
Problem: An engineering firm used a cloud storage service whose DPA only vaguely guaranteed “appropriate technical measures.”
Solution: The company made contract renewal dependent on concrete TOMs. After negotiations, the provider presented its current ISO-27001 certification reports and supplemented the DPA with specific encryption and access protection measures.
Case 3: The CRM System with Problematic Data Transfers
Problem: A medical technology company used a US-based CRM system whose DPA did not contain adequate guarantees for international data transfers.
Solution: Since the provider was not DPF-certified and did not offer an EU hosting option, the company implemented a proxy solution that pseudonymized all personal data before transmission. The mapping keys remained exclusively in the company’s EU data center.
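The pseudonymization proxy from Case 3 (and the "encryption before transmission" supplementary measure mentioned above), as an added example that is not part of the original article: the field names, the keyed-token scheme and the in-memory mapping table standing in for the EU-hosted key store are all assumptions.

```python
"""Pseudonymization proxy: strip direct identifiers before records leave the EU.
Added example, not the article's code. Assumptions: records are flat dicts,
the personal data lives in the fields named in DIRECT_IDENTIFIERS, and the
mapping table (here a dict) is stored only in the controller's EU data centre."""
import hashlib
import hmac

DIRECT_IDENTIFIERS = ("name", "email", "phone")  # assumed field names


class PseudonymizationProxy:
    """Sits between the company and a non-EU SaaS (e.g. a CRM): outbound records
    get keyed tokens instead of identifiers, inbound records are re-identified
    from the local table. The provider never sees the key or the table."""

    def __init__(self, key: bytes):
        self._key = key      # kept in the EU, never transmitted
        self._mapping = {}   # token -> original value, EU-only storage

    def _token(self, field: str, value: str) -> str:
        # Keyed hash: the same value always yields the same token (CRM dedup still
        # works); without the key a token can neither be reversed nor recomputed.
        mac = hmac.new(self._key, f"{field}:{value}".encode("utf-8"),
                       hashlib.sha256).hexdigest()
        return f"psn_{field}_{mac[:24]}"

    def outbound(self, record: dict) -> dict:
        """Record as it may be sent to the provider."""
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            value = out.get(field)
            if value:
                token = self._token(field, str(value))
                self._mapping[token] = value
                out[field] = token
        return out

    def inbound(self, record: dict) -> dict:
        """Record coming back from the provider, re-identified locally."""
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            token = out.get(field)
            if isinstance(token, str) and token in self._mapping:
                out[field] = self._mapping[token]
        return out


def leaks_identifiers(outbound: dict, original: dict) -> bool:
    """Release check: does an original identifier still appear anywhere in the
    outbound record, e.g. pasted into a free-text note field?"""
    serialized = " ".join(str(v) for v in outbound.values())
    return any(str(original[f]) in serialized
               for f in DIRECT_IDENTIFIERS if original.get(f))
```

Note that this only removes direct identifiers; quasi-identifiers in other fields (job title, company, free text) still need their own assessment before the data counts as adequately pseudonymized.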
In the next section, we look to the future: What developments will shape DPAs in the coming years?
Future-Proof: Developments in the DPA Field for 2025 and Beyond
Data protection and thus the requirements for DPAs continue to evolve. We take a look at the most important trends and developments that you should consider for future-proof contracts.
Upcoming Regulatory Changes
The following legal developments are emerging for 2025/2026:
- ePrivacy Regulation: The long-awaited regulation is expected to come into force at the end of 2025 and will tighten requirements for electronic communication and tracking. DPAs will need to be adjusted accordingly.
- Digital Services Act (DSA) and Digital Markets Act (DMA): These two EU regulations will impose additional requirements on online platforms and gatekeepers, which must also be reflected in DPAs.
- NIS2 Directive: The enhanced cybersecurity requirements for critical infrastructure will be fully implemented by October 2025 and require stronger security guarantees in DPAs.
- AI Regulation: The new EU regulation for Artificial Intelligence has been in force since 2024 and will be gradually applicable. It requires additional guarantees for AI-powered SaaS tools.
- EU-US Data Privacy Framework 2.0: After the failure of Safe Harbor and Privacy Shield, the DPF is also controversial. Companies should be prepared for possible legal changes.
Particularly relevant for many B2B companies is the gradual tightening of sanctions: The average amount of GDPR fines has increased by 187% since 2022, and according to data protection experts, the trend toward stronger enforcement will continue.
Technological Trends and Their Impact on DPAs
The following technological developments will influence DPAs in the coming years:
- Artificial Intelligence and Machine Learning: SaaS tools increasingly use AI, raising new data protection questions. DPAs must contain guarantees for training, fairness, and transparency of AI systems.
- Zero Trust Security: This security approach is becoming the standard and should be reflected in the TOMs of DPAs.
- Edge Computing: Processing at the network edge changes data flows and can offer data protection benefits, but must be reflected in DPAs.
- Quantum-Safe Encryption: Future DPAs will need to include guarantees for quantum-safe encryption.
- Verifiable Credentials: New authentication technologies allow for more data-economical identity verification.
According to a Gartner forecast, by 2027, over 75% of all SaaS applications will contain AI functions – with significant implications for data protection and DPAs.
How to Prepare Your Company
To be prepared for future developments, we recommend the following proactive measures:
- Modular DPA structure: Develop a flexible DPA template that can be easily adapted to new requirements.
- Dynamic clauses: Integrate “evolution clauses” that allow automatic adjustments when laws change.
- Regular review cycles: Establish fixed times (e.g., semi-annually) for reviewing and updating your DPAs.
- Employee training: Sensitize purchasers and departments to the importance of current DPAs.
- Governance process: Integrate DPA checks into your procurement and compliance processes.
- Tech stack consolidation: Reduce the number of SaaS tools to minimize administrative effort.
- Privacy by Design: Consider data protection requirements when selecting new tools.
“The best strategy for future-proof DPAs is a proactive approach: Establish robust processes that integrate data protection into your procurement decisions from the start.”
– Dr. Maja Schmid, Data Protection Officer, Federal Association of Digital Economy
Expert Assessments on the Future of DPAs
We asked leading data protection experts for their predictions on the development of DPAs:
- Standardization and automation: “In the next two years, we will see stronger standardization of DPAs, with automated compliance checks and dynamic adjustments.” – Prof. Dr. Thomas Hoeren, DSRI
- Differentiated risk assessment: “We are moving toward risk-based DPAs that are designed differently depending on the sensitivity of the data and processing context.” – Ulrich Kelber, Federal Commissioner for Data Protection
- Global convergence: “The increasing alignment of international data protection laws will simplify the design of DPAs, as standardized clauses can be used for multiple jurisdictions.” – Dr. Carlo Piltz, Data Protection Attorney
- AI-specific regulations: “DPAs will contain specific sections for AI-based processing, with guarantees for fairness, transparency, and human review.” – Dr. Gabriela Krader, LL.M., Data Protection Expert
The experts agree: DPAs will become more complex, but at the same time more standardized and automated. Companies that establish robust processes now will be well-equipped for these developments.
In summary, a DPA is not a static document but must continuously evolve. Through regular reviews, flexible structures, and proactive adaptations to new legal and technological requirements, you ensure that your DPAs continue to provide a solid legal framework for your SaaS usage in the future.
Frequently Asked Questions
Do we need an individual DPA for each SaaS tool?
Yes, in principle, you need a separate DPA for each SaaS tool that processes personal data on your behalf. This is because each tool may have different data processing purposes, technical measures, and sub-processors. An exception is product suites from the same provider (e.g., Microsoft 365), for which a common DPA with product-specific annexes can often be concluded. Purely technical services without personal data do not require a DPA.
What happens if a SaaS provider refuses to conclude a DPA?
If a SaaS provider categorically refuses to conclude a DPA, although personal data is being processed, you may not use the service from a legal perspective. The GDPR is clear here: Without a DPA, the processing is illegal (Art. 28 GDPR). Your options are: 1) Escalation to higher management levels at the provider, 2) Evaluation of alternatives that offer a DPA, or 3) Implementation of a technical solution that completely anonymizes personal data before transmission (not just pseudonymizes). The latter is technically challenging and not practical for all use cases.
How can we efficiently manage the DPA process with a large number of SaaS tools?
For efficient management of many DPAs, we recommend a structured process: 1) Prioritize by risk (data volume, sensitivity), 2) Use a standardized DPA template for smaller providers, 3) Develop a checklist for reviewing provider DPAs, 4) Implement a central document management solution for all DPAs, 5) Automate reminders for reviews and renewals, 6) Create a calendar for staggered processing throughout the year, and 7) Consider external support from data protection experts for particularly complex cases. Tools like DPOrganizer, OneTrust, or Securiti can further simplify the process and partially automate it.
What are the minimum requirements for technical and organizational measures (TOMs) in a DPA?
The minimum requirements for TOMs in a DPA must concretely implement the measures mentioned in Art. 32 GDPR. These include at least: 1) Detailed physical and logical access controls, 2) Encryption standards for data at rest and in transit (minimum AES-256 and TLS 1.2+), 3) Concrete pseudonymization and anonymization procedures, 4) Recovery processes with defined recovery times, 5) Regular testing and evaluation procedures with a schedule, 6) Processes for security incidents with defined response times, and 7) Authorization concepts and permission management. Generic formulations like “appropriate measures” are not sufficient – the TOMs must be specific, measurable, and tailored to your specific processing scenario.
How do we handle changes to sub-processors by the SaaS provider?
The handling of changes to sub-processors should be clearly regulated in the DPA. Best practices for this are: 1) Agree on an advance information obligation with a reasonable deadline (at least 30 days before using new sub-processors), 2) Secure a right of objection with special termination rights if a new sub-processor is not acceptable, 3) Require complete information about new sub-processors (location, tasks, certifications), 4) Request regular (e.g., quarterly) updated lists of all sub-processors, 5) Implement an internal review process for new sub-processors based on risk criteria, and 6) Document your decisions to accept new sub-processors. For critical tools, you should also set up a monitoring system for changes, e.g., through automatic checking of the sub-processor lists on the providers’ websites.
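The monitoring system suggested in the last sentence, as an added example that is not part of the original article: it assumes the provider publishes its sub-processor list as JSON with the fields name, location, task, certifications and effective_from, keeps the approved list from the last review as a local baseline, and checks new entries against the 30-day notice period and the completeness requirements from the answer above (both lists are constructed sample data).

```python
"""Sub-processor change monitor (added example, not the article's code).
Assumptions: the provider publishes its list as JSON with the fields name,
location, task, certifications and effective_from (ISO date); the approved
baseline is kept locally from the last review. Both lists are constructed."""
import json
from datetime import date

REQUIRED_FIELDS = ("name", "location", "task", "certifications")
MIN_NOTICE_DAYS = 30  # advance-information deadline agreed in the DPA

APPROVED_BASELINE = [  # constructed: approved at the last review
    {"name": "Hoster A", "location": "Frankfurt, DE", "task": "hosting",
     "certifications": ["ISO 27001"]},
    {"name": "Mailer B", "location": "Dublin, IE", "task": "transactional e-mail",
     "certifications": ["ISO 27001", "SOC 2"]},
]
PROVIDER_PAGE_JSON = """[
  {"name": "Hoster A", "location": "Frankfurt, DE", "task": "hosting",
   "certifications": ["ISO 27001"]},
  {"name": "Mailer B", "location": "Ashburn, US", "task": "transactional e-mail",
   "certifications": ["ISO 27001", "SOC 2"]},
  {"name": "Analytics C", "location": "Amsterdam, NL", "task": "usage analytics",
   "certifications": ["ISO 27001"], "effective_from": "2025-07-20"},
  {"name": "Support D", "location": "Manila, PH", "task": "ticket handling",
   "certifications": [], "effective_from": "2025-06-10"}
]"""  # constructed: what the provider's page shows today


def check_subprocessors(baseline, page_json, today_iso):
    """Diff the published list against the baseline; flag entries for review."""
    today = date.fromisoformat(today_iso)
    base = {e["name"]: e for e in baseline}
    seen, findings = set(), []
    for entry in json.loads(page_json):
        name = entry["name"]
        seen.add(name)
        if name not in base:
            # New sub-processor: must be complete and announced >= 30 days ahead.
            missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
            eff = entry.get("effective_from")
            notice = (date.fromisoformat(eff) - today).days if eff else None
            findings.append({"name": name, "kind": "added", "missing_fields": missing,
                             "notice_days": notice, "needs_objection_review":
                             bool(missing) or notice is None or notice < MIN_NOTICE_DAYS})
        else:
            # A known sub-processor whose location or task changed (e.g. a move
            # outside the EU) counts as a change under the DPA as well.
            changed = [f for f in ("location", "task")
                       if entry.get(f) != base[name].get(f)]
            if changed:
                findings.append({"name": name, "kind": "changed", "fields": changed,
                                 "needs_objection_review": True})
    for name in base.keys() - seen:
        findings.append({"name": name, "kind": "removed",
                         "needs_objection_review": False})
    return sorted(findings, key=lambda f: f["name"])
```

Run it from a scheduled job against the fetched page and route every finding with needs_objection_review set into the internal review process; the baseline is only updated once a finding has been accepted and documented.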
What special considerations apply to DPAs with AI-powered SaaS tools?
AI-powered SaaS tools require enhanced DPA provisions to address the specific risks and legal requirements (particularly the EU AI Regulation). Special aspects include: 1) Clear distinction between training and productive use of AI, 2) Transparency about training data used and AI models, 3) Specific regulations on using customer data for model training or improvement, 4) Guarantees to prevent bias and discrimination, 5) Explainability of AI decisions, 6) Definition of responsibilities for AI-generated errors, 7) Regulations for human review of automated decisions, and 8) Specific security measures for AI components. Particularly important is a clear regulation of whether and under what conditions your data may be used for training AI models – ideally with an opt-out right.
What audit rights should we secure in the DPA?
Effective audit rights are a central component of a robust DPA. You should establish the following rights: 1) The right to regular (at least annual) and incident-based audits, 2) Flexible audit formats (on-site, remote, questionnaire, document inspection), 3) The ability to use external auditors (with appropriate confidentiality agreements), 4) Access to relevant employees, documents, and systems of the processor, 5) Clear regulations on cost distribution (ideally each party bears its own costs), 6) The acceptance of certifications and audit reports as alternative evidence (e.g., ISO 27001, SOC 2), and 7) Specific deadlines for implementing identified improvement measures. Make sure that audit rights are not rendered practically ineffective through excessive restrictions (e.g., very short time windows or high costs).
What legal consequences can a missing or inadequate DPA have?
The legal consequences of a missing or inadequate DPA are far-reaching: 1) Fines of up to 20 million euros or 4% of worldwide annual turnover under Art. 83 GDPR, 2) Prohibition orders from supervisory authorities that can lead to immediate cessation of data processing, 3) Civil liability to affected individuals under Art. 82 GDPR, 4) Reputational damage through public disclosure of violations, 5) Contractual penalties or damage claims from business partners for breach of contractual data protection commitments, 6) Invalidity of other contractual agreements due to illegality, and 7) Personal liability of managing directors and board members for intentional or grossly negligent breaches of duty. Since 2023, data protection authorities have intensified their auditing activities in the area of data processing, with a particular focus on cloud and SaaS services.
How can we check whether our existing DPAs still meet current requirements?
For reviewing your existing DPAs, we recommend a structured review process: 1) Create a current checklist based on the latest legal requirements (GDPR, national laws, guidelines from data protection authorities), 2) Check the age of the DPA – contracts older than 2 years should generally be reviewed, 3) Compare the TOMs with the current state of the art, 4) Check the regulations on international data transfers for currency (especially for US providers), 5) Verify the list of sub-processors for completeness and currency, 6) Check whether there have been significant changes in the scope of services of the SaaS tool that are not yet reflected in the DPA, and 7) Seek legal advice or use specialized compliance tools like DataGuard, OneTrust, or GDPRhub if you are uncertain. A systematic review should be conducted at least annually and when there are significant legal changes or court rulings.
What DPA specifics apply to SMEs in the B2B sector?
For SMEs in the B2B sector, some practical specifics apply when dealing with DPAs: 1) SMEs are also fully subject to GDPR – there are no fundamental facilitations for DPA requirements, 2) However, the risk-based approach of GDPR allows for proportional implementation – measures must be appropriate to the risk, 3) SMEs can often use template DPAs from industry associations or data protection authorities, 4) With limited internal resources, prioritization by risk is particularly important, 5) Cooperations with other SMEs can help to exchange experiences and best practices, 6) External service providers such as specialized data protection lawyers or consultants can be consulted for complex cases, and 7) A pragmatic but thorough approach that ensures compliance without tying up disproportionate resources is particularly important. Our tip: Use the often greater flexibility of smaller SaaS providers to negotiate better DPA conditions.