Term
Data Processing on Behalf (DPA)
Processing on behalf occurs when a service provider processes personal data for a controller, bound by instructions. The Data Processing Agreement (DPA) under Art. 28 GDPR governs the mandatory terms of this arrangement.
Not legal advice
Data Processing on Behalf (DPA) — explained in more detail
Processing on behalf under Art. 28 GDPR exists when a service provider processes personal data on behalf of and under the instructions of a controller, without deciding on the purposes and means of processing itself. Typical examples are cloud hosting, newsletter dispatch services, external payroll — or cloud-based AI APIs.
The controller determines why and how data is processed and bears primary legal responsibility. The processor acts solely on documented instructions and does not independently decide on the purposes. As soon as a provider pursues its own purposes, it is no longer a processor but itself a controller (possibly joint controllership under Art. 26).
A written (also electronic) Data Processing Agreement (DPA) is mandatory as soon as personal data flows to the provider. Art. 28(3) GDPR defines the mandatory contents. Among other things, the DPA must require the processor to:
- process data only on documented instructions from the controller (lit. a)
- ensure confidentiality of the staff involved (lit. b)
- implement technical and organisational security measures per Art. 32 (lit. c)
- comply with the conditions for engaging sub-processors (lit. d)
- assist in fulfilling data subject rights (lit. e)
- assist with security, breach notification and impact assessment duties, Art. 32–36 (lit. f)
- delete or return the data after the end of the contract (lit. g)
- provide evidence of compliance and allow audits/inspections (lit. h)
A processor may engage sub-processors (Art. 28(4)) only with the controller’s prior authorisation and must impose the same data protection obligations on them by contract; it remains liable to the controller.
A missing or deficient DPA can lead to fines of up to EUR 10 million or 2% of worldwide annual turnover (Art. 83(4) GDPR).
Example / practical relevance
When personal data is written into a prompt while using a cloud LLM API — such as customer names, email addresses or contract data to be summarised — the prompt contents count as personal data and the LLM provider becomes a processor. A DPA is then required.
In practice, API providers offer a Data Processing Addendum (DPA) that functions as a processing agreement under Art. 28. Importantly, such agreements are often tied to commercial API/business tiers — pure consumer plans frequently lack a DPA. Since most major LLM providers are US companies, a third-country transfer (Chapter V GDPR) also applies, which must be safeguarded via standard contractual clauses or a Data Privacy Framework certification.
A low-risk alternative is to anonymise or pseudonymise personal data before handing it to the API (placeholder substitution), so that no personal reference reaches the provider.
Distinction from similar terms
Joint controllership (Art. 26 GDPR) exists when two parties jointly decide on purposes and means — unlike a DPA, where the processor is bound by instructions and pursues no purposes of its own.
Standard Contractual Clauses (SCC) govern data transfers to third countries and are a separate instrument; they do not replace the DPA but complement it for US transfers.
Technical and organisational measures (TOMs) are a substantive component of the DPA (Art. 32), but not a separate contract.
Entdecke mehr
Headless without an API bill — how do you reach the best AI models for automation in 2026?
Provider comparison mid-2026: who has a headless mode, whose subscription still covers it — and why BYOK is the most stable foundation.
GlossarEU AI Act (KI-Verordnung)
Regulation (EU) 2024/1689 is the EU's first comprehensive law on artificial intelligence. It regulates AI systems by risk in four tiers, from prohibited practices to minimal risk, and sets obligations for providers and deployers.
LexikonFunction Calling / Tool Use
How an LLM uses tools: define a tool as a schema, the model picks the function and arguments, the result returns to the chat — the basis of every agent.