
What Is Data Processing Agreement?

Data Processing Agreement is a term used in the recruitment and staffing industry.

Compliance & Data | Updated March 2026

TL;DR

A Data Processing Agreement (DPA) is a legally binding contract between a data controller (the organization that decides why personal data is processed) and a data processor (the vendor or service provider that processes data on the controller's behalf). Under GDPR Article 28, a DPA is mandatory before any processor handles personal data - operating without one is a GDPR violation independent of any breach.

What a DPA Means in Practice

The DPA is not optional paperwork - it is a legal prerequisite. GDPR Article 28(3) specifies exactly what a DPA must contain: the subject matter, duration, nature and purpose of processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. A DPA that omits any of these elements does not satisfy the Article 28 requirement, even if it is signed by both parties.

The controller-processor relationship in recruitment is layered. A company hiring through a staffing agency is the controller. The staffing agency may be a processor (if acting purely on the company's instructions) or a joint controller (if the agency makes independent decisions about candidate data). The agency's ATS vendor is typically a sub-processor. Each link in this chain requires a DPA. The agency must ensure its ATS vendor's DPA flows down the same obligations the agency accepted from its client.

Sub-processing is the area where most compliance failures occur. GDPR Article 28(2) requires processors to obtain controller authorization before engaging sub-processors. Some DPAs grant general authorization (the processor can use any sub-processor as long as they notify the controller), others require specific authorization per sub-processor. Enterprise clients increasingly demand specific authorization and a maintained list of approved sub-processors. Any change to the sub-processor list requires notice, and the controller has the right to object.

DPAs must also address international data transfers. If a processor uses cloud infrastructure or sub-processors outside the EEA, the DPA needs to incorporate the appropriate transfer mechanism - EU Standard Contractual Clauses (SCCs), an adequacy decision, or Binding Corporate Rules. Since the Schrems II decision in 2020, transfer impact assessments (TIAs) are also required for transfers to countries without adequacy decisions, including the US in many interpretations.

Why DPAs Matter for Recruitment Teams

Regulators fine for missing DPAs, not just for breaches. The Danish DPA (Datatilsynet) fined ID Finance Denmark in 2021 for processing personal data without valid DPAs with its data processors. The Swedish DPA has issued fines to health sector organizations for the same issue. The fines for missing DPAs are typically smaller than breach-related fines, but they are easily avoidable and represent pure compliance risk - there is no legitimate business reason to operate without a DPA.

For staffing agencies, the client relationship adds contractual risk on top of regulatory risk. Enterprise clients include DPA requirements in their MSAs (Master Service Agreements). If the agency is using an ATS or payroll system that processes client candidate data without a signed DPA with that vendor, the agency is in breach of both GDPR and its client contract simultaneously. Client audits - which are increasing in frequency - will surface this gap.

ATS and HR software vendors operating in the EU market must have template DPAs ready for customer signature. Vendors that do not offer DPAs cannot be used by GDPR-compliant customers. This is a commercial requirement, not just a legal one.

DPAs in Action

A UK-based recruitment agency is [onboarding](/glossary/onboarding) an FTSE 250 client who requires a signed DPA before sharing candidate data. The agency uses an ATS, a video interviewing platform, and a background check provider - all of which touch candidate personal data. The agency reviews each vendor's DPA, confirms the sub-processor lists are maintained and up to date, checks that international transfer mechanisms are in place for the US-based background check provider's processing, and signs the client DPA representing that all downstream processing is covered. The process takes two weeks and surfaces one vendor (the video platform) that does not yet have SCCs in place - that vendor is replaced before the client relationship begins.

Compliance Checklist

| Requirement | GDPR Article | Status Check |
| --- | --- | --- |
| DPA signed with every processor | Art. 28(3) | Audit all vendor relationships |
| DPA includes all mandatory clauses | Art. 28(3)(a-h) | Legal review against checklist |
| Sub-processor authorization obtained | Art. 28(2) | General or specific per DPA |
| Sub-processor list maintained | Art. 28(2) | Updated when processors change |
| International transfer mechanism | Art. 46, Ch. V | SCCs or adequacy decision in place |
| Transfer Impact Assessment | Post-Schrems II | Required for US transfers |
| Controller audit rights included | Art. 28(3)(h) | Verify clause exists in DPA |
| Data deletion on termination | Art. 28(3)(g) | Confirm deletion timelines |