ExpertQA
Expert answers · Austin, Texas
Legal · May 31, 2026

What are the key components of a Data Processing Agreement (DPA) that SaaS companies must include to comply with GDPR in 2025-2026?


The short answer

A SaaS company that processes personal data on a customer's behalf is a processor, and GDPR Article 28(3) requires a written contract (the DPA) with each controller that sets out: the subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects; that the processor acts only on the controller's documented instructions; confidentiality commitments for the people who process the data; the security measures required by Article 32; the rules for engaging and changing subprocessors; assistance with data subject rights requests and with the controller's security, breach notification and impact assessment duties; deletion or return of the data when the service ends; and the controller's right to information and audits. The one-month response deadline for data subject requests (Article 12(3)) sits on the controller, so the DPA should commit the processor to assistance turnaround that fits inside that window. None of this changed for 2025-2026: GDPR has applied since 25 May 2018, and there is no new deadline.

Why this question comes up

This question arises because SaaS companies process customer data at scale, and GDPR imposes strict requirements on that processing whether or not the company is the controller. A compliant DPA is the contractual evidence that the processor relationship meets Article 28, and gaps in it expose both the SaaS provider and its customers to fines and reputational damage. Companies also ask whether anything has changed recently; for the Article 28 clauses themselves, the answer is no, but regulators and customers now scrutinise DPAs more closely, particularly the subprocessor and international transfer terms.

What the data shows

GDPR Article 28(3) requires that processing by a processor be governed by a contract or other legal act that binds the processor to the controller. The contract must describe the subject matter and duration of the processing, its nature and purpose, the types of personal data and the categories of data subjects, so that what the SaaS provider may do with the data is transparent and auditable. It must bind the processor to process only on the controller's documented instructions (including instructions on transfers outside the EU/EEA), to ensure that the people processing the data are bound by confidentiality, and to implement the technical and organisational security measures required by Article 32.

Subprocessors are covered by Article 28(2) and 28(4). The SaaS provider may not engage another processor without the controller's prior specific or general written authorisation; under a general authorisation it must inform the controller of any intended addition or replacement so the controller can object. In practice this means the DPA references a current subprocessor list and a notice mechanism (for example an email notice with a fixed objection period). The provider must impose the same data protection obligations on each subprocessor by contract and remains fully liable to the controller for the subprocessor's performance. On data subject rights, Article 28(3)(e) requires the processor to assist the controller, by appropriate technical and organisational measures and insofar as possible, in responding to requests for access, rectification, erasure and the other rights in Chapter III. The one-month deadline for answering such a request (Article 12(3), extendable by two further months for complex or numerous requests) applies to the controller, which is why controllers expect the DPA to commit the processor to assistance within a shorter internal timeframe.

The DPA must also state what happens to the data when the service ends: under Article 28(3)(g) the processor must, at the controller's choice, delete or return all personal data after the end of the provision of services and delete existing copies, unless Union or Member State law requires storage. Two further mandatory items are often missing from SaaS templates: assistance with the controller's obligations under Articles 32 to 36 (security, breach notification, data protection impact assessments), which includes the processor's own duty under Article 33(2) to notify the controller of a personal data breach without undue delay; and the controller's right under Article 28(3)(h) to the information needed to demonstrate compliance and to conduct or commission audits. Infringements of the Article 28 obligations fall under Article 83(4), with administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, in addition to the reputational damage of a published enforcement decision.

When this answer changes

The outlined requirements come from GDPR and apply to any SaaS company processing personal data of individuals in the EU/EEA, or established in the EU/EEA regardless of where the data subjects are (Article 3). Other regimes differ: the UK GDPR carries the same Article 28 clauses but is enforced separately, and many other jurisdictions have their own processor-contract requirements that may add or change terms. Two related points are easy to confuse with the DPA itself. First, the European Commission has adopted standard contractual clauses for controller-to-processor contracts under Article 28(7) (Implementing Decision (EU) 2021/915), which parties may use as-is instead of drafting their own. Second, if the SaaS provider or its subprocessors process the data outside the EU/EEA, a Chapter V transfer mechanism such as the Commission's transfer SCCs (Decision (EU) 2021/914) is needed in addition to the Article 28 terms; the DPA alone does not make an international transfer lawful.

Common mistakes

A common misconception is that a DPA is only necessary if the SaaS company is based within the EU. In reality, any SaaS provider processing personal data of individuals in the EU/EEA falls within GDPR under Article 3(2) when it offers goods or services to them or monitors their behaviour, regardless of where the provider is established. Overlooking this can lead to non-compliance and associated penalties, even if the company operates entirely outside Europe. A second mistake is treating the DPA as a one-off signature: the subprocessor list, the security measures and the instructions on transfers change over time, and a DPA that no longer matches the actual processing is itself a compliance gap.

Practical next step

This week, SaaS companies should review their existing DPAs against the full Article 28(3) list, not just processing scope, security measures, subprocessors and data subject rights but also documented instructions, staff confidentiality, breach notification and other Article 32 to 36 assistance, end-of-service deletion or return, and audit rights. Check that the subprocessor list and notice mechanism reflect the vendors actually in use and that any non-EU/EEA processing is covered by a transfer mechanism. Where gaps are found, update the agreement or adopt the Commission's standard controller-processor clauses; since GDPR has applied since 25 May 2018, there is no future deadline to wait for.

Photograph: Dallas Penner / Unsplash