ComplianceCheckup
2026-03-27 | GDPR | Data Transfers
Zeta Solutions | Compliance Research
Last verified: May 2026
Zeta Solutions is a web and software studio that researches, builds, and maintains ComplianceCheckup.org.

TL;DR

A Data Processing Agreement (DPA) is required under GDPR Article 28 whenever a controller engages a processor, regardless of geography. Standard Contractual Clauses (SCCs) are a transfer mechanism under Article 46, used to legitimise personal data transfers to countries outside the EEA that do not have an adequacy decision. When a processor is outside the EEA in a non-adequate country, you need both: a DPA to govern the relationship and SCCs (or another transfer mechanism) to legitimise the transfer. Most large US vendors bundle both in a single document.

What Is the Difference Between a DPA and Standard Contractual Clauses?

A Data Processing Agreement (DPA) and Standard Contractual Clauses (SCCs) are both GDPR compliance documents involving vendor contracts, which is why they are frequently confused. They serve entirely different legal purposes. A DPA governs the relationship between a controller and a processor. SCCs are a mechanism for transferring personal data outside the European Economic Area. When you engage a US cloud provider, you typically need both — and confusing one for the other creates a compliance gap.

What is a Data Processing Agreement (DPA)?

A Data Processing Agreement is required by GDPR Article 28(3) whenever a controller engages a processor to process personal data on its behalf. It is a contract that governs the terms of that processing relationship. Geography is irrelevant to whether you need a DPA. If you engage a processor based in Germany, in the US, or in Singapore, you need a DPA with each of them.

Article 28(3) sets out the minimum terms a DPA must contain:

  • The processor processes personal data only on documented instructions from the controller
  • The processor ensures that persons authorised to process the data have committed to confidentiality
  • The processor implements appropriate technical and organisational measures (Article 32)
  • The processor does not engage sub-processors without the controller's prior authorisation
  • The processor assists the controller in responding to data subject rights requests
  • The processor assists with security obligations, breach notification, DPIAs, and prior consultations
  • The processor deletes or returns all personal data at the controller's choice at the end of the contract
  • The processor makes all information necessary to demonstrate compliance available to the controller
  • The processor allows for and contributes to audits and inspections

If a vendor's DPA does not include all of these elements, it does not satisfy Article 28(3) and is not a valid GDPR DPA regardless of what the document is called.

What are Standard Contractual Clauses (SCCs)?

Standard Contractual Clauses are a transfer mechanism under GDPR Article 46(2)(c). They are contractual clauses adopted by the European Commission that are deemed to provide "appropriate safeguards" for personal data transferred to a third country outside the EEA that does not have an adequacy decision.

The current SCCs were adopted in June 2021 (Commission Implementing Decision 2021/914). They have a modular structure covering four transfer scenarios:

  • Module 1: Controller to controller (your business sending personal data to a third-country company that uses it for its own purposes)
  • Module 2: Controller to processor (most common scenario: your business engaging a third-country cloud provider, analytics tool, or SaaS product)
  • Module 3: Processor to sub-processor (your processor onboarding a third-country sub-processor)
  • Module 4: Processor to controller (a processor sending data back to a controller in a third country)

SCCs serve only one purpose: providing a legal basis for the cross-border transfer of personal data. They do not govern the processing relationship in the way a DPA does. The 2021 SCCs incorporate some DPA-like provisions in Module 2 (controller to processor), but they are not a substitute for a stand-alone DPA and do not include all Article 28(3) requirements in an easily usable form for the full processing relationship.

When do you need one, the other, or both?

The answer depends on where the processor is located and whether the recipient country has an adequacy decision:

Processor in the EEA or an adequate country: DPA required. No SCCs or other transfer mechanism needed, because the data does not leave the EEA or a country covered by an adequacy decision. Countries with adequacy decisions include Switzerland, Japan, Canada (commercial organisations), Israel, New Zealand, and (for US DPF-certified companies) the United States.

Processor in the US (certified under the EU-US DPF): DPA required. The DPF adequacy decision covers transfers to DPF-certified companies. Verify the vendor's DPF certification at the official DPF participant list. No SCCs needed if DPF certification is current and covers the transfer.

Processor in a non-adequate third country (e.g. US without DPF certification, India, most of Asia-Pacific): DPA required AND SCCs (or another Article 46 mechanism) required. The DPA governs the processing relationship. The SCCs provide the transfer mechanism.

How large vendors combine them

Most large US SaaS vendors (AWS, Google, Microsoft, Salesforce, HubSpot, Atlassian, and others) publish a combined document that functions as a DPA and also incorporates the SCCs. The document is typically called a "Data Processing Agreement" or "Data Processing Addendum" and includes the Article 28(3) provisions alongside an SCC Module 2 attachment for the transfer scenario.

When you sign a vendor's DPA, check: (1) whether it includes all the Article 28(3) elements listed above, (2) whether it incorporates the 2021 SCCs (not the old 2001 or 2010 versions, which are no longer valid), and (3) whether the transfer mechanism used matches your situation (DPF for DPF-certified US vendors, SCCs for non-certified or non-US vendors).

A vendor that presents a DPA without any transfer mechanism, or that uses SCCs as though they eliminate the need for an Article 28 DPA, has a compliance gap. The two documents serve different legal functions, and both are required in the scenarios described above.

Common mistakes

Using the 2001 or 2010 SCCs. The old SCCs were invalidated by the Schrems II judgment and replaced by the 2021 SCCs. If your vendor contracts still reference Decision 2001/497/EC or Decision 2010/87/EU as the SCC basis, they should be updated. New contracts entered into after December 2022 must use the 2021 SCCs.

Treating SCCs as a substitute for a DPA. A vendor that sends you SCCs without a separate DPA (or without DPA-compliant terms incorporated in the SCCs) does not satisfy Article 28(3). SCCs Module 2 includes some processor obligations, but they are not a complete DPA and the vendor may have intended them only as a transfer mechanism.

Not verifying DPF certification. A vendor claiming DPF certification should be verified against the official participant list. DPF certification must be renewed annually. A vendor that certified in 2023 and has not renewed may no longer be certified for the specific data categories relevant to your transfer.

For the full GDPR compliance framework including data transfer requirements, see the GDPR compliance checklist. For the current state of GDPR enforcement including data transfer-related fines, see GDPR enforcement in Q1 2026.

FAQ

Does every vendor that touches our data need a DPA?

Yes, if the vendor processes personal data on your behalf as a processor under Article 28 GDPR. This includes cloud hosting, analytics tools, email marketing, CRM, and any service that stores or processes data you have collected. The DPA must contain the minimum terms required by Article 28(3).

Can SCCs substitute for a DPA?

No. SCCs are a transfer mechanism for sending data to a third country. A DPA governs the processor relationship regardless of geography. They serve different legal purposes. When both are needed, you need both documents (or a combined document that satisfies both sets of requirements).

What are the 2021 SCCs and do I need to update my contracts?

The European Commission published new SCCs in June 2021, replacing the previous sets from 2001 and 2010. Contracts still using the old SCCs should have been updated by December 2022. If you have legacy contracts referencing the old SCC Decisions, they are not valid for new transfers and should be updated.

What is a transfer impact assessment (TIA)?

A TIA analyses whether a third country's law provides adequate protection for transferred data when relying on SCCs. For transfers to US vendors certified under the EU-US DPF, a TIA is generally not required. For transfers to other non-adequate countries, a TIA is required alongside the SCCs.
