GDPR DPA clause · critical
Processing on Documented Instructions
The clause binding the processor to act only on the documented instructions of the controller — not for its own purposes.
What the clause requires
The processor must process personal data only on the controller's documented instructions.
Why a GDPR DPA needs it
This is a core Article 28(3)(a) requirement. Without it, a processor is contractually free to repurpose personal data, which undermines the controller’s lawful basis and is a common audit finding.
Risk if it is missing
The processor could use personal data for its own purposes, breaching the lawful basis for processing.
Free · nothing leaves your browser
Check your DPA against all 10 clauses
Answer 10 quick questions — checked in your browser, no upload. To review the actual wording, the desktop app reads your DPA on your machine and never sends it anywhere.
Run the free DPA checkThis page explains a common Data Processing Agreement clause for general information. It is not legal advice. Have a qualified professional review anything that matters.