All DPA clauses

GDPR DPA clause · critical

Processing on Documented Instructions

The clause binding the processor to act only on the documented instructions of the controller — not for its own purposes.

What the clause requires

The processor must process personal data only on the controller's documented instructions.

Why a GDPR DPA needs it

This is a core Article 28(3)(a) requirement. Without it, a processor is contractually free to repurpose personal data, which undermines the controller’s lawful basis and is a common audit finding.

Risk if it is missing

The processor could use personal data for its own purposes, breaching the lawful basis for processing.

Free · nothing leaves your browser

Check your DPA against all 10 clauses

Answer 10 quick questions — checked in your browser, no upload. To review the actual wording, the desktop app reads your DPA on your machine and never sends it anywhere.

Run the free DPA check

This page explains a common Data Processing Agreement clause for general information. It is not legal advice. Have a qualified professional review anything that matters.