Trusq

factual analysis · traceable to primary sources

Explainer

Data processing agreement (GDPR art. 28): needed with an AI vendor?

Adopted 2026-06-28 · ≈ 1 min read · Dirk Baaijen

If an AI vendor processes personal data on your behalf, Article 28 GDPR requires a written data processing agreement with fixed minimum content. This explainer sets out what it must contain and what to watch for with AI services.

Short answer: If you have an AI vendor process personal data on your behalf, for example a SaaS tool or API that processes your customer or staff data, you are the controller and the vendor is the processor. Article 28 GDPR then requires a written contract (a data processing agreement, DPA) with fixed minimum content; the written form may be electronic (art. 28(9)). Without it, the controller is in breach of Article 28, even if a valid legal basis exists for the processing itself.

What it must contain as a minimum

Article 28(3) requires the agreement to set out, among other things: the subject matter, duration, nature and purpose of the processing, the type of personal data and the categories of data subjects, and the controller's rights and obligations. The processor commits to, among other things: processing only on the controller's documented instructions (including for transfers to third countries), ensuring that the persons processing the data are bound by confidentiality, applying appropriate technical and organisational security measures (art. 32), engaging sub-processors only with the controller's prior written authorisation, assisting the controller with data-subject requests, security, breach notification and data protection impact assessments, deleting or returning the data at the end of the service, and making available the information needed to demonstrate compliance, including allowing and contributing to audits and inspections. The same data protection obligations must be passed down to any sub-processor (art. 28(4)).

What to watch for with AI services

Three points are crucial with AI vendors. Sub-processors: AI providers often rely on cloud infrastructure and model providers; have that chain listed in the agreement and, where you give a general authorisation (art. 28(2)), make sure the vendor must notify you of additions or replacements so that you can object. Reuse for training: explicitly arrange that your personal data is not used to train, fine-tune or otherwise improve models unless you knowingly allow it; a vendor that uses the data for its own purposes is no longer acting on your instructions and is treated as a controller for that processing (art. 28(10)). Location and transfer: record where processing takes place and which Chapter V safeguards (adequacy decision, standard contractual clauses or another transfer tool) apply for transfers outside the EEA.

Relationship to the AI Act

The DPA covers the privacy side (GDPR). If you also use the AI system in a context covered by the AI Act, separate obligations apply on top, depending on your role as provider or deployer. Handle both tracks side by side.

Read also: GDPR and employee data with AI.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2016/679/oj
    Regulation (EU) 2016/679 (GDPR), Article 28: processor and mandatory content of the data processing agreement.
  2. https://commission.europa.eu/law/law-topic/data-protection_en
    European Commission, data protection: roles of controller and processor.

Read next

AI vendor questionnaire: what to ask an AI tool supplier

A ready-to-use questionnaire to vet an AI tool supplier before purchase on role (provider/deployer), data and training, security, sub-processors, AI Act status and exit. Adopt the questions into your procurement or vendor assessment.

The AI Act for DPOs: where it meets the GDPR

The AI Act and the GDPR overlap but are not the same. The DPO is not automatically responsible for AI compliance, yet plays a key role wherever AI processes personal data. This guide maps the touchpoints: DPIAs, legal grounds, transparency and the limits of the DPO role.

AI in hospitality and tourism: dynamic pricing, profiling and the GDPR

Hospitality and tourism use AI for dynamic pricing, recommendations and guest profiling. The AI Act rarely treats this as high-risk, but the GDPR is decisive: profiling, automated decisions and transparency call for clear legal bases.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject, programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.
