GDPR Article 28: When Your HR Vendor Needs a DPA (and What Must Be In It)
Every HR vendor that touches employee data is a processor under GDPR. Here's the Article 28 checklist and what to look for in a vendor's DPA before you sign.
Under the GDPR (Regulation 2016/679), the employer is the data controller for employee personal data, and any third-party vendor processing that data on the employer's behalf is a data processor. Article 28 of the Regulation requires a written contract — a Data Processing Agreement (DPA) — governing every controller-processor relationship.
When you need one
A DPA is required for every vendor that processes employee personal data on your instructions. The common examples in HR:
- Payroll provider (gross-to-net calculations, bank transfers)
- Benefits administration platform
- Applicant tracking system
- Background check provider
- Performance management tool
- Time and attendance system
- Survey or engagement platform
- Any AI-powered tool processing CVs, interview transcripts, or performance signals
If a vendor's product is fundamentally a service to you (cloud hosting, an HR SaaS, a payroll bureau), that vendor is a processor, and you need a DPA in place before any employee data leaves your systems for theirs.
What Article 28 requires the DPA to contain
The Article 28 checklist requires the contract to specify:
- The subject matter and duration of processing
- The nature and purpose of processing
- The type of personal data and categories of data subjects
- The controller's obligations and rights
- Processor obligations: act only on documented instructions, ensure confidentiality, implement appropriate security, engage sub-processors only with authorisation, assist the controller with data subject rights and breach notifications, delete or return data at the end of the relationship, allow audits
The EDPB guidelines on the controller-processor concept are the authoritative reference for borderline cases — particularly where the vendor is doing some processing for its own purposes (analytics, product improvement) on top of the contracted service.
What to look for before signing
Six practical things to check in any vendor's DPA before it goes to legal review:
- Sub-processor list. Is it published? Does the vendor commit to notifying you of changes with a reasonable objection period?
- Data location. Where is the data stored? If outside the EEA, what transfer mechanism (SCCs, adequacy decision) applies?
- Audit rights. What audit mechanism is available — a SOC 2 / ISO 27001 report, or a right to inspect?
- Breach notification window. The Regulation requires the processor to notify the controller "without undue delay"; many DPAs commit to 24-48 hours.
- End-of-contract data handling. Return or deletion? On what timeline?
- Indemnification posture. Does the processor accept liability for its own breaches?
HourSquare publishes its DPA openly at hoursquare.com/dpa so HR buyers can review it before any procurement conversation starts. The companion GDPR for HR glossary entry covers the controller-processor distinction in more depth.