Data Processing Agreements and AI Tools: What Dutch SMEs Need to Know

GDPR obligations for businesses using AI in the Netherlands · Orellis

Yes, required. As soon as an AI tool processes personal data on behalf of your business, GDPR Article 28 requires a written data processing agreement with that provider. This applies to every language model, automation platform, or API that sees client or employee data.

Most businesses have not explicitly signed that agreement with every tool they use. That is not a disaster, but it is something to map now.

The data processing agreement is not the most complex GDPR obligation, but it is the one most often overlooked with AI tools. The reason: tools get adopted as productivity aids, not as data processing systems — even though that is exactly what they are the moment a name, a tax number, or a client file enters the prompt.

When a data processing agreement is required

The key question is whether the AI provider processes personal data on behalf of your business. If yes, the provider is a processor under GDPR and Article 28 applies.

This is almost always the case when you:

It is not the case when you use only anonymized or synthetic data, or when the tool is used for tasks that involve no personal data.

What GDPR Article 28 requires

In writing: The agreement must be in writing — in practice the law also accepts electronic documents. A verbal agreement or a general privacy policy is not sufficient.
Subject matter and duration: Which processing, for what purpose, for how long. For AI tools: what data goes in, for what result, and when the processing ends.
Nature and purpose of the processing: What the provider technically does with the data — generating text, analyzing documents — and the business purpose for which you use it.
Type of personal data and categories of data subjects: Name, national ID number, email address, financial data of clients or employees — each type named explicitly. Special categories (health, ethnicity) require additional attention.
Processor obligations: Confidentiality, security measures, breach notification, no sub-processors without authorization, and the controller's right to audit.

The questions that matter

When is a data processing agreement required for AI tools?

As soon as an AI provider processes personal data on behalf of your business — and does not independently determine what happens to that data — it is a processor under GDPR. Article 28 then requires a written data processing agreement. This applies regardless of whether the provider is large or small, and whether the tool is a chatbot, a language model, or an automation platform.

Do major AI providers offer a data processing agreement by default?

Most large providers (Microsoft, Google, OpenAI via Azure) offer a Data Processing Agreement or equivalent document in their enterprise terms. Standard consumer or developer API terms typically do not include one, or are not intended for processing third-party personal data. You need to check the specific terms for each provider you use, and confirm which version applies to your use case.

What if an AI provider refuses to sign a data processing agreement?

Then you cannot lawfully use that provider for processing your clients' or employees' personal data, unless a different lawful basis applies. A provider that refuses to sign a data processing agreement while processing personal data is itself non-compliant with GDPR. That is a risk signal, not a bureaucratic detail.

Do we need a separate data processing agreement for each AI tool?

Yes, one per provider that processes personal data on your behalf. If you use multiple tools in a single workflow — for example an automation platform that calls a language model — each link in the chain may require a separate agreement. We map which provider sees which data at each step in the workflow, so you know which agreements you need.

What is the difference between a data processing agreement and an NDA?

An NDA governs confidentiality of information in general. A data processing agreement is a GDPR-specific contract governing the rights and obligations around the processing of personal data. They overlap in part but are not interchangeable. For AI tools that process personal data you need the data processing agreement; an NDA alone is not sufficient.

What does Orellis do with data processing agreements in practice?

We are set up to document, at each step in a workflow, which provider processes which data and under what terms. As part of the design, we map which data processing agreements apply or still need to be signed. We do not sign those agreements on your behalf — that is for you or your legal advisor — but we make it clear which agreements are needed and with which provider.

What this page cannot answer

This is an operational explanation of the data processing agreement as a GDPR requirement, not legal advice. Whether a specific use of a specific tool in your situation is GDPR-compliant depends on your data architecture, your legal basis, and the current terms of the provider at the time you read this. Your legal advisor or data protection officer is the right person to assess that for your specific situation.

We cite law, not case law

The requirements on this page are based on the text of GDPR Article 28. Supervisory authorities and courts may provide additional interpretations. For current enforcement guidance, refer to the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl) and the EDPB guidelines.

This is operational framing, not legal advice. Whether your specific use of an AI tool is GDPR-compliant depends on your data architecture and your legal basis. We document the design choices; your advisor signs off on them.

How Orellis approaches this

We are set up to map every workflow step by step: what data goes in, which provider processes it, what comes out, and who reviews it. Identifying which data processing agreements you need is part of that design. It is not a legal service — it is making the choices visible so your advisor can assess and sign off on them.

We review everything before it goes live. This page was drafted with our own AI stack and reviewed by a human before publication. That review discipline is the product.

Want to know which data processing agreements you need?

Tell us which AI tools you use or are considering, and we will map which data passes through each step and which GDPR agreements that requires. No system access. No data. A response from a human.
