Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Data Privacy

Vendor Data Processing Agreements: The GDPR, CCPA, and State Privacy Provisions Most Financial Services Contracts Are Missing

A data processing agreement isn't a checkbox — it's a legally required document with 8 mandatory provisions under GDPR Article 28 and overlapping requirements under CCPA, CPRA, and 20+ US state privacy laws. Here's what the clauses actually need to say, the sub-processor gap most contracts ignore, and the language DPAs routinely miss.

By Rebecca Leung · June 26, 2026 ·
Table of Contents

TL;DR

  • GDPR Article 28 requires a written data processing agreement with 8 mandatory provisions — missing any one of them makes the agreement non-compliant, regardless of what else it says
  • CCPA/CPRA and 20+ US state privacy laws require similar written contracts with service providers that process customer personal data
  • Sub-processor authorization, breach notification timelines, deletion certification, and audit rights are the four provisions most often absent or unenforceable in financial services vendor contracts
  • EU-US data transfers require either EU-US Data Privacy Framework certification or Standard Contractual Clauses — a well-drafted DPA without a transfer mechanism doesn’t fix an unlawful transfer

You have a contract with your cloud storage vendor. Your identity verification provider. Your analytics platform. Your customer communication tool. Each of them processes personal data about your customers, probably in multiple countries. And your legal team ran the contract before signing.

But here’s the question worth asking: when’s the last time you read what the data processing provisions actually say — not whether they exist, but whether they say what they need to say to protect you under GDPR, CCPA, and the 20-state US privacy patchwork?

Most financial services vendor contracts contain a DPA or data processing addendum. Most of them are missing at least three provisions that regulators and enforcement authorities treat as mandatory. With GDPR fines exceeding €1.1 billion in 2025 and US state privacy enforcement accelerating, a DPA that looks like a DPA but doesn’t work like one is not protection — it’s exposure with extra paperwork.

The framing matters. A Data Processing Agreement isn’t a courtesy document you exchange with vendors to signal good privacy intent. It’s a legally mandated contract whose specific provisions are either present or missing — and missing provisions create both regulatory exposure and liability gaps.

Under GDPR Article 28, every controller-processor relationship requires a written contract. If your vendor processes personal data on your behalf — and most vendors that touch your systems do — the contract must exist and must contain each of the Article 28(3) provisions. Supervisory authorities can audit your DPA directly, and a non-compliant or missing DPA is itself a GDPR violation, separate from any substantive data protection failure.

Under CCPA/CPRA, written contracts with service providers are required to include specific restrictions on how personal information can be used. The California Privacy Protection Agency has audit authority over these contracts, and CPRA’s amendments added sub-processing requirements that many pre-2023 service provider agreements still don’t reflect.

Under US state privacy laws — Virginia CDPA (effective January 2023), Colorado CPA (effective July 2023), Connecticut CTDPA (effective July 2023), Texas TDPSA (effective July 2024), and now more than 20 states with comprehensive privacy legislation — processor contracts must contain specific provisions. The requirements vary by state, but the core elements are consistent: limit processing to specified purposes, maintain confidentiality, assist with data subject rights, allow audits, and require sub-processor flow-down.

For financial services firms already operating under GLBA, there’s an important distinction: GLBA Reg P governs customer privacy notices and opt-outs, but it doesn’t substitute for DPA requirements under state and international law. A GLBA-compliant firm still needs compliant DPAs with its technology vendors.

The Eight Mandatory Provisions Under GDPR Article 28(3)

Article 28(3) specifies exactly what a DPA must contain. Each provision is mandatory, not aspirational:

1. Instruction-based processing only. The processor may process personal data only on documented instructions from the controller — including with respect to transfers to third countries. This limits your vendor to the uses you authorize. If your contract says the vendor can use data for “service improvement” without your explicit instruction, this provision isn’t satisfied.

2. Confidentiality obligation. All persons authorized to process personal data must be subject to a confidentiality obligation — either by contract or by statutory duty.

3. Article 32 security measures. The processor must implement appropriate technical and organizational security measures. Article 32 requires these to be appropriate to the risk. In a DPA, this translates to specifying — or referencing — the actual controls: encryption standards, access controls, testing procedures.

4. Sub-processor authorization and flow-down. The processor cannot engage sub-processors without prior controller authorization (specific or general). When sub-processors are engaged, the same obligations from the DPA must flow down to them, and the original processor remains fully liable.

5. Data subject rights assistance. The processor must assist the controller in responding to data subject requests — access, rectification, erasure, portability, restriction, and objection. This has practical implications: if your vendor holds data you need to produce in response to a DSAR, your contract needs to require them to provide it within a timeframe that lets you meet your response deadline.

6. Compliance assistance. The processor must assist the controller with security obligations (Art 32), breach notification (Arts 33-34), Data Protection Impact Assessments (Art 35), and prior consultation (Art 36). For privacy impact assessments involving high-risk processing, the vendor’s cooperation isn’t optional — it’s contractually required.

7. Data return or deletion. At the end of the services, the processor must delete or return all personal data. The controller chooses which. If your contract just says the vendor “will handle data in accordance with applicable law” after termination, without specifying return or deletion, this provision isn’t met.

8. Audit rights and compliance cooperation. The processor must make available all information necessary to demonstrate compliance and allow for audits and inspections conducted by the controller or a mandated auditor. The processor must also immediately inform the controller if, in its opinion, an instruction infringes GDPR.

Any DPA missing one of these provisions is non-compliant under GDPR. A generic privacy addendum that uses vague language across these categories may not satisfy the requirement even if it purports to be an Article 28 DPA.

What CCPA/CPRA Adds to Service Provider Contracts

The CCPA/CPRA framework uses different terminology (service provider rather than processor), but the contract requirements are structurally similar to Article 28 and are now mandatory for California operations.

Required prohibitions: Your service provider contract must prohibit the vendor from: selling or sharing personal information; retaining, using, or disclosing personal information for any purpose other than the specified services; retaining, using, or disclosing personal information outside the service relationship; and combining personal information received from you with information received from other sources (except in limited circumstances).

CPRA additions: CPRA extended the service provider regime to require that vendors delete personal information at the business’s request, assist with data subject rights requests, and apply the same obligations to their own sub-processors. Contracts executed before January 1, 2023 (CPRA’s effective date) may not contain these provisions.

Audit rights: CPRA gives businesses the right to audit service provider compliance and requires service providers to cooperate. This needs to be in the contract, not just implied by the statute.

US State Privacy Laws: The Patchwork Is Now 20+ States Deep

The core processor contract requirements across US state laws are consistent enough to support a single compliant framework, but the specific variations matter:

StateEffective DateKey Contract RequirementsNotable Additions
Virginia CDPAJan 1, 2023Purpose limitation, confidentiality, security, audit rights, sub-processor flow-downReturn/deletion choice at termination
Colorado CPAJuly 1, 2023Same as Virginia plus deletion assistanceData minimization obligation
Connecticut CTDPAJuly 1, 2023Similar to Virginia/ColoradoExplicit prohibition on selling data
Texas TDPSAJuly 1, 2024Purpose limitation, sub-processor obligationsGLBA-covered entities partially exempt but processor contracts still required for non-GLBA data
Montana MCDPAOct 1, 2024Similar to Virginia baseline

The common required provisions across most state laws: process only as directed, maintain confidentiality, implement adequate security, delete or return data at contract end, allow the controller to audit, require sub-processors to meet the same standards, and assist with consumer rights requests.

For financial services firms processing customer data across multiple states, the practical approach is to draft DPAs against the strictest applicable requirements and ensure the result satisfies GDPR Article 28 — because a GDPR-compliant DPA will generally satisfy US state law requirements as well.

The Sub-Processor Problem

Sub-processor provisions are the most frequently incomplete section of DPAs in practice — and they’re where vendor data processing accountability most often breaks down.

Authorization mechanics matter. Most enterprise DPAs use “general authorization” — a blanket approval for sub-processing. This is legally permissible under GDPR Article 28(2), but only if the processor: (a) maintains a list of sub-processors, (b) notifies you of intended changes before they occur, and (c) gives you a meaningful opportunity to object. A DPA that posts a sub-processor list on a website but doesn’t require advance notification of changes and doesn’t give you an objection right is not meeting the general authorization standard.

Flow-down is fully your liability. When your vendor uses a sub-processor, the sub-processor must be subject to the same data protection obligations as your vendor. But if your vendor’s sub-processor agreement doesn’t contain all eight Article 28(3) provisions, and the sub-processor has a data breach, your vendor is fully liable to you — and you may not have an enforceable claim against the actual sub-processor. Contract review should include asking your critical vendors for their standard sub-processor agreements.

The liability chain matters for financial services. For firms subject to GLBA’s Safeguards Rule, the obligation to oversee service providers extends to sub-processors. If your cloud provider uses a sub-cloud provider that handles customer financial data, that relationship is within scope of your oversight obligations even if you don’t have a direct contract with the sub-processor.

International Data Transfers

If your vendor processes data outside the country where it was collected, a transfer mechanism is required. For EU personal data transferred to the US:

EU-US Data Privacy Framework (DPF). The European Commission adopted the DPF as an adequacy decision in July 2023. US organizations that certify to the DPF can receive EU personal data without SCCs. Verify your vendors’ DPF certification status at dataprivacyframework.gov — and note that certification must be renewed annually.

Standard Contractual Clauses (SCCs). The EU Commission’s June 2021 SCCs are the primary alternative. They must be incorporated by reference into the DPA (or as an annex) and executed correctly — the correct module must be selected based on the relationship type (controller-to-processor, controller-to-controller, etc.). SCCs without the correct module selection don’t satisfy the transfer requirement.

The DPF faces ongoing legal challenges, and a successful Schrems III challenge could require a fallback to SCCs. For critical transfers, having SCCs available as a backup — even while relying on DPF certification — is prudent risk management.

The Clauses Most DPAs Are Missing

Six provisions routinely appear incomplete or absent in financial services vendor contracts:

Breach notification SLAs. GDPR requires a controller to notify supervisory authorities within 72 hours of discovering a personal data breach. Your DPA needs to require the processor to notify you with enough lead time to meet that clock — typically a 24-hour or 48-hour notification obligation to you, from the processor’s discovery of the breach. Generic “without undue delay” language is not a sufficient SLA. After a vendor breach, the question of when the vendor knew and when they told you becomes legally material.

Deletion certification. Your contract says the vendor will delete data at the end of the engagement. The missing piece: written certification confirming deletion occurred, from what systems, and when. Without this, you have no evidence of compliance with your data minimization obligations.

AI/automated processing restrictions. If your vendor uses your customer data to train AI models, improve their own products, or run automated decision-making, that processing needs to be explicitly authorized or prohibited. Most DPAs executed before 2023 are silent on AI model training. This is now a material gap, particularly for financial services firms whose vendors process sensitive customer data.

Meaningful audit rights. Article 28 requires audit rights. But many DPAs define them in ways that make them functionally unexercisable: “audits may occur at mutually agreed times” with no obligation on the vendor to cooperate, no timeframe for scheduling, and no right to use an independent auditor if the vendor refuses. Negotiate audit rights that are exercisable unilaterally, with reasonable notice, and with the option to substitute a third-party auditor.

Specific security requirements. “Industry-standard security measures” is not a security requirement. Your DPA should specify: encryption in transit and at rest, access control procedures, penetration testing frequency, and patch management timelines. The level of specificity should be proportionate to the sensitivity of the data the vendor handles.

Return vs. deletion clarity. Article 28(3)(g) requires the processor to delete or return all personal data — at the controller’s choice. Most DPAs are silent on which option applies or say “delete or return as directed.” Without a clear selection in the contract, termination creates ambiguity about whether your data was returned, deleted, or retained by a vendor for some internal purpose.

So What? The DPA Audit Checklist

Run this inventory against your three highest-risk vendor relationships:

  1. Does the DPA contain all eight Article 28(3) provisions, or does it use generic language that doesn’t satisfy any of them specifically?
  2. Does the sub-processor provision require advance notice and an opportunity to object before sub-processor changes?
  3. Does breach notification language specify a concrete SLA (24 or 48 hours) rather than “without undue delay”?
  4. Is there a deletion certification obligation at contract termination?
  5. Does the DPA address AI/model training and automated processing restrictions?
  6. Are audit rights exercisable in practice, with an independent auditor option?
  7. For EU personal data: is there a DPF certification on file or SCCs incorporated in the contract?
  8. Has this contract been reviewed since CPRA (January 2023) and Texas TDPSA (July 2024) took effect?

If you’re finding gaps in multiple areas, the issue is probably that your template DPA was drafted to a pre-2023 standard and hasn’t been updated for the current regulatory landscape. The 2024-2026 state law wave significantly expanded what processor contracts must contain — and most template DPAs haven’t kept up.


The Data Privacy Compliance Kit includes a GDPR/CCPA-aligned vendor contract provisions checklist, a 19-state privacy law applicability matrix, DSAR workflow templates, and data breach notification procedures — built for teams managing privacy compliance without a dedicated privacy officer.


Sources:

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What is a Data Processing Agreement (DPA) and when is one required?
A Data Processing Agreement is a binding contract between a data controller (the company that determines how and why personal data is processed) and a data processor (the vendor or service provider that processes data on the controller's behalf). GDPR Article 28 makes it mandatory: if a processor handles personal data on your instructions, you must have a written DPA in place. CCPA/CPRA requires similar written contracts with service providers. Under US state privacy laws — including Virginia CDPA, Colorado CPA, Connecticut CTDPA, and Texas TDPSA — processor contracts with specific required provisions are a compliance obligation. If you're a financial services firm using cloud providers, analytics vendors, identity verification tools, or communication platforms that touch customer personal data, DPAs are required, not optional.
What are the eight mandatory provisions under GDPR Article 28?
GDPR Article 28(3) requires that the contract between controller and processor specify that the processor: (1) processes personal data only on documented instructions from the controller; (2) ensures authorized persons are bound to confidentiality; (3) implements the security measures required by Article 32; (4) complies with the sub-processor authorization and flow-down requirements (Article 28(2) and (4)); (5) assists the controller with data subject rights requests; (6) assists with breach notification (Art 33), DPIAs (Art 35), and prior consultation (Art 36); (7) deletes or returns all personal data at the end of the services; and (8) makes available all information necessary to demonstrate compliance and allows for audits. Each of these is mandatory — a DPA that omits any of them is non-compliant regardless of whatever else it says.
Does CCPA/CPRA require a formal Data Processing Agreement with service providers?
CCPA/CPRA requires a written contract with service providers that includes: a prohibition on using personal information for any purpose other than the specified services; a prohibition on selling or sharing personal information; a prohibition on retaining, using, or disclosing personal information outside the service relationship; a prohibition on combining personal information from different sources in unauthorized ways; and a requirement that service providers treat personal information with the same protection as the business would. CPRA added requirements for service provider sub-processing obligations. If you're doing business in California and using vendors that process California consumer personal information, these contract terms are required — and California's enforcement authority, the CPPA, can audit your vendor contracts.
What's the difference between 'specific' and 'general' sub-processor authorization under GDPR?
Under GDPR Article 28(2), a processor needs the controller's prior authorization to engage sub-processors. That authorization can be 'specific' (naming each sub-processor and requiring approval before any change) or 'general' (a blanket pre-authorization for sub-processing, with an obligation to inform the controller of additions or replacements and give the controller an opportunity to object). Most enterprise DPAs use general authorization in practice. The key requirement with general authorization: the processor must notify you of sub-processor changes before they happen and give you a meaningful opportunity to object. A DPA that allows sub-processors without any notification mechanism is missing this provision.
How do I handle EU-US data transfers if I'm a US financial services firm processing EU customer data?
US firms that process EU customer personal data need a legal transfer mechanism in place. The two main options: (1) certify to the EU-US Data Privacy Framework (adopted July 2023), which provides an adequacy finding that allows transfers without SCCs; or (2) execute the EU Commission's Standard Contractual Clauses (updated June 2021) with your EU data exporters. The EU-US DPF faces ongoing legal challenges, so having SCCs as a backup is prudent. For intra-group transfers involving EU subsidiaries, the DPA between the EU entity and the US parent should incorporate the appropriate transfer mechanism — typically SCCs. If neither mechanism is in place and you're processing EU personal data, your transfer is unlawful regardless of what the DPA says about other obligations.
What are the most common DPA drafting mistakes in financial services contracts?
Six gaps appear most often: (1) the sub-processor list isn't maintained or doesn't require approval before changes — most vendors put a URL to a current list, but contracts don't require pre-notification; (2) the breach notification timeline is vague ('promptly' or 'without undue delay') rather than specific — GDPR's 72-hour clock from the processor to the controller needs a concrete SLA in the contract; (3) deletion certification is absent — there's no obligation for the processor to confirm in writing that data was deleted after services end; (4) audit rights are present on paper but impossible to exercise in practice (e.g., 'audits may occur at mutually agreed times' with no vendor obligation to cooperate); (5) AI/automated processing restrictions are absent — contracts don't address whether the vendor can use your customer data to train AI models; (6) the security requirements reference generic 'industry-standard security' rather than specific controls like encryption standards, access review frequency, or penetration testing schedules.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Data Privacy Compliance Kit

Multi-state privacy compliance templates covering 19 state laws plus GLBA and CCPA.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.