Data Processing Agreement (Auftragsverarbeitungsvertrag, AVV)
A Data Processing Agreement (DPA) — in German Auftragsverarbeitungsvertrag (AVV) — is the contract required under GDPR Article 28 between a data controller (typically the customer) and a data processor (typically a cloud-service vendor or a specialist sub-processor). For DACH organisations running cloud ERP, every cloud SaaS service that processes personal data on the customer's behalf requires an executed DPA. Reviewing and managing DPAs is a substantial, ongoing compliance discipline rather than a one-off contracting step.
Required content (Article 28)
GDPR Article 28 specifies mandatory DPA content:
(1) Subject matter and duration of processing.
(2) Nature and purpose of processing.
(3) Categories of personal data and categories of data subjects.
(4) Obligations and rights of the controller.
(5) Processor obligations: process only on documented instructions; ensure persons with access are bound by confidentiality; implement appropriate security measures; engage sub-processors only with written authorisation; support the controller's compliance obligations (data-subject requests, breach notification); delete or return data at end of contract; make available information demonstrating compliance; allow audits.
(6) Sub-processor management: controller authorisation requirements and the flow-down of obligations to sub-processors.
Cloud-vendor DPA practices
Major cloud ERP vendors publish standard DPAs. SAP: SAP Cloud Service Agreement plus Data Processing Agreement, with country-specific addenda. Microsoft: Microsoft Products and Services Data Protection Addendum (DPA), updated periodically. Oracle: Oracle Data Processing Agreement for cloud services. NetSuite: NetSuite Service Agreement with embedded DPA. Salesforce: Salesforce Data Processing Addendum. Each major vendor maintains a public sub-processor list with a notification mechanism for changes. Negotiating material DPA changes is generally limited to enterprise-tier customers; mid-market customers typically accept the standard DPA, adding selected addenda for specific requirements (industry compliance, regulatory geography).
Reviewing a DPA for ERP selection
When evaluating cloud ERP, the DPA review should cover several specific areas:
(1) Scope of processing: is it aligned with the actual ERP use case?
(2) Security measures: are the technical and organisational measures (TOMs) described adequately? Are ISO 27001 or SOC 2 attestations referenced?
(3) Sub-processor list: who else processes the data downstream, and is the geographic scope reasonable?
(4) Data transfers: are there any transfers outside the EU, and on what legal basis (EU-US Data Privacy Framework, Standard Contractual Clauses)?
(5) Audit rights: how does the customer verify compliance? Does the DPA rely on vendor-side audit reports, or does it allow customer-led audits?
(6) Breach notification: timing (typically 24-72 hours) and the information the notification must contain.
(7) Data deletion: at end of contract, within a reasonable timeline.
(8) Liability: cap and exclusions.
The Data Protection Officer should be involved in DPA review for any cloud-ERP selection.
Practical considerations
Three practices matter in day-to-day DPA management:
(1) Maintain a DPA register: organisations with 30+ cloud SaaS services need a register tracking which DPAs are in force, which sub-processor lists are subscribed for change notification, and which audit reports have been received. Without a register, DPA compliance drifts.
(2) Monitor sub-processor changes: cloud vendors add and change sub-processors periodically, and customers receive notifications with typical 14-30 day objection windows. Ignoring these notifications creates compliance gaps.
(3) Integrate DPA review with vendor selection: DPA quality is part of vendor evaluation, not a post-selection contracting step. Vendors with weak DPAs may not pass scrutiny regardless of functional fit.
Mid-market organisations in DACH benefit from involving the DPO and external privacy counsel in cloud-ERP selection.
Frequently Asked Questions
Can we use the vendor's standard DPA?
For most mid-market situations, yes — major cloud ERP vendors publish well-structured DPAs covering the standard Article 28 requirements. Specific situations may need supplementary terms (regulated industries, specific geographic requirements, large-enterprise leverage). Negotiating materially modified DPAs is generally feasible only at enterprise scale.
What if the vendor uses sub-processors in the US?
This is manageable: the EU-US Data Privacy Framework (in force since July 2023) replaced the invalidated Privacy Shield, and major US cloud vendors maintain DPF self-certifications. Customers should verify the vendor's DPF certification, identify the specific sub-processors involved, and apply any available geographic restrictions through configuration (e.g., EU-only data residency for SAP S/4HANA Cloud).
How often does the DPA need updating?
Vendors update DPAs periodically (annually, or when regulatory changes occur). Customers receive notifications and the updated text. Active maintenance means reviewing the changes, assessing their impact, and propagating the new terms into the internal DPA register. Some changes (significant sub-processor additions, geographic-scope changes) may require formal customer acceptance.
