Published: 28 May 2026 · Roy Morken, Datafolka

Data Processing Agreements under the Personal Data Act: a guide for Norwegian SMBs

Two people signing an agreement at a desk with documents and a laptop – illustration for data processing agreements
Photo: 2H Media / Unsplash

Every time you adopt a new cloud service that stores customer or employee data, GDPR Article 28 requires you to have a data processing agreement in place before the vendor begins processing your data. This applies to Microsoft 365, your accounting system, your CRM, your newsletter tool, and the AI assistant you just connected. The agreement is free to put in place, yet it remains one of the first documents Datatilsynet requests when opening a case, and it is missing more often than most SMBs realise.

Most Norwegian businesses have an unclear relationship with data processing agreements. They know GDPR exists, they have a privacy policy they have never read closely, and they assume the vendor "handles it automatically". Sometimes that is true – large vendors have the agreement ready in the admin console – but it often must be actively accepted, and for smaller vendors there is no automatic process at all. This guide covers what a data processing agreement actually is, what it must contain, when you need one, how to handle sub-processors and US services, and where to find a free template.

Everything in this article is based on GDPR Article 28, Datatilsynet's guidance on data processing agreements, and EDPB Guidelines 07/2020 on controllers and processors. No anonymised client cases, no "we have seen" anecdotes. Just legal text and public guidance translated into practical language for Norwegian SMBs.

What a data processing agreement is (and what it is not)

A data processing agreement is a legally binding contract between a controller and a processor that regulates how the processor may process personal data on behalf of the controller. The requirement is set out in GDPR Article 28(3), and the content is not optional: the regulation lists eight things the agreement must contain as a minimum.

To understand the agreement, you need to know three roles:

EDPB Guidelines 07/2020 spends considerable space on exactly this distinction, because it determines who bears which obligations. The basic rule is clear: if a vendor stores or processes personal data on your behalf but does not determine the purpose itself, they are a processor, and an agreement under Article 28 is required.

A data processing agreement is not the same as a privacy notice (which is directed at data subjects), not the same as an ordinary purchase or licence agreement (which governs price and delivery), and not a one-time document you can file away. It must be updated when the vendor changes sub-processors or when you change what data is being processed.

The eight mandatory clauses of Article 28(3)

GDPR Article 28(3) lists what the agreement must cover as a minimum. These are the core of any data processing agreement, and the checklist you use when evaluating a vendor's template.

Clause (art. 28(3)) What it means in practice
a) Documented instruction The processor may only process data pursuant to your documented instructions, not for its own purposes.
b) Confidentiality obligation Personnel at the vendor who access the data must be bound by a confidentiality obligation.
c) Security measures (art. 32) Appropriate technical and organisational measures: encryption, access controls, resilience.
d) Sub-processors Conditions for using sub-processors, requiring your approval and imposing the same obligations further down the chain.
e) Assistance with rights The vendor must help you respond to access requests, rectification, erasure, and data portability.
f) Assistance with breaches and DPIAs Help with security, breach notification, and data protection impact assessments (art. 32–36).
g) Deletion or return At contract end, data must be deleted or returned at your choice.
h) Audit right The vendor must provide information and allow audits to demonstrate compliance.

In practice, clauses d) and h) cause the most friction. Smaller vendors often have agreements covering a) through c) but are vague about sub-processors and reluctant to grant full audit rights. Large vendors cover all eight but replace physical audits with third-party certifications (ISO 27001, SOC 2) as evidence, which is accepted practice.

When reviewing a vendor's template, these are the eight clauses you are looking for. If one is missing, the agreement does not comply with Article 28, regardless of how professional it looks.

When you need a data processing agreement – and with whom

The rule of thumb: every vendor that processes personal data on your behalf needs a data processing agreement. In practice, that is more vendors than most SMBs realise. Here are the typical ones, and what type of agreement they have:

Service What they process Agreement
Microsoft 365 Email, documents, contacts, Teams Data Protection Addendum in the licence agreement
Google Workspace Email, Drive, calendar Cloud Data Processing Addendum (activated in admin)
Tripletex / Visma / PowerOffice Payroll, employee and customer data Standard data processing agreement from the vendor
Slack / Microsoft Teams Internal communications, files Covered by the platform's main agreement
HubSpot / other CRM Customer and prospect data Separate DPA, often signed digitally
Zendesk / support tools Customer enquiries, contact details Separate DPA
Stripe / payment services Payment and customer data Separate DPA (often also an independent controller role)
Notion / file sharing Documents that may contain personal data Separate DPA, accepted at account level

An important exception: Stripe and certain payment services often act as an independent controller for parts of the data processing (for example fraud prevention), not merely as a processor. Different rules apply than those under Article 28. Read what the agreement actually says about their role, and do not assume every relationship is a pure processor arrangement.

You do not need a data processing agreement with vendors that do not process personal data on your behalf: a utility provider, a hardware retailer you buy a server from, or a consultant delivering an anonymised analysis. The distinction rests on whether they process personal data on your behalf, not on whether you have a supplier relationship.

Person working with contracts and documents on a laptop – illustration for reviewing data processing agreements
Photo: Austin Distel / Unsplash

Sub-processors: the chain you easily overlook

Almost no SaaS vendor operates everything in-house. They use cloud providers underneath, often AWS, Microsoft Azure, or Google Cloud, and possibly support services for email, analytics, or customer support. These are sub-processors, and GDPR Article 28(2) requires that you have approved their use.

Approval can be given in two ways. Specific approval means you approve each sub-processor individually. General approval means you agree that the vendor may use sub-processors, provided they notify you of changes so you can object. Most modern SaaS agreements use the general model and publish an updated list of sub-processors online.

Practically speaking: find the vendor's sub-processor list (search for the vendor name plus "subprocessors"), review where data is processed, and document that you have accepted the list. If a sub-processor processes data outside the EEA, that ties into the Schrems II question in the next section.

Schrems II and US SaaS services

The data processing agreement under Article 28 governs how data is processed. It says nothing about where data is stored. For vendors that process personal data outside the EEA – typically in the US – an additional layer applies: the transfer basis under GDPR Chapter 5.

The background is the Schrems II ruling of 2020, in which the Court of Justice of the EU invalidated the then-existing EU–US Privacy Shield. The reasoning was that US law (including FISA 702) gives US authorities access to data held by US vendors in a manner incompatible with GDPR. The replacement, the EU–US Data Privacy Framework from 2023, provides a formal basis for transfers to certified US companies, but the framework remains under legal challenge and could fall as its predecessors did.

For the data processing agreement, this means you should be able to document which basis each third-country transfer rests on. In practice, it is one of three:

For data you do not want to export at all, the alternative is an EU-hosted or self-hosted solution. This is particularly relevant for AI services, where it is tempting to paste customer data into an open ChatGPT or Copilot. Datafolka builds and operates Private AI solutions for SMBs that want the benefits of AI without sending customer data outside the EEA. That is not necessary for everyone, but it is a genuine consideration when you regularly process sensitive data.

Template: where to find a free data processing agreement

You rarely need to draft a data processing agreement from scratch. Good free templates exist, and for large vendors the agreement is already written.

What matters is not where the template comes from, but that it actually covers the eight clauses, that it is signed by both parties, and that you have it stored somewhere you can find it again. Datafolka is happy to help set up an extended template and a processor register tailored to your setup, available on request as part of an IT advisory review .

What happens if you don't have a data processing agreement

Missing a data processing agreement is a breach of GDPR Article 28 in itself, regardless of whether anything has gone wrong with the data. This does not mean you automatically face a fine, but it does mean you have an obvious shortcoming that will be noted if a case is ever opened.

The data processing agreement is also one of the first documents Datatilsynet requests during an inspection, precisely because it is easy to verify. Datatilsynet's decision register for 2024 shows that organisations with shortcomings in data security and vendor management received fines in the range of 150,000 to 250,000 kr. The University of Agder received 150,000 kr for inadequate data security in Microsoft Teams. Eidskog and Grue municipalities each received 250,000 kr for, respectively, a missing legal basis and a confidentiality breach. For private SMBs, it is more likely that a first-time case ends in an order to remedy the situation than in a direct fine, but a missing agreement counts against you in the overall assessment.

The sober conclusion: the risk of a large fine is real but low for an SMB that remedies shortcomings when asked. The risk of not having a basic document in place on the day a customer or Datatilsynet asks, however, is high if you have never set it up. And since the template is free and the work takes a few days, this is one of the cheapest compliance tasks you can close.

Next steps

Start with the mapping in the six-step list above. Most SMBs spend 3 to 5 days spread over a couple of weeks getting an overview of their processors, obtaining the agreements, and compiling everything in a register. After that, it is ongoing maintenance: no new SaaS vendor is brought into use before the agreement is in place.

If you would like a sparring partner to lead a privacy and vendor review over 1 to 2 days, we can help. It is typically a combination of IT advisory and IT security assessment in which we review your processors, check the agreements against the eight clauses, and set up the register together with you.

Send an email to Roy.Morken@Datafolka.no , and we will arrange a call.

Related reading on datafolka.no: Datatilsynet 2026 – what small businesses need to know , GDPR and privacy for small businesses and Private AI without data leakage .

Sources

Roy Morken, co-founder of Datafolka. The article is based on GDPR Article 28, Datatilsynet's guidance on data processing agreements, EDPB Guidelines 07/2020, and Datatilsynet's decision register, translated into practical language for Norwegian SMBs. No client data or anonymised cases were used. Last updated 28 May 2026.