DPA (Data Processing Agreements) for Businesses with EU Clients | KVKK & GDPR - Simple Guide
- Merih Okuyaz
- 6 days ago
- 3 min read

If you process personal data through a vendor/system (CRM, cloud, support, marketing, etc.), you likely need a DPA (Data Processing Agreement). This article explains what a DPA is, who needs it, how to draft one in 5 steps with examples, common mistakes, and a 60-second checklist. Our baseline is Turkish Personal Data Protection Law No. 6698 ("KVKK"); if you work with EU-resident individuals or receive EU visitors to your site, we also summarize the key GDPR differences in plain English.
1) What is a Data Processing Agreement (DPA)?
A DPA is a short written contract that says: “If you process my data on my behalf, here are the rules.” Its purpose is to make clear what personal data is processed, by whom, with which security measures, and for how long.
2) Who needs a Data Processing Agreement (DPA)?
The rule of thumb: If a vendor accesses personal data on your behalf—whether it belongs to your customers, employees, or end users—you should have a DPA in place.
Typical scenarios
- Cloud/CRM: Customer records in HubSpot/Zoho, etc.
- Email & marketing: Mailchimp/Sendinblue; an ad agency sets pixels/cookie tracking.
- Support & ticketing: Zendesk/Freshdesk can see names and emails.
- Payroll/HR: Outsourced payroll, recruiting tools, performance software.
3) Drafting a Data Processing Agreement (DPA) - in 5 steps
- Step 1 — Inventory: List what data (name, email, phone, etc.), which vendor, and for what purpose.
- Step 2 — Scope & instructions: “Only for [support/reporting]; you may not use it for your own purposes.”
- Step 3 — Security (TOMs): Access control, encryption, backups, logs, periodic testing.
- Step 4 — Sub-processors: If the vendor adds infrastructure/sub-contractors, notify first and flow down the same protections.
- Step 5 — Exit: At the end of the engagement, require return/deletion and proof of deletion (report/log).
4) Sample Data Processing Agreement (DPA) clauses
- Purpose & Instructions: “The Processor shall process Personal Data only for [support/reporting] and only on the Controller’s written instructions.”
- Security: “The Processor implements access control, encryption, backups, and event logging, and provides evidence of these measures upon request.”
- Sub-processors: “The Processor shall give [15] days’ prior written notice before appointing any Sub-processor and shall flow down equivalent obligations.”
- Deletion/Return: “Upon termination, the Processor shall return or delete the data within [30] days and document the deletion in writing.”
- Audit: “The Controller may request one document-based audit per year (e.g., ISO/SOC reports) and, where reasonable, conduct on-site audits.”
5) Practical notes for a KVKK-based DPA (Turkey context)
- In your privacy notice, name the types of vendors you use and their purposes.
- Define a schedule and method for erasure, destruction, and anonymisation, and request evidence.
- If there is a cross-border transfer, plan the legal basis and contract addenda (e.g., for EU-related projects).
- Prefer document-based verification (ISO 27001, SOC 2) over on-site audits where practical.
6) Businesses with EU clients: do you process data of EU-resident individuals?
If you offer goods/services to the EU or track EU visitors (marketing cookies/analytics), the EU’s rules (GDPR) may also apply. Key practical differences:
- Cookies: Marketing/tracking cookies may require prior consent with a preference panel.
- Contracts: DPAs with vendors are a must; require sub-processor notices and deletion evidence.
- Transfers: For EU→Turkey data flows, use additional contract addenda and simple risk controls (e.g., vendor list, encryption).
No EU touchpoint? A KVKK-based DPA is generally sufficient.
7) Top 5 mistakes (and fixes)
- Assuming ToS = DPA → Add a short DPA appendix.
- Forgetting deletion/return → Specify a deadline and proof.
- Ignoring sub-processors → Maintain a list + change notices + right to object.
- Audits only on paper → Add “one document-based audit per year”.
- Drafting without a data inventory → First build a table: data type/purpose/vendor/retention.
8) The 60-second Data Processing Agreement (DPA) Checklist
- Vendor–data–purpose table ready
- Scope & written instructions defined
- Security annex attached
- Sub-processor notice + equivalent protections
- Return/delete on exit + proof
- Annual document-based audit right (ISO/SOC)
- If EU touchpoint: cookie consent + transfer addendum
FAQs
Who signs the DPA? The Controller (you) and the Processor (your vendor).
Separate DPA for each vendor? Yes—reuse the same template to move fast.
Can the DPA be in English? Yes. For Turkish matters, specify governing law/jurisdiction and notification details.
If I have no EU clients, does GDPR apply? Generally no. Without EU targeting/monitoring, a KVKK-based DPA is usually sufficient.
Av. Merih Okuyaz (Istanbul Bar Association No. 1)
Disclaimer: This content is for general information only and does not constitute legal advice.