What a Data Processing Agreement Means for Solo Consultants

Transparency Notice: This article contains affiliate links. If you purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. Read our full disclosure.

A solo consultant signs a contract with a new client. Buried on page four, in small grey text, sits a line about a “Data Processing Agreement to be executed within 30 days.” The client asks for a signed copy by Friday. Most freelancers freeze at this point, copy a template off Google, swap a few names, and send it back. That is the moment GDPR enforcement risk gets quietly transferred from a Fortune 500 legal team to one person working from a kitchen table in central France.

A Data Processing Agreement, or DPA, is not optional paperwork. It is a contract required by Article 28 of the GDPR every time a freelancer processes personal data on behalf of a client. Skipping it does not mean a fine on day one. It means that on the day a problem surfaces, the freelancer has no contractual shield. This explainer breaks the document down in plain English, points out the four clauses that matter for solo work, and ends with a clear recommendation on when a freelancer actually needs to push back. We follow our standard methodology for any GDPR explainer: source from regulator guidance, cross-check against current vendor practice, and translate into freelancer-grade language.

What a DPA actually is, in plain English

A Data Processing Agreement is a written contract between two parties: a controller, who decides what happens to personal data, and a processor, who handles the data on behalf of the controller. In freelancer terms, the client is almost always the controller and the freelancer is almost always the processor. The agreement spells out what data the freelancer can touch, what they can do with it, how long they can keep it, and what happens if something goes wrong.

The GDPR makes the contract mandatory under Article 28, paragraph 3 (per the GDPR text published by the European Commission, retrieved 2026-06-04). The contract must exist in writing, including electronic form. A casual mention in an email chain does not count. A signed Statement of Work that references data handling does not, on its own, count either. Regulators expect a standalone or clearly identifiable section that maps directly to the eight required topics: subject matter, duration, nature and purpose of processing, type of personal data, categories of data subjects, obligations of the controller, security measures, and sub-processor rules.

Plain-English translation of those eight topics:

  • Subject matter: what work is being done that involves personal data
  • Duration: how long the work lasts, and what happens to data at the end
  • Nature and purpose: why the freelancer is touching the data at all
  • Type of personal data: names, emails, financial records, health data, biometric data, and so on
  • Categories of data subjects: clients, customers, employees, patients, students
  • Controller obligations: what the client must give the freelancer (lawful basis, instructions)
  • Security measures: encryption, access controls, backup practices
  • Sub-processor rules: which third-party tools the freelancer is allowed to plug in

The document does not need to be twenty pages of legalese. A clean DPA for a solo consultant running a single workflow can be three to four pages. Length is not the issue. Coverage of all eight topics is.

What this means for solo freelancers

For a one-person operation, the DPA shifts from “compliance paperwork the client lawyer drafts” to “a document that decides where contractual liability lands when something goes wrong.” Based on the regulation as written, three concrete risk scenarios apply directly to solo work.

Scenario one. A freelance virtual assistant manages a client inbox using a Gmail add-on. The add-on transmits message snippets to a US server for AI categorization. Without a DPA naming that add-on as an approved sub-processor, the freelancer has just transferred client personal data to an unlisted third party. If the client gets a regulator question or a customer complaint, the freelancer has no contractual cover for the transfer and may absorb the entire liability tail.

Scenario two. A freelance copywriter pastes a client’s customer testimonial list into ChatGPT to rewrite product descriptions. Customer testimonials contain personal data: names, sometimes employer or location. If the freelancer’s DPA does not authorize use of generative AI tools, or contradicts the client’s published AI policy, the freelancer is in breach. The breach is not “GDPR-illegal” as a categorical statement, but based on the contract as written, the freelancer is exposed.

Scenario three. The freelancer’s laptop gets stolen at a coffee shop. The disk is not encrypted. Client emails, drafts, and exported reports sit on the drive in plain form. If the DPA committed to “industry-standard security measures including full-disk encryption,” the freelancer is now in breach of the security clause. Notification obligations under Article 33 kick in: the client must be told without undue delay, typically within 24 to 48 hours so the controller can meet their own 72-hour regulator deadline.

None of these scenarios is a hypothetical edge case. They are the daily reality of solo work, and the DPA is the only document that defines who carries the cost when they occur.

The four clauses that decide everything

Most DPAs follow a similar skeleton, but four clauses do nearly all the heavy lifting. A solo consultant who reads only these four clauses before signing is in better shape than one who skims the full document.

Sub-processor authorization. This clause names which third-party tools the freelancer can use. Generic language like “the Processor may engage sub-processors with prior written consent” is workable. Restrictive language like “the Processor shall not engage any sub-processor without prior written authorization from the Controller for each instance” makes routine work, like switching from Otter to Fireflies for transcription, impossible without a contract amendment. Solo freelancers should negotiate for a named list with a notice-of-change mechanism rather than per-instance approval.

Audit rights. The standard clause grants the controller a right to audit the processor’s compliance, sometimes with 30 days’ notice, sometimes with the right to bring third-party auditors. For a solo operation, a full on-site audit is operationally impossible and financially ruinous. Acceptable language for solo work caps audits at one per year, allows remote audits by document review, and requires the controller to bear all audit costs. Reject open-ended audit clauses without these caps.

Liability cap and indemnification. Boilerplate DPAs often contain unlimited indemnification by the processor for any GDPR-related claim. For an enterprise vendor with insurance and legal reserves, this is annoying but survivable. For a solo consultant with no errors and omissions coverage, an uncapped indemnity clause can mean personal bankruptcy from a single client breach. Negotiate a cap, typically tied to twelve months of fees paid, or carve out any harm caused by the controller’s own instructions.

Data return or deletion at end of contract. The clause typically requires return or deletion of all personal data within 30 days of contract end. Two practical traps: backups, and tools that auto-archive. If the freelancer uses cloud backup software that keeps 90-day snapshots, the freelancer is technically holding data past the 30-day window. Acceptable language acknowledges backup retention windows up to 90 days with continued protection of the data during that time. Push for that wording.

How to handle the DPA conversation as a solo consultant

When a client sends a template DPA, three things should happen in sequence before signature:

  • Read the four clauses above first. If any of them are uncapped or otherwise impossible for a one-person operation, mark them up.
  • Send back the marked-up version with proposed changes before signing, attached to a short note explaining the solo-scale reasoning.
  • Wait for a counter-proposal or signed acceptance. Most clients accept reasonable solo-scale modifications because the alternative is delaying the project.

Do not sign first and renegotiate later. The leverage disappears the moment the signature is on the page.

When a client has no DPA and asks the freelancer to draft one, do not download a generic template from a search engine and substitute names. The published templates from regulators are a better starting point. The European Commission publishes Standard Contractual Clauses that include processor-to-controller modules. The UK Information Commissioner’s Office publishes a model DPA built for small businesses. Both are free, both pass regulator scrutiny by default, and both are easier to defend than a template from a SaaS vendor’s blog.

When the freelancer plugs in a new tool, like switching from Otter to Granola for meeting transcription, check the sub-processor clause first. If the existing DPA does not authorize the new vendor by name, send a one-paragraph notice to the controller with the vendor name, the new sub-processor’s region, and a link to their privacy policy. Keep a dated record. This is the single most overlooked obligation in solo work, and the single easiest one to comply with.

A separate registry of every DPA the freelancer has signed, each tool covered, and each sub-processor declared turns what looks like compliance burden into a defensible audit trail.
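An added illustration (not the article's own tooling) of the registry and the two checks just described, the sub-processor gap from the "new tool" paragraph and the backup-retention trap from the data-deletion clause. Client name, vendor names, URLs and the 30/90-day windows are constructed from the article's own examples; the timing helper encodes the 24h client notice and 72h controller deadline the article cites.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# Constructed per-client DPA registry; every value here is an illustration.

@dataclass
class DpaRecord:
    client: str
    signed_on: date
    authorized_subprocessors: set            # vendors named in the sub-processor clause
    deletion_window_days: int = 30           # return/delete within N days of contract end
    backup_retention_allowed_days: int = 0   # backup window the DPA acknowledges (0 = none)
    change_notices: list = field(default_factory=list)  # dated notices sent to the controller

    def subprocessor_gap(self, tools_in_use):
        """Tools in use that the DPA does not name; each needs a notice before use."""
        return sorted(set(tools_in_use) - self.authorized_subprocessors)

    def record_notice(self, vendor, region, privacy_url, sent_on):
        """Keep a dated record of a notice-of-change, then treat the vendor as declared."""
        self.change_notices.append({"vendor": vendor, "region": region,
                                    "privacy_policy": privacy_url, "sent_on": sent_on})
        self.authorized_subprocessors.add(vendor)

    def retention_overrun_days(self, backup_snapshot_days):
        """Days by which backup snapshots outlive what the DPA actually allows:
        the deletion window, or a longer acknowledged backup window if negotiated."""
        allowed = max(self.deletion_window_days, self.backup_retention_allowed_days)
        return max(0, backup_snapshot_days - allowed)

def notification_deadlines(discovered_at):
    """Article 33 timing as the article describes it: tell the client within 24h
    so the controller can meet its own 72h regulator deadline."""
    return {"notify_client_by": discovered_at + timedelta(hours=24),
            "controller_regulator_deadline": discovered_at + timedelta(hours=72)}

if __name__ == "__main__":
    dpa = DpaRecord("Example Client", date(2026, 6, 4), {"Otter"})
    print(dpa.subprocessor_gap(["Otter", "Granola"]))   # ['Granola']: notice needed first
    print(dpa.retention_overrun_days(90))                # 60: snapshots outlive the 30-day window
    print(notification_deadlines(datetime(2026, 6, 4, 9, 0)))
```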

Privacy-friendlier tools that simplify DPA compliance

Tool choice changes the DPA conversation directly. Some vendors publish standardized DPAs that solo consultants can append to client contracts by reference. Others demand custom negotiation. Three categories of tools materially reduce the friction.

Encrypted email and cloud storage. Proton publishes a standard DPA that solo consultants can attach to a client contract by reference. Proton Mail, Proton Drive, and Proton Pass are EU-hosted with end-to-end encryption. Pricing for Proton Unlimited is around 10 to 13 dollars per month. For a freelancer in central France handling EU client data, the data-residency story is already half-built before the DPA conversation starts.

Password and secret management. Bitwarden and 1Password both publish enterprise-grade DPAs that solo users can request. Bitwarden Teams starts at three dollars per user per month. 1Password Business starts at eight dollars. Either tool, configured with a strong master password and two-factor authentication, satisfies the “appropriate technical and organizational measures” language that nearly every DPA requires.

Private mesh networking. Tailscale replaces the “I VPN into the client’s office network” workflow with a private mesh that the freelancer controls end-to-end. The free tier covers most solo operations. Tailscale publishes a DPA covering data residency and access logs. For freelancers whose DPA requires “access to client systems through controlled, auditable channels,” Tailscale is the cheapest path to that compliance language.

A hardware step that often pays off: a YubiKey 5C NFC sitting on the freelancer’s desk. It is a sub-30-dollar hardware key that satisfies the multi-factor authentication clause across nearly every major tool, including all three categories above. Buying two for backup is a 60-dollar move that prevents a lockout disaster.


The bottom line

ATP Privacy-Vetted: USE WITH CAUTION

A Data Processing Agreement is genuinely required under Article 28 GDPR for solo consultants processing client personal data, but signing a template DPA without negotiating the four core clauses (sub-processor authorization, audit rights, liability cap, data deletion windows) shifts disproportionate enterprise-scale risk onto a one-person operation. Use a DPA, but never sign an unmodified vendor or client boilerplate.

FAQ

Do I really need a DPA as a one-person freelance operation?

If you process personal data on behalf of a client, then yes, based on Article 28 GDPR as written. The regulation makes no exemption for small processors. A freelance copywriter rewriting customer testimonials, a virtual assistant managing a client inbox, a bookkeeper processing employee payroll: all three need a DPA in place before work starts. The risk is not a same-day fine, it is being personally liable when a breach surfaces.

Can I use a free DPA template I find on Google?

A template is a starting point, not a finished document. Templates from regulators (European Commission Standard Contractual Clauses, UK ICO model DPA) are safer starting points than templates from SaaS vendor blogs. Either way, the four core clauses (sub-processor authorization, audit rights, liability cap, data deletion timing) need to be reviewed against your actual workflow before signing. A blind copy-paste is worse than no DPA, because it commits you to terms you cannot actually meet.

What happens if I sign a DPA and then violate it accidentally?

A breach of the DPA is a breach of contract first, and a regulatory question second. The client can terminate the contract, claim damages under the indemnification clause, or demand corrective action. If the breach also constitutes a GDPR breach (data lost, data shared with unauthorized parties), Article 33 notification obligations kick in. Practical advice based on the contract as written: notify the client within 24 hours of discovering an incident, even if you are not 100% sure it qualifies as a breach. Late notification compounds liability far more than the breach itself.

Does a DPA cover sub-processors like my AI transcription tool?

Only if the DPA names them or authorizes a class of sub-processors. The standard clause requires written authorization for any sub-processor. If your DPA names Otter but you switched to Granola last month, you are technically in breach. Send a notice to the controller before the switch, document the consent, and keep a dated registry of every authorized sub-processor per client. This is the single most overlooked obligation in solo work.

What is the difference between a DPA and a regular NDA?

An NDA covers confidentiality of business information generally. A DPA covers personal data specifically under GDPR. They are not interchangeable. A client may ask for both: the NDA protects their trade secrets, the DPA protects the personal data of their customers and employees. Both can sit in the same contract package, but the legal obligations are distinct.

How long does a DPA need to be retained after the contract ends?

Standard practice is to retain the signed DPA for the duration of any applicable statute of limitations on related claims, typically three to six years depending on jurisdiction. Retention of the DPA itself does not violate any clause about returning or deleting the personal data the DPA covered. Keep the contract, delete the data per the agreed window.

Sources

  • European Commission, GDPR full text Article 28: https://gdpr-info.eu/art-28-gdpr/ (retrieved 2026-06-04)
  • European Commission, Standard Contractual Clauses for controllers and processors: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en (retrieved 2026-06-04)
  • UK Information Commissioner’s Office, Contracts and liabilities between controllers and processors guidance: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/contracts-data-sharing-and-licensing/contracts/ (retrieved 2026-06-04)
  • CNIL guidance for processors (France): https://www.cnil.fr/en/gdpr-developers-guide-tool-3-base-development-your-processing-activities (retrieved 2026-06-04)
  • European Data Protection Board, Guidelines 07/2020 on the concepts of controller and processor: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en (retrieved 2026-06-04)

Reviewed by Jérémy, founder of AidTaskPro and GreenBudgetHub. Based in central France. Guidance sourced from publicly available regulator documentation and Article 28 GDPR as of June 4, 2026. This explainer is not legal advice. For binding interpretation of how a specific DPA applies to a specific workflow, consult a qualified data protection lawyer in your jurisdiction.
