Data processing agreement and PUODO fine for DPD – conclusions

3/17/2026
The latest decision by the President of the Personal Data Protection Office (PUODO), imposing a fine of over PLN 11 million on DPD Polska, once again highlights one of the fundamental, yet often overlooked, elements of the personal data protection system: the proper regulation of the relationship between the data controller and the processor. This case demonstrates that the lack of a properly concluded personal data processing agreement is not merely a formal infringement but can constitute a serious violation of the GDPR.

Data processing agreement

What will you learn from this article?


  • What is a data processing agreement under Article 28 of the GDPR and what elements must it contain for it to be considered effective?
  • Why is the chain of subcontractors (carriers, IT, marketing) the biggest challenge for maintaining the principle of accountability?
  • What is processor due diligence and why does a controller have an obligation to verify its business partners?
  • What specific steps should an entrepreneur take to avoid the errors identified in the supervisory authority's decision?

Entrusting data as a basis for legal processing by an external entity


According to Article 28 of the GDPR, a data controller may only use the services of a data processor if the processing is based on a contract or other legal instrument binding the parties. This document specifies, among other things, the subject matter and duration of processing, the nature and purpose of data processing, the type of personal data, and the categories of data subjects.

The purpose of a personal data processing agreement is to ensure the controller has real control over how the external entity processes data. In practice, this means precisely defining the processor's responsibilities, including the use of appropriate technical and organizational measures, rules for engaging subcontractors, and the obligation to support the controller in exercising the rights of data subjects.

The systemic problem with subcontractor-based models


In every industry, it is easy to encounter situations where multiple entities involved in providing a service gain access to personal data. In practice, these may include carriers, IT specialists, marketing agencies, warehouse operators, and delivery companies.

The PUODO's decision indicates that failure to properly regulate these relationships - especially in the case of a broad network of operational partners - may lead to a violation of the accountability principle set out in Article 5(2) of the GDPR. The controller remains responsible for demonstrating that personal data are processed in accordance with the regulations, regardless of the number of subcontractors involved in the process.

Entrustment agreement as an element of risk management


From a compliance and risk management perspective, a data processing agreement serves as a control tool. It should not only formally regulate data processing but also reflect actual business processes. This requires prior identification of all entities with access to data and an assessment of the scope of processing performed by each.

Processor due diligence is also gaining increasing importance. A controller should be able to verify whether a given entity meets the GDPR's information security requirements and has appropriate organizational and technical measures in place.

Conclusions for entrepreneurs


The PUODO's decision serves as an important reminder that proper regulation of relationships with external entities is crucial in the personal data protection system. In practice, this means that a controller needs to:

  • identify all processors that have access to personal data,
  • conclude data processing agreements that meet the requirements of Article 28 of the GDPR,
  • monitor how these agreements are implemented in practice,
  • ensure control over any further sub-entrustment of data.

The DPD case demonstrates that the supervisory authority is increasingly focusing not only on security incidents but also on the proper organization of data processing processes. As a result, a properly constructed and implemented data processing agreement is becoming one of the fundamental tools for mitigating legal risk in business operations.
