Data Processing Agreement for Websites: A Dutch SMB Guide
Steven | TrustYourWebsite · 6 April 2026 · Last updated: May 2026
The decision rule in one sentence. If a third-party service processes the personal data of your visitors or customers on your behalf, you need a written data processing agreement (in Dutch: verwerkersovereenkomst) with that vendor under Article 28(3) of the GDPR. On almost every Dutch SMB website that covers three common categories: analytics, hosting, and email or marketing tools.
The Autoriteit Persoonsgegevens (AP) treats a missing or deficient verwerkersovereenkomst as an aggravating factor during AVG investigations. Booking.com was fined 475,000 euro by the AP in 2021 for reporting a data breach too late, which shows how much weight the AP puts on notification timing, and that timing is exactly what a DPA has to pin down between you and a processor.
This guide explains who counts as a processor, which services usually require a DPA and what the agreement must contain. If you want to know whether your own site has missing DPAs and other gaps, run a free DPA gap check on your site.
Controller vs Processor in 30 Seconds
You are the data controller when you decide why personal data is collected and how it is used. The names, email addresses and purchase history of your customers belong to you as controller.
A third party is a data processor when it processes personal data only on your documented instructions. The processor acts as a service provider. It does not reuse the data for its own purposes.
Independent controllers are different. They receive your visitors' data and use it for their own purposes. You are not their controller. Examples are delivery companies that hold their own relationship with the customer, payment processors that run their own fraud detection and social media platforms that receive data via pixels for their own advertising.
The distinction matters because:
- Data processors: you need a verwerkersovereenkomst and you stay responsible for the processing
- Independent controllers: you disclose the data sharing in your privacy policy, but they are responsible for their own processing
- Joint controllers: where you and the other party decide the purposes and means together, you need an arrangement under Article 26 that sets out who does what, and you tell data subjects the essence of it
<svg viewBox="0 0 480 200" width="100%" style={{maxWidth: '480px', height: 'auto'}} role="img" aria-label="Diagram showing the data flow between controller, processor and sub-processor"> <rect x="20" y="60" width="120" height="80" rx="8" fill="#e0f2fe" stroke="#0284c7" strokeWidth="2"/> <text x="80" y="95" textAnchor="middle" fontFamily="sans-serif" fontSize="14" fontWeight="bold" fill="#0c4a6e">Controller</text> <text x="80" y="115" textAnchor="middle" fontFamily="sans-serif" fontSize="11" fill="#0c4a6e">You</text> <rect x="180" y="60" width="120" height="80" rx="8" fill="#dcfce7" stroke="#16a34a" strokeWidth="2"/> <text x="240" y="95" textAnchor="middle" fontFamily="sans-serif" fontSize="14" fontWeight="bold" fill="#14532d">Processor</text> <text x="240" y="115" textAnchor="middle" fontFamily="sans-serif" fontSize="11" fill="#14532d">Mailchimp</text> <rect x="340" y="60" width="120" height="80" rx="8" fill="#fef9c3" stroke="#ca8a04" strokeWidth="2"/> <text x="400" y="95" textAnchor="middle" fontFamily="sans-serif" fontSize="14" fontWeight="bold" fill="#713f12">Sub-processor</text> <text x="400" y="115" textAnchor="middle" fontFamily="sans-serif" fontSize="11" fill="#713f12">AWS</text> <path d="M140 100 L180 100" stroke="#0284c7" strokeWidth="2" markerEnd="url(#arrow)"/> <path d="M300 100 L340 100" stroke="#16a34a" strokeWidth="2" markerEnd="url(#arrow)"/> <text x="160" y="55" textAnchor="middle" fontFamily="sans-serif" fontSize="11" fill="#334155">DPA</text> <text x="320" y="55" textAnchor="middle" fontFamily="sans-serif" fontSize="11" fill="#334155">DPA</text> <defs> <marker id="arrow" markerWidth="10" markerHeight="10" refX="8" refY="3" orient="auto"> <path d="M0,0 L0,6 L9,3 z" fill="#334155"/> </marker> </defs> </svg>
Common Website Services: Processor or Controller?
| Service category | Relationship | DPA required |
|---|---|---|
| Web hosting or server provider | Processor | Yes |
| Google Analytics | Processor | Yes |
| Email marketing (Mailchimp, ActiveCampaign) | Processor | Yes |
| Booking or reservation system (Formitable) | Processor | Yes |
| CRM system | Processor | Yes |
| Support chat tool (Intercom, Crisp) | Processor | Yes |
| CDN (Cloudflare, AWS CloudFront) | Processor | Yes |
| Search (Algolia) | Processor | Yes |
| Payment provider (Stripe, Mollie) | Both | Partial. Fraud handling is independent controller |
| Delivery or shipping company | Independent controller | No DPA. Disclose in privacy policy |
| Facebook Pixel | Joint controller for collection and transmission (CJEU Fashion ID); Meta is an independent controller for its own advertising use | No DPA. Meta's controller addendum applies. Consent still required |
| Thuisbezorgd or Uber Eats | Independent controller | No DPA. Disclose data sharing |
| Bookkeeper, payroll administrator or accountant with access to your books | Usually processor for bookkeeping and payroll; a statutory auditor acts as an independent controller | Yes for bookkeeping and payroll services |
| IT support with system access | Processor | Yes |
Where to Find DPAs for Common Services
Most major SaaS platforms publish a standard DPA. You typically accept it in account settings or by agreeing to updated terms of service.
Google Analytics or Google Workspace. Google publishes a Data Processing Amendment. You accept it in Google account settings, Data Processing Terms.
Mailchimp. The Mailchimp DPA is incorporated into its Terms of Service. You can review it in your account settings.
Stripe. Stripe offers a Data Processing Agreement on its legal page. Stripe is both a processor (for your billing) and an independent controller (for fraud and risk management).
Mollie. Check Mollie's legal pages and the merchant portal for its current position. Licensed payment institutions often act as controller for the payment transaction itself, which changes whether a DPA is offered at all or only for the merchant-facing services.
Cloudflare. Cloudflare includes DPA terms in its service agreement. Enterprise plans add a separately signed DPA.
Hosting providers (TransIP, Antagonist, Siteground). Dutch and EU-based hosting providers usually include DPA terms in their service agreements or send a separate DPA on request.
If a service provider does not offer a DPA and still processes personal data on your behalf, that is a red flag. Article 28(3) requires the contract to exist before the processing starts, so using that service for EU personal data without one puts you, the controller, in breach of Article 28.
What a DPA Must Contain (Article 28(3) GDPR)
Whether you sign a vendor's standard DPA or negotiate your own, the contract must set out the items below. Items 1 to 5 come from the opening sentence of Article 28(3); items 6 to 13 are its points (a) to (h). Check a vendor DPA against all thirteen, because standard DPAs most often skimp on the last three.
| # | Required item | Plain-English meaning |
|---|---|---|
| 1 | Subject matter and duration | What data is processed and for how long |
| 2 | Nature and purpose of processing | What the processor does with the data and why |
| 3 | Type of personal data | Names, email addresses, IP addresses, health data |
| 4 | Categories of data subjects | Your customers, visitors, employees |
| 5 | Controller obligations and rights | What you can instruct the processor to do |
| 6 | Documented instructions only (a) | The processor acts only on your written instructions, including for transfers outside the EU, and must tell you if it believes an instruction is unlawful |
| 7 | Confidentiality (b) | Staff with access are bound by confidentiality |
| 8 | Security measures (c) | The Article 32 technical and organisational measures the processor commits to |
| 9 | Sub-processor conditions (d) | Prior authorisation and back-to-back terms, per Article 28(2) and 28(4) |
| 10 | Assistance with data subject rights (e) | Help with access, erasure and other requests, as far as possible |
| 11 | Assistance with security, breach notification and DPIAs (f) | Help with Articles 32 to 36, including a deadline for reporting breaches to you so you can meet your own 72-hour deadline under Article 33 |
| 12 | Deletion or return at end of service (g) | Data is deleted or returned, and copies removed, unless EU or member state law requires retention |
| 13 | Information and audit rights (h) | The processor makes compliance information available and allows audits by you or an auditor you mandate |
Sub-processors
A sub-processor is a third party that your processor uses to process your data. Example: Mailchimp uses AWS to host its servers. AWS is the sub-processor for your data.
The DPA must specify:
- Whether you give general or specific authorisation for sub-processors (Article 28(2)); with general authorisation you must be informed of changes and have the chance to object
- What notification the processor must send, and how far in advance, when it adds or replaces a sub-processor
- That the processor imposes the same data protection obligations on every sub-processor and remains fully liable to you for that sub-processor's performance (Article 28(4))
Most SaaS DPAs include a list of approved sub-processors and a commitment to notify you before adding a new one. Keep that list with your DPA record, because it is the part that changes most often.
Booking and Reservation Systems (Hospitality Notes)
If you run a restaurant, hotel or other hospitality business that uses an online booking system, that platform is almost certainly your data processor. Guests submit their names, phone numbers and sometimes dietary requirements. The booking system processes all of it on your behalf.
Examples and DPA status:
- Formitable or Zenchef. Merged in 2023, serving 25,000 or more restaurants. DPA available in account settings.
- OpenTable. Acts as processor for restaurant bookings. DPA incorporated in its terms.
- Resengo. Belgian booking platform also used by Dutch restaurants. DPA available on request.
Check whether your booking system's DPA covers the specific data you collect. Allergy notes are health data under Article 9 GDPR, and dietary requirements can reveal religious belief (halal, kosher). Both are special category data: collect them only where you actually need them, and make sure the DPA's data types and security measures cover them.
When You Are the Processor or Sub-processor
If you build websites, run social media or sell digital services on behalf of clients, you may yourself be a data processor: you process your clients' customers' data on their instructions. Your clients need a verwerkersovereenkomst with you. If they do not provide one, offer one yourself; that protects both parties. If your client is itself a processor for someone else, you are a sub-processor, and your client must flow its own DPA obligations down to you under Article 28(4).
AP Enforcement Signals
The Autoriteit Persoonsgegevens does not publish a public register of fines for missing DPAs alone. It treats DPA gaps as part of a wider investigation. Two signals matter for Dutch SMBs:
- The AP published guidance on verwerkersovereenkomsten for organisations to follow.
- The 475,000 euro Booking.com fine was for reporting a breach too late. Article 33(2) obliges a processor to notify the controller without undue delay, but the GDPR does not set a number of hours for that step. A clear DPA fixes that deadline in advance so the controller's own 72-hour clock under Article 33(1) can be met.
The lesson for small businesses: a missing DPA rarely triggers a standalone fine, but it raises the cost of any breach or complaint that does land at the AP.
Practical Steps
- List all third-party services that touch your website data
- Classify each as processor, independent controller or joint controller
- Locate the DPA for each processor (account settings or legal pages)
- Accept or sign the DPA and keep a record (screenshot, email confirmation, signed document)
- Add the processor to your internal verwerkingsregister (the Article 30 record of processing activities) and to your privacy policy
- Review annually and after every change of vendor
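The first three steps can be started from the page itself: every external script, iframe, image, stylesheet and form target on your site names a third party that receives at least the visitor's IP address. The script below is an added example, not the article's scanner or any vendor's code. It parses a constructed sample page for a fictional shop at www.example.nl, reduces each external host to its registrable domain with a naive heuristic (a real tool would use the Public Suffix List), classifies it against a small vendor table whose domain-to-vendor mapping is an assumption for this example, and reports which processors still lack a DPA on record and which hosts nobody has classified yet.

```python
"""Third-party inventory and DPA gap check (added example, not the article's scanner)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs that load a remote resource or send form data elsewhere.
RESOURCE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "form": ("action",),
}

# Two-label public suffixes for the naive registrable-domain heuristic below.
# Assumption for this example; a real tool should use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz", "com.br"}

# Vendor table: (vendor, role, dpa_required). Roles follow the article's
# categories; the domain-to-vendor mapping is an assumption for this example.
VENDOR_ROLES = {
    "google-analytics.com": ("Google", "processor", True),
    "googletagmanager.com": ("Google", "processor", True),
    "list-manage.com": ("Mailchimp", "processor", True),
    "stripe.com": ("Stripe", "processor for billing, controller for fraud", True),
    "facebook.net": ("Facebook Pixel", "controller (not your processor)", False),
}


def registrable_domain(host):
    """Collapse a hostname to its registrable domain (naive eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class ResourceCollector(HTMLParser):
    """Collect every attribute value that fetches a resource or posts data."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag, ())
        for name, value in attrs:
            if name in wanted and value:
                self.urls.append(value.strip())


def third_party_inventory(html, site_url):
    """Return {domain: {vendor, role, dpa_required, urls}} for every external domain."""
    own = registrable_domain(urlparse(site_url).hostname)
    collector = ResourceCollector()
    collector.feed(html)
    inventory = {}
    for url in collector.urls:
        parsed = urlparse(url)
        # Relative paths and data:/javascript: URLs stay on your own origin.
        if parsed.scheme in ("data", "javascript", "mailto") or not parsed.hostname:
            continue
        domain = registrable_domain(parsed.hostname)
        if domain == own:
            continue
        vendor, role, needs_dpa = VENDOR_ROLES.get(domain, ("unknown", "review manually", None))
        entry = inventory.setdefault(
            domain, {"vendor": vendor, "role": role, "dpa_required": needs_dpa, "urls": []}
        )
        entry["urls"].append(url)
    return inventory


def dpa_gaps(inventory, dpas_on_record):
    """Processors that need a DPA but have none recorded, plus unclassified domains."""
    missing, unknown = set(), []
    for domain, entry in inventory.items():
        if entry["dpa_required"] is None:
            unknown.append(domain)
        elif entry["dpa_required"] and entry["vendor"] not in dpas_on_record:
            missing.add(entry["vendor"])
    return sorted(missing), unknown


# Constructed sample page for a fictional shop at www.example.nl (not a real site).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://js.stripe.com/v3/"></script>
</head><body>
<img src="https://www.example.nl/logo.png">
<form action="https://example.us21.list-manage.com/subscribe/post" method="post"></form>
<iframe src="https://widget.unknown-chat-vendor.io/embed"></iframe>
<script src="https://www.google-analytics.com/analytics.js"></script>
</body></html>"""


def demo():
    """Run the inventory on the sample page with only Google's DPA on record."""
    inventory = third_party_inventory(SAMPLE_HTML, "https://www.example.nl/")
    return inventory, dpa_gaps(inventory, dpas_on_record={"Google"})


if __name__ == "__main__":
    inventory, (missing, unknown) = demo()
    for domain, entry in inventory.items():
        print(f"{domain:26} {entry['vendor']:15} {entry['role']}")
    print("DPA missing for:", missing)
    print("Unclassified third parties:", unknown)
```

Run it against a saved copy of your own homepage and checkout page, then add every domain it reports to your verwerkingsregister with the DPA status next to it. The unknown list is the important output: a domain you cannot classify is a vendor you have not yet decided is processor or controller, and that decision comes before any DPA.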
For the full picture of GDPR obligations for your website, use our GDPR compliance checklist. To check the current state of your own site, start a free scan.
This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.