Skip to content
Biscotti CMP
FeaturesPricing🔍 Cookie Check♿ Accessibility📦 DownloadsDocumentationBlog
Login
Home›Blog

AVV vs. DPA: Navigating the Nuances of Data Processing Agreements

July 7, 2026 · 15 min read

Quick Answer: AVV (Auftragsverarbeitungsvertrag) and DPA (Data Processing Agreement) refer to the same legally required contract under GDPR Article 28, the German term AVV is used in DACH-region jurisdictions, while DPA is the English-language equivalent used across most other EU member states and internationally. Both govern how a data processor handles personal data on behalf of a controller. Choosing the wrong framing, or skipping the agreement entirely, can expose your organization to significant regulatory penalties.

Key Takeaways

  • AVV is the German abbreviation for Auftragsverarbeitungsvertrag; DPA stands for Data Processing Agreement, they are functionally the same instrument under GDPR.
  • Both agreements are mandatory under Article 28 GDPR whenever a controller engages a processor to handle personal data.
  • The terminology difference is regional: AVV is standard in Germany, Austria, and Switzerland; DPA is used in English-speaking and most other EU contexts.
  • A valid agreement must cover subject matter, processing duration, data categories, data subject rights, sub-processor conditions, security measures, and audit provisions. [1]
  • Failing to have the correct agreement in place can result in supervisory authority investigations, fines, and contract disputes.
  • Cost to implement ranges from zero (using a vendor's standard template) to several thousand euros for custom legal drafting.
  • Some businesses operating across DACH and non-DACH markets legitimately use both terms in the same agreement for clarity.
  • A Consent Management Platform such as Biscotti CMP can support your broader GDPR compliance posture, but does not replace a properly executed AVV or DPA.

What Does AVV Stand For in Data Protection, and Is It the Same as a DPA?

AVV stands for Auftragsverarbeitungsvertrag, the German-language term for a Data Processing Agreement. In practical legal terms, an AVV and a DPA are the same document, both satisfy the requirement set out in Article 28 of the GDPR for a written contract between a data controller and a data processor. [1]

The distinction is purely linguistic and jurisdictional. German, Austrian, and Swiss data protection practitioners use AVV as the standard term in contracts, privacy policies, and regulatory correspondence. English-speaking practitioners and most other EU member states use DPA. When a German SaaS vendor offers you an "AVV," they are offering the same legal instrument that a UK-based vendor would call a "DPA."

Key clarification: Neither term implies a different legal standard. Both must meet the same GDPR Article 28(3) content requirements to be valid. [1]


What Is the Difference Between AVV and DPA?

The difference between AVV and DPA is terminological, not substantive. Both describe the contract mandated by GDPR Article 28 between a data controller (the entity that determines the purpose and means of processing) and a data processor (the entity that processes data on the controller's behalf).

Where genuine differences can emerge is in drafting style and local regulatory guidance:

  • German supervisory authorities (Datenschutzbehörden) have published specific template clauses and guidance notes that AVV documents often incorporate.
  • English-language DPAs drafted for UK or Irish jurisdictions may reference national implementing legislation alongside GDPR.
  • Swiss AVVs must also account for the revised Federal Act on Data Protection (revFADP), which diverges from GDPR in certain respects.

Bottom line: If a vendor sends you an AVV and you need a DPA, you have received what you need, provided the content meets Article 28(3) requirements. [1]


When Do You Need an AVV vs. a DPA?

You need one of these agreements any time your organization shares personal data with a third-party service provider that processes that data on your instructions. The trigger is the controller-processor relationship, not the language of the contract.

Use an AVV when:

  • Your counterparty is based in Germany, Austria, or Switzerland and their standard contract uses that terminology.
  • Your own organization operates under German data protection law and your internal templates follow BfDI or state DPA guidance.

Use a DPA when:

  • Your counterparty operates in an English-speaking jurisdiction or uses English as the contract language.
  • You are contracting with a US-based cloud provider, a UK SaaS vendor, or any international processor whose templates default to "DPA."

Common mistake: Assuming that because a vendor calls their document an AVV rather than a DPA, different legal rules apply. The content requirements are identical under GDPR. What matters is substance, not the label on the cover page.


Who Needs an AVV and Who Needs a DPA?

Any organization that qualifies as a data controller under GDPR and engages a third party to process personal data on its behalf needs one of these agreements. This applies to:

  • E-commerce businesses using third-party payment processors or email marketing platforms.
  • Enterprises using cloud infrastructure providers (IaaS, PaaS, SaaS).
  • Online marketing agencies processing client customer data.
  • Developers building applications that handle end-user personal data via external APIs.
  • Website owners using analytics tools, CDNs, or CRM systems that process visitor data.

Organizations based in DACH markets will typically encounter the AVV label; those operating internationally will more often deal with DPAs. Both categories of organization face the same legal obligation.


What Should Be Included in an AVV vs. a DPA?

Both an AVV and a DPA must contain the same mandatory elements under GDPR Article 28(3). Missing any of these clauses renders the agreement non-compliant. [1]

Required Clause Description
Subject matter and duration What data is processed and for how long
Nature and purpose Why and how processing occurs
Data types and data subjects Categories of personal data and affected individuals
Controller's rights and obligations Instructions the processor must follow
Security measures Technical and organizational safeguards (TOMs)
Sub-processor conditions Rules for engaging downstream processors
Data subject rights assistance Support for access, erasure, portability requests
Breach notification Processor's obligation to notify controller of incidents
Data return or deletion What happens to data at contract end
Audit rights Controller's right to verify compliance

Edge case: If a vendor's template omits audit rights or sub-processor conditions, do not sign it as-is. These are non-negotiable under Article 28(3). [1]


How Much Does It Cost to Set Up an AVV or DPA?

Cost depends entirely on whether you use a vendor's standard template or commission custom legal drafting.

  • Vendor-provided template (most common): Free. Most major SaaS and cloud providers publish a standard AVV or DPA that controllers can accept online or via a click-through process.
  • Negotiated custom agreement: Legal fees typically range from 500 to 5,000 euros depending on complexity, jurisdiction, and counsel rates. Enterprise contracts with significant data volumes or sensitive data categories sit at the higher end.
  • Internal template development: A one-time investment of legal counsel time to create a reusable template; ongoing cost is minimal.

Practical note: For most SMEs and website owners, the vendor's standard template is sufficient. Custom negotiation is warranted when processing involves special category data (health, biometric, financial) or when the controller bears significant liability exposure.


How Do AVV and DPA Requirements Differ by Country?

Under GDPR, the substantive requirements are harmonized across all EU member states, so the core content of an AVV and a DPA is identical whether you are in Berlin, Paris, or Warsaw. However, national-level nuances exist:

  • Germany: The BfDI and state-level DPAs have issued detailed guidance and model clauses. German AVVs often include more granular technical and organizational measures (TOMs) documentation.
  • Switzerland: The revFADP (effective September 2023) imposes additional requirements beyond GDPR, including specific provisions for cross-border data transfers and data breach notification timelines.
  • UK (post-Brexit): UK GDPR applies; DPAs must reference the UK ICO's guidance rather than EU supervisory authorities. Standard contractual clauses differ from EU SCCs.
  • Other EU member states: GDPR Article 28 applies directly; local DPA guidance may supplement but cannot reduce the minimum requirements.

Choose the governing law clause carefully. A German-law AVV and an Irish-law DPA may look similar but will be interpreted by different courts and supervisory authorities.


Can You Use an AVV Instead of a DPA, or Use Both at the Same Time?

Yes, an AVV can substitute for a DPA because they are legally equivalent instruments. A company operating across DACH and non-DACH markets may include both terms in the same contract header (e.g., "Data Processing Agreement / Auftragsverarbeitungsvertrag") to avoid confusion, this is common practice in bilingual enterprise contracts and is entirely permissible.

Using both labels simultaneously does not create two separate legal obligations. It simply ensures that German-speaking and English-speaking parties understand they are looking at the same document.


What Are Common Mistakes When Choosing Between AVV and DPA?

The most consequential mistakes are not about which term you use, but about what the agreement contains and whether it exists at all.

  • Skipping the agreement entirely because a vendor relationship feels informal or low-risk. Under GDPR, the obligation is triggered by the act of processing, not by perceived risk level.
  • Accepting an incomplete template that omits sub-processor clauses or audit rights, believing the vendor's version is automatically compliant.
  • Conflating a DPA with a data sharing agreement. A DPA governs processor relationships; a data sharing agreement governs joint controller or controller-to-controller data exchanges. These are different instruments.
  • Failing to update agreements when a processor engages new sub-processors or changes the nature of processing.
  • Assuming GDPR compliance covers Swiss law. Organizations with Swiss data subjects must ensure their AVV also satisfies revFADP requirements.

What Are the Legal Consequences of Getting AVV vs. DPA Wrong?

Failing to have a valid, complete agreement in place exposes both controllers and processors to regulatory and civil liability.

Under GDPR Article 83(4), infringements of Article 28 (the DPA/AVV requirement) can result in administrative fines of up to 10 million euros or 2% of global annual turnover, whichever is higher. Supervisory authorities in Germany have demonstrated willingness to investigate and fine organizations for missing or deficient processing agreements.

Beyond fines, consequences include:

  • Supervisory authority audits and corrective orders.
  • Inability to enforce contractual terms against a non-compliant processor.
  • Civil liability exposure if a data breach occurs without a valid agreement documenting security obligations.
  • Reputational damage in B2B contexts where enterprise clients conduct vendor due diligence.

How Do You Know Which Agreement Your Business Actually Needs?

The decision is straightforward once you identify the relationship and the jurisdiction.

Step 1: Determine whether your organization is the controller (you decide why and how data is processed) or the processor (you process data on someone else's instructions).

Step 2: Identify the language and jurisdiction of your counterparty. If they are in the DACH region, expect an AVV. If they are elsewhere, expect a DPA.

Step 3: Verify that whichever document you receive contains all ten mandatory elements under Article 28(3) GDPR. [1]

Step 4: If your organization also needs to manage user consent for cookies and tracking technologies, a Consent Management Platform like Biscotti CMP addresses that layer of GDPR compliance, but it operates alongside, not instead of, a properly executed AVV or DPA.

Decision rule: If you process personal data on behalf of another organization, you need a DPA or AVV regardless of what the relationship is called commercially. If another organization processes data on your behalf, you are responsible for ensuring that agreement is in place before processing begins.


FAQ

Q: Is an AVV legally valid outside Germany? An AVV is legally valid anywhere GDPR applies, provided it meets Article 28(3) content requirements. The German terminology does not limit its enforceability in other EU jurisdictions.

Q: Does a DPA need to be signed by both parties? Yes. GDPR Article 28(9) requires the agreement to be in writing, which includes electronic form. Both controller and processor must be bound by its terms.

Q: Can a vendor's online click-through DPA satisfy GDPR requirements? Yes, if the content meets Article 28(3) requirements. Many major cloud providers offer compliant click-through DPAs that have been reviewed by supervisory authorities.

Q: What is a sub-processor, and why does it matter in a DPA or AVV? A sub-processor is a third party engaged by the processor to carry out processing activities. The DPA or AVV must specify conditions under which sub-processors can be engaged, including the controller's right to object. [1]

Q: Do I need a new AVV or DPA every time a processor updates its sub-processor list? Not necessarily. Many agreements include a general authorization for sub-processor changes, provided the processor notifies the controller and the controller retains the right to object within a specified period.

Q: Does a DPA cover data transfers outside the EU? A DPA governs the processing relationship but does not by itself authorize cross-border data transfers. Separate transfer mechanisms (Standard Contractual Clauses, adequacy decisions) are required for transfers to third countries.

Q: How long should a DPA or AVV be retained? Retain the agreement for the duration of the processing relationship and for a reasonable period afterward, typically at least three to five years, to demonstrate compliance in the event of a supervisory authority inquiry.

Q: What is the difference between a DPA and a DPIA? A DPA (Data Processing Agreement) is a contract between controller and processor. A DPIA (Data Protection Impact Assessment) is an internal risk assessment required for high-risk processing activities. They serve different purposes and neither substitutes for the other.

Q: Can a freelancer or small agency be required to sign an AVV or DPA? Yes. The obligation applies regardless of the processor's size. A freelance developer handling client customer data is a processor and must sign a DPA or AVV with each client controller.

Q: Does Biscotti CMP replace the need for a DPA or AVV? No. Biscotti CMP is a Consent Management Platform that helps manage user consent for cookies and tracking, a separate GDPR compliance requirement. A DPA or AVV is still required for any processor relationship involving personal data.


Conclusion

The AVV vs. DPA question resolves quickly once you recognize that both terms describe the same legally required instrument under GDPR Article 28. The real challenge is not choosing between them, it is ensuring that whichever document governs your processor relationships contains every mandatory clause, is properly executed, and is kept current as processing activities evolve.

Actionable next steps:

  1. Audit all current vendor relationships to confirm a valid DPA or AVV is in place for each processor handling personal data on your behalf.
  2. Review existing agreements against the ten mandatory elements of Article 28(3) GDPR and request amendments for any gaps. [1]
  3. If operating in Switzerland, verify that agreements also satisfy revFADP requirements beyond the GDPR baseline.
  4. Establish an internal process for onboarding new processors, no processing should begin before the agreement is signed.
  5. For consent management and cookie compliance on your website or application, evaluate Biscotti CMP as part of your broader GDPR compliance framework.

Data protection compliance is not a one-time project. Agreements need to be reviewed when processing changes, when sub-processors are added, and when regulatory guidance evolves. Building that review cadence into your compliance program is the most practical safeguard against regulatory exposure.


References

[1] Data Processing Agreement - https://erp-software.org/en/glossary/data-processing-agreement/?utm_source=openai


← Back to blog
Biscotti CMP

Consent Management and Legal Text Generator by Campcruisers GmbH (Falkensee). Can support your website compliance.

Product

🏢 About UsFeaturesPricingDocumentation🔍 Cookie Check📦 Downloads📚 Privacy & Consent Knowledge Base📝 Blog📖 Cookie Consent & Privacy Glossary🌍 Jurisdictions♿ WCAG 2.2 Accessible Consent Banner

Legal

ImprintPrivacy PolicyTerms of ServiceRight of WithdrawalDPACookie Policy

Contact

Contact
© 2026 Biscotti – A service of Campcruisers GmbH🍪 Change cookie settings