
GDPR Art. 28 DPA (Data Processing Agreement) in Hotel RFPs (Plain English Definition + Examples)

Definition

GDPR Article 28 requires a written Data Processing Agreement between any controller (the planner organization) and any processor (the hotel) handling personal data — attendee names, dietary needs, accessibility requirements, room preferences. Without a signed DPA, the data transfer is non-compliant and the fine exposure is up to €20M or 4% of global revenue.

In day-to-day European event sourcing, the GDPR Art. 28 DPA sits inside a broader workflow that includes the brief, the longlist, the shortlist, the contract negotiation, and the post-event reconciliation. Understanding it in isolation is not enough: what matters is how it interacts with the other levers a planner can pull. The definition above is the textbook version; the sections below explain how it actually behaves in real RFPs.

Why GDPR Art. 28 DPA matters

Every group booking transfers personal data to the hotel. A DPA is not optional: it has been a legal requirement since May 2018. Hotels increasingly have standard DPAs available, but planners must verify scope, retention periods, sub-processor lists, and breach-notification timelines (typically 24-72 hours).

The practical takeaway: planners and procurement teams who get the GDPR Art. 28 DPA right typically see measurable improvements in cost, risk exposure, or cycle time, sometimes all three. Teams who default to the supplier's standard language usually leave 5-15% of total event value on the table, often without realizing it. The skill is recognizing the DPA when it appears, knowing the market-standard range, and treating any deviation from that range as a negotiation point, not a take-it-or-leave-it offer.

Example

A German enterprise's compliance team requires a DPA on file before any hotel can join the PVL. A new property submits the chain's standard DPA; the legal team flags two issues (sub-processor list not provided, retention period unclear) and requires a marked-up version before approval. The process takes 6 weeks; without it, no bookings can be sent.

This example is representative of mid-to-large European corporate MICE: pharma, finance, tech, professional services. Smaller events (under 50 attendees) and very large events (1,000+) often follow different conventions, but the underlying logic of the GDPR Art. 28 DPA stays the same. The numbers move, the principle doesn't.

Where GDPR Art. 28 DPA appears in contracts

The DPA is signed alongside the master agreement or per-event contract. Key sections: scope of processing, retention, sub-processor approval, breach notification, audit rights, international transfer mechanisms (SCCs if data leaves the EU/EEA).

When reviewing a hotel proposal or contract draft, scan for the GDPR Art. 28 DPA early: it's often easier to negotiate before the supplier has anchored on their preferred position. Easy RFP surfaces these terms in every comparison view so planners can spot deviations from market-standard ranges at a glance, rather than reading 14-page proposals line by line.
