You bought a consent management platform to help your website comply with the GDPR. But the CMP itself processes personal data on your behalf — consent records, IP addresses, device fingerprints, browsing context — and that makes it a data processor under the regulation. Which means you need a Data Processing Agreement with it, just like you need one with your analytics provider, your hosting company, or your email platform.
This isn't a theoretical edge case. It's a direct requirement of GDPR Article 28, and it's one that procurement teams and DPOs sometimes overlook precisely because the CMP is a "compliance tool." The assumption is that a vendor in the compliance space must already have its own house in order. That's often true — but you still need to verify it, document it, and hold the agreement on file.
If you're new to DPAs in general, start with our overview of Data Processing Agreements for website owners. This guide goes deeper on one specific relationship: the DPA between you and your CMP provider.
Why Your CMP Needs Its Own DPA
The logic is simple once you spell it out. You (the website owner) are the data controller: you decide to collect consent from visitors, you configure the banner categories and text, you choose which cookies to block or allow. Your CMP is the data processor: it executes those instructions by displaying the banner, recording the visitor's choices, and storing the consent proof.
That controller-processor relationship triggers Article 28. No exceptions for "compliance vendors" or "privacy tools." The regulation doesn't care what the processor's product does — it cares that personal data is being processed on someone else's behalf, and it requires a binding agreement to govern that relationship.
What makes the CMP case worth separate attention is the nature of the data involved. Your CMP doesn't just handle peripheral data. It handles the evidence that your entire consent architecture works. If that data is compromised, mishandled, or unavailable when a regulator asks for it, you don't just have a data breach — you've lost your ability to prove compliance with every other part of the GDPR that depends on valid consent.
What Data Does a CMP Actually Process?
Most CMPs process the following on your behalf:
- Consent records — the per-visitor log of what was accepted, rejected, or customized, tied to a timestamp and consent ID. This is your proof of lawful consent under Article 7(1).
- IP addresses — used for geolocation (to apply regional rules) and often stored alongside the consent record. An IP address is personal data under the GDPR.
- Device and browser information — user agent strings, screen resolution, language. Sometimes stored in consent logs for audit purposes.
- Page URLs and referrers — the page where consent was given or refused, relevant for proving context-specific consent.
- Cookie identifiers — the CMP's own first-party cookie to remember the visitor's choice. Combined with the consent record, this can constitute personal data.
- Consent signal metadata — TCF consent strings, Google Consent Mode states, GPC signals encoding preferences in machine-readable form.
In aggregate, this is a detailed profile tied to an identifiable individual. It deserves the same contractual protection you'd demand for customer records — arguably more, because it's the foundation your compliance posture rests on.
GDPR Article 28: What the DPA Must Cover
Article 28 prescribes specific clauses for every processor agreement. Here's how each applies to the CMP relationship:
- Processing only on documented instructions — The CMP must process consent data according to your configuration, not repurpose it for its own analytics or cross-customer benchmarking.
- Confidentiality obligations — Personnel with access to consent records must be bound by confidentiality agreements.
- Security measures — Encryption in transit and at rest, access controls, incident response. Consent records are compliance evidence, so the bar should be high.
- Sub-processor authorization — Prior authorization (general or specific) before engaging sub-processors, with the same obligations flowing down.
- Assistance with data subject rights — If a visitor submits a data subject access request covering their consent history, the CMP must help you respond.
- Breach notification and DPIAs — The CMP must notify you of breaches affecting your data and assist with impact assessments.
- Deletion or return of data — When you stop using the CMP, it must delete or return all consent data.
- Audit rights — You or a designated auditor must be able to verify the CMP's compliance.
A DPA covering all of these gives you a contractual enforcement mechanism — and evidence for regulators that you've fulfilled your controller obligations.
Key DPA Clauses to Verify Before Signing
Beyond the Article 28 minimums, these areas are where compliant-looking agreements often fall short.
Sub-Processor Transparency
Check whether the DPA includes a named list of sub-processors, or at minimum a mechanism to obtain one. Your CMP's hosting provider, CDN, logging infrastructure, and any third-party services it integrates all qualify as sub-processors. You should know who they are, where they operate, and what data they access. The DPA should also specify how you'll be notified when sub-processors change — ideally with advance notice and the right to object.
Data Location
If your visitors are in the EU, storing consent data exclusively outside the EEA adds transfer obligations. Check whether the DPA specifies data residency and whether it aligns with your international transfer arrangements. EU-hosted infrastructure simplifies this.
Data Retention and Deletion
The DPA should specify how long the CMP retains consent records and commit to deletion within a defined timeframe after termination. Consent proof should be kept long enough for compliance but not indefinitely — and the CMP shouldn't retain it longer than you've instructed.
Audit Rights
The DPA should grant you the right to audit, directly or through an independent auditor. Most SaaS CMPs satisfy this through SOC 2 reports or ISO 27001 certificates, which is generally acceptable — but the right must exist in the contract.
Breach Notification Timelines
The GDPR requires controllers to notify authorities within 72 hours of a breach. Your CMP's DPA should commit to notifying you well within that window — look for a specific hour limit (24 to 48 hours). "Promptly" with no timeframe is a gap that could cost you the 72-hour window.
Red Flags in a CMP's DPA
Walk away — or at minimum, negotiate — if you see any of the following:
- Unlimited sub-processor discretion — the CMP can add sub-processors at will with no notice or objection right. You've lost control over who touches your visitors' data.
- US-only data storage with no transfer mechanism — consent records for EU visitors stored exclusively in the US, with no Standard Contractual Clauses, no Data Privacy Framework certification, and no option for EU hosting.
- No audit clause at all — the CMP offers no mechanism to verify its compliance. This is a straight Article 28 violation, and it should make you wonder what else they're not taking seriously.
- Broad data reuse rights — language allowing the CMP to use "aggregated" or "anonymized" consent data for its own purposes without clearly defining what aggregation means or giving you the right to opt out.
- No breach notification timeline — vague or absent commitments on when the CMP will tell you about a security incident.
- Indefinite data retention after termination — the CMP keeps your consent data after you leave, with no deletion commitment and no timeline.
How to Evaluate a CMP's DPA: A Procurement Checklist
If you're a DPO or procurement lead evaluating CMPs, the DPA review should be a structured part of your vendor assessment — not an afterthought. Here's a practical approach:
CMP DPA Evaluation Checklist
Is the DPA publicly available before purchase?
Reputable CMPs publish their DPA in their trust center or legal page. If you can't see it until after signing, that's a yellow flag.
Does it cover all Article 28 required clauses?
Instructions-only processing, confidentiality, security measures, sub-processor rules, DSAR assistance, breach notification, deletion at termination, and audit rights.
Are sub-processors named and their locations disclosed?
You need to know who handles your consent data and where. A named list with advance change notification is the standard.
Is EU data residency available or guaranteed?
For EU visitors' consent records, EU-hosted storage avoids layering transfer mechanisms on top of the processor agreement.
Are retention periods defined and reasonable?
Consent records need to be kept long enough to prove compliance but not indefinitely. Look for clear retention commitments and post-termination deletion timelines.
Does the breach notification clause include a timeframe?
"Without undue delay" is the minimum. A specific hour limit (24–48 hours) gives you time to meet the controller's 72-hour obligation.
Is there a meaningful audit right?
SOC 2 reports or ISO 27001 certificates shared on request are acceptable. No audit mechanism at all is not.
Does the CMP claim any data reuse rights?
Consent data should be processed solely on your instructions. Any clause allowing the CMP to use your visitors' data for its own analytics or benchmarking needs scrutiny.
Can you export or retrieve all consent records?
Data portability matters for migration. The DPA or service terms should guarantee data return in a standard format.
Does the CMP separate its role as controller from its role as processor?
The CMP is a controller for its own customer accounts but a processor for your visitors' consent data. The DPA should clearly distinguish these roles.
The Irony of Non-Compliant Compliance Tools
There's a particular absurdity in a CMP that doesn't have a compliant DPA. You're buying the tool to demonstrate that you take data protection seriously. If the vendor can't get its own processor agreement right, it raises a question about everything else it provides — the consent collection, the record-keeping, the signal implementation.
A CMP vendor that's vague about sub-processors, silent on data residency, or unwilling to commit to audit rights is either cutting corners or hasn't thought carefully about its own obligations. Neither is a good sign for a product that's supposed to be your compliance backbone. Use DPA quality as a procurement signal: if the vendor can answer questions about data flows, sub-processors, and retention policies clearly and without hedging, that tells you something about how they run the rest of their operation.
CookieBeam's Approach to Data Processing
CookieBeam acts as a data processor when handling your visitors' consent data. The relationship is straightforward: you configure the banner, define the cookie categories, and set the rules; CookieBeam executes those instructions by collecting and storing consent records on your behalf.
Here's how CookieBeam addresses the key DPA concerns covered in this guide:
- DPA availability — CookieBeam provides a Data Processing Agreement to customers on request. Contact [email protected] for a copy.
- Data processed — consent records (visitor choices, timestamps, consent IDs), IP addresses (used for geolocation and regional rule matching), device and browser metadata, and page context.
- Sub-processors — CookieBeam's infrastructure sub-processors include AWS and Cloudflare for hosting and content delivery, and Stripe for payment processing. Sub-processors are disclosed and changes are communicated.
- Data retention — consent records are retained for 3 years from the last recorded consent event. Account data is retained while your account is active plus 3 years. Usage logs are retained for 1 year.
- International transfers — where data is transferred outside the EU/UK, Standard Contractual Clauses are used as the transfer mechanism.
- Security — appropriate technical and organizational measures to protect consent data, including encryption in transit.
- Data subject rights — CookieBeam assists controllers in responding to data subject access, rectification, and erasure requests related to consent records.
For questions about CookieBeam's data processing practices or to request the full DPA, contact [email protected].
Your CMP Is One DPA Among Many
The CMP is a critical processor, but it's not the only one. Your analytics provider, hosting company, email platform, and every other tool that touches visitor data all need DPAs too. Use this CMP evaluation as a template for reviewing your entire vendor stack. For a broader walkthrough, see our complete guide to DPAs for website owners.
Next Steps
If you haven't reviewed the DPA with your current CMP, do it before your next audit — not during it. Pull up the agreement, walk through the checklist above, and flag gaps. If the vendor can't address them, weigh that in your next procurement cycle.
Related guides:
- Data Processing Agreements: What Website Owners Need to Know — the full DPA picture across your tool stack.
- EU-US Data Transfers & the Data Privacy Framework — transfer mechanisms and processor agreements.
- DSAR Handling for Website Owners — data subject requests that touch consent records.
- What Is a CMP? — consent management platforms explained.