Lumio
← Blog · June 02, 2026

Concluding a DPA with one click — what Art. 28 GDPR requires of you

Anyone using gallery software lets a provider process client data — and needs a data processing agreement for it. Why it's mandatory and how it's done electronically in minutes.

GDPR Legal

Many photographers hear about a “DPA” for the first time when a client — often a business client — asks for it. Then the frantic search begins. Yet the matter is clearly regulated and, with the right platform, quickly handled. This article isn’t legal advice, but a practical orientation.

Conclude a data processing agreement electronically with your master data

Why you need a DPA at all

As soon as a provider processes personal data on your behalf, Art. 28 GDPR requires a data processing agreement (DPA). With a gallery platform that’s exactly the case: it stores and processes photos of identifiable people and gallery access — on your behalf. The DPA governs what the provider may do with this data, which protective measures apply, and which sub-processors are used.

In this constellation you are the “controller”, the platform the “processor”. Without a DPA you’re formally not processing in a compliant way — regardless of how secure the technology is.

Why “electronically” is entirely sufficient

A common misconception: that a signed paper is needed. Art. 28(9) GDPR expressly permits the electronic format. A DPA concluded with a click and cleanly documented is fully valid legally. That saves the postal route and ensures you can show the agreement immediately when a client asks.

How it should work

A good provider supplies the DPA ready-made. You only fill in your master data — name or company name and address as the “controller” — and conclude it with a click. The technical and organizational measures as well as the list of sub-processors should be included as annexes. Afterward you should be able to save or print the agreement as a PDF to file it.

Conclusion

The DPA isn’t red tape, it’s a clear legal obligation — and with electronic conclusion it’s done in minutes. What matters is that your provider supplies it ready-made, including the necessary annexes, and that you can always get a concludable, savable version.

Lumio is built exactly for that: the DPA under Art. 28 GDPR is ready-made — you enter your master data, conclude it electronically and can save it as a PDF. Technical measures and sub-processors are included as annexes.

Try it free for 14 days.

Full functionality, no upfront payment. If you don't want to continue, just let it lapse — we won't pester you with reminder emails.

Start trial Prefer to self-host? → lumio-app.de