GDPR Data Processing Agreement (DPA) Guide: Article 28 Requirements & Required Clauses

Article 28 of GDPR requires that any processing by a data processor on behalf of a controller is governed by a binding contract, commonly known as a Data Processing Agreement (DPA). This contract must set out the subject matter, duration, nature, and purpose of the processing, the type of personal data, categories of data subjects, and the obligations and rights of the controller. Failure to have a compliant DPA in place is a direct GDPR violation that can trigger fines under the lower tier of up to EUR 10 million or 2% of global turnover. This guide covers every aspect of DPA compliance.

Controller vs Processor: Understanding the Relationship

Before drafting a DPA, organizations must correctly identify whether they are acting as a controller or processor in each data processing relationship. Under Article 4(7), the controller determines the purposes and means of processing personal data. The processor, defined in Article 4(8), processes personal data on behalf of the controller and only in accordance with the controller's instructions. This distinction is critical because it determines which party bears primary responsibility for compliance and which provisions must be included in the DPA. In practice, many organizations act as both controllers and processors depending on the context. A payroll provider is typically a processor when processing employee salary data on behalf of its client companies, but a controller when processing its own employees' data. A cloud platform provider may be a processor for customer data but a controller for usage analytics it collects for its own purposes. Joint controllership arises under Article 26 when two or more controllers jointly determine the purposes and means of processing, requiring a different type of arrangement. Misidentifying the controller-processor relationship is a common mistake that can render a DPA non-compliant. The European Data Protection Board has published guidance on the distinction, emphasizing that the actual role must be determined by the factual circumstances of the processing, not by what the parties choose to call themselves in a contract.
  • Controllers determine purposes and means of processing; processors act on controller instructions
  • Many organizations act as both controller and processor depending on the processing activity
  • Joint controllership under Article 26 requires a different arrangement than a standard DPA
  • EDPB guidance emphasizes factual circumstances over contractual labels
  • Misidentifying the relationship is a common mistake that can invalidate the DPA

Mandatory DPA Clauses Under Article 28(3)

Article 28(3) specifies eight mandatory elements that must be included in every DPA. First, the processor shall process personal data only on documented instructions from the controller, including with regard to transfers to third countries. Second, the processor must ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Third, the processor must take all measures required under Article 32, meaning it must implement appropriate technical and organizational security measures. Fourth, the processor must respect the conditions for engaging sub-processors, including obtaining prior specific or general written authorization from the controller. Fifth, the processor must assist the controller by appropriate technical and organizational measures for the fulfillment of data subject rights requests. Sixth, the processor must assist the controller in ensuring compliance with Articles 32 through 36, covering security, breach notification, and data protection impact assessments. Seventh, at the choice of the controller, the processor must delete or return all personal data after the end of service provision and delete existing copies unless EU or member state law requires storage. Eighth, the processor must make available to the controller all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits and inspections conducted by the controller or an auditor mandated by the controller.
  • Processing must be limited to documented instructions from the controller
  • Staff authorized to process data must be bound by confidentiality obligations
  • Appropriate technical and organizational security measures under Article 32 are required
  • Sub-processor engagement requires prior written authorization from the controller
  • Data must be deleted or returned at the end of the service relationship

Sub-Processor Management Requirements

Article 28(2) and 28(4) establish specific requirements for how processors engage sub-processors. The processor must not engage another processor (sub-processor) without prior specific or general written authorization from the controller. If general written authorization is given, the processor must inform the controller of any intended changes concerning the addition or replacement of sub-processors, giving the controller the opportunity to object. When a sub-processor is engaged, the same data protection obligations as set out in the DPA between controller and processor must be imposed on the sub-processor by way of a contract. In particular, the sub-processor must provide sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets GDPR requirements. Where the sub-processor fails to fulfill its data protection obligations, the initial processor remains fully liable to the controller for the performance of the sub-processor's obligations. In practice, this means organizations must maintain a current list of all sub-processors, notify controllers before adding or changing sub-processors, ensure each sub-processor is bound by equivalent contractual obligations, and monitor sub-processor compliance on an ongoing basis. Major cloud and SaaS providers typically maintain public sub-processor lists and offer notification mechanisms for changes, which has become an industry standard approach for managing the general authorization workflow.
  • Processors need prior specific or general written authorization before engaging sub-processors
  • Controllers must have the opportunity to object to new or replacement sub-processors
  • Sub-processors must be bound by equivalent data protection obligations via contract
  • The initial processor remains fully liable for sub-processor failures
  • Maintaining a current sub-processor list with change notification is standard practice

International Data Transfer Provisions

DPAs must address international data transfers, particularly since the Schrems II decision invalidated the EU-US Privacy Shield. If a processor or sub-processor transfers personal data outside the European Economic Area, the DPA must specify the transfer mechanism being used. Standard Contractual Clauses (SCCs), adopted by the European Commission in June 2021, are the most commonly used mechanism. The current SCCs are modular, with four modules covering controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller transfers. When SCCs are used, they can be incorporated directly into the DPA as an annex. The DPA should specify which module applies and complete all required annexes including descriptions of the processing, technical and organizational measures, and the list of sub-processors. Beyond SCCs, organizations may rely on Binding Corporate Rules for intra-group transfers, adequacy decisions for transfers to approved countries, or derogations under Article 49 in limited circumstances. Following Schrems II, organizations must also conduct Transfer Impact Assessments (TIAs) to evaluate whether the legal framework of the destination country provides essentially equivalent protection to EU law, and implement supplementary measures if it does not. The DPA should address the processor's obligation to cooperate with TIAs and implement supplementary measures as directed by the controller.
  • DPAs must specify the transfer mechanism for any processing outside the EEA
  • Standard Contractual Clauses (2021 version) are the most common transfer mechanism
  • Transfer Impact Assessments are required post-Schrems II to evaluate destination country laws
  • The modular SCC structure covers four types of transfer relationships
  • Processors must cooperate with TIAs and implement supplementary measures as directed

Audit Rights and Compliance Verification

Article 28(3)(h) requires that the processor make available all information necessary to demonstrate compliance with Article 28 obligations and allow for and contribute to audits and inspections conducted by the controller or the controller's mandated auditor. This audit right is non-negotiable and must be included in every DPA. However, the practical implementation of audit rights varies significantly. Large processors handling data for thousands of controllers often cannot accommodate individual on-site audits from every customer. Industry practice has evolved to address this through several mechanisms. Many processors engage independent third-party auditors to conduct SOC 2 Type II, ISO 27001, or other recognized audits, and make the results available to controllers. The DPA may specify that the controller's audit right is first satisfied by reviewing these third-party audit reports, with the right to conduct additional audits if the reports are insufficient or if specific concerns arise. Some DPAs include provisions requiring reasonable advance notice for audits, limiting audit frequency, allowing the processor to charge reasonable costs for audits beyond the initial report review, and restricting audits to business hours with minimal disruption. While these practical limitations are common and generally acceptable, the controller must retain a meaningful audit right. A DPA that effectively eliminates the ability to audit the processor would not comply with Article 28(3)(h). Controllers should negotiate clear audit procedures and ensure they retain the right to conduct or commission audits when third-party reports raise concerns.
  • Article 28(3)(h) mandates audit rights that cannot be contractually eliminated
  • Third-party audits (SOC 2, ISO 27001) are commonly accepted as a first layer of verification
  • DPAs may include practical limitations like advance notice and frequency limits
  • Controllers must retain meaningful audit capability beyond just reviewing reports
  • The processor must cooperate with audits and make compliance information available

DPA Best Practices and Common Pitfalls

Beyond meeting the minimum requirements of Article 28, several best practices improve DPA effectiveness. Define the processing scope with precision, specifying exactly what personal data categories are processed, which data subject categories are involved, and the specific processing operations performed. Vague descriptions create ambiguity that can lead to disputes and compliance gaps. Include specific breach notification timeframes rather than relying on the GDPR's general "without undue delay" language. Many organizations specify 24 to 48 hours for the processor to notify the controller after becoming aware of a breach, giving the controller time to meet the 72-hour supervisory authority notification deadline. Address data retention explicitly, specifying how long the processor may retain data during and after the service relationship, and the destruction methods that must be used. Common pitfalls include using outdated DPA templates that do not reflect the 2021 SCCs or post-Schrems II requirements, failing to keep the sub-processor list current, not documenting controller instructions in a way that satisfies the "documented instructions" requirement, and treating the DPA as separate from the broader vendor management program. The DPA should be integrated into regular vendor reviews, with periodic assessment of the processor's security measures, sub-processor management, and compliance posture.
  • Define processing scope precisely including data categories, subject categories, and operations
  • Specify breach notification timeframes (24-48 hours) rather than relying on vague language
  • Address data retention explicitly including duration and destruction methods
  • Keep sub-processor lists current and review DPAs as part of regular vendor management
  • Ensure DPA templates reflect the 2021 SCCs and post-Schrems II requirements

Key Takeaways

  • Article 28 mandates binding contracts (DPAs) between controllers and processors with eight required elements
  • Correctly identifying controller vs processor roles is essential before drafting a DPA
  • Sub-processor engagement requires prior authorization and equivalent contractual obligations
  • International data transfers must be addressed with appropriate mechanisms and Transfer Impact Assessments
  • Audit rights under Article 28(3)(h) are non-negotiable and must provide meaningful verification capability
  • DPAs should specify precise processing scope, breach notification timeframes, and data retention terms
  • Regular DPA review as part of vendor management ensures ongoing compliance

Frequently Asked Questions

What is a Data Processing Agreement under GDPR?

A DPA is a legally binding contract required by GDPR Article 28 between a data controller and a data processor. It governs how the processor handles personal data on behalf of the controller, including the subject matter, duration, nature, and purpose of processing, and incorporates eight mandatory provisions specified in Article 28(3).

When is a DPA required under GDPR?

A DPA is required whenever a controller engages a processor to process personal data on its behalf. This includes any third-party vendor, cloud provider, or service provider that accesses, stores, or processes personal data under the controller's instructions. The DPA must be in place before processing begins.

What is the difference between a DPA and a BAA?

A DPA is required by GDPR for EU personal data processing, while a BAA is required by HIPAA for US healthcare data. Both govern third-party data handling but have different legal frameworks, required provisions, and penalties. Organizations handling both types of data may need both agreements with a single vendor.

Can I use the EU Standard Contractual Clauses as my DPA?

The 2021 Standard Contractual Clauses can be used as part of a DPA, particularly for international transfers. Module Two (controller-to-processor) and Module Three (processor-to-processor) include Article 28 provisions. However, many organizations supplement SCCs with additional provisions specific to their processing relationship.

What are the penalties for not having a DPA?

Failing to have a compliant DPA constitutes a violation of Article 28, subject to the lower fine tier of up to EUR 10 million or 2% of global annual turnover. Additionally, without a DPA, the controller lacks contractual mechanisms to enforce GDPR obligations on the processor, creating significant compliance and liability exposure.

How do I manage sub-processors under a DPA?

The processor must obtain prior specific or general written authorization before engaging sub-processors. With general authorization, the processor must notify the controller of changes and allow time to object. Sub-processors must be bound by equivalent data protection obligations, and the processor remains fully liable for sub-processor compliance.
