GDPR Data Processing Agreement (DPA): Required Clauses, Templates, and What to Watch For

Last updated: 2026-05-04 — ComplianceStack Editorial Team

Every vendor, tool, or service provider that processes personal data on your behalf under GDPR requires a written Data Processing Agreement (DPA). No DPA means the processing is unlawful under Article 28(3). Regulators have issued fines specifically for missing or inadequate DPAs — and as more companies conduct GDPR compliance reviews, DPA gaps are among the first deficiencies identified. This guide covers what a DPA must contain under Article 28, how Standard Contractual Clauses interact with DPAs for international transfers, sub-processor chains, and what to look for when reviewing a vendor-provided DPA template.

What Is a GDPR Data Processing Agreement and When Is It Required

A Data Processing Agreement is a binding contract between a controller (the entity that determines the purposes and means of processing) and a processor (the entity that processes personal data on the controller's behalf). Article 28(3) of GDPR mandates that this agreement be in writing and contain specific provisions.

When a DPA is required: Any time a third party processes personal data on your instructions. This includes: cloud hosting providers (AWS, Azure, Google Cloud), SaaS tools that process customer or employee data (Salesforce, HubSpot, Workday), analytics platforms (Google Analytics 4, Mixpanel), email service providers (Mailchimp, SendGrid), and any service provider whose staff can access your users' personal data.

Controller-to-controller vs. controller-to-processor: Not every vendor relationship is a processing relationship. If a vendor determines the purposes of processing independently — for example, an advertising platform that uses your data for its own ad targeting — that vendor is a joint controller, not a processor. Joint controller relationships require a different type of arrangement under Article 26. Most SaaS tools that process data solely on your instructions are processors.

Who bears the obligation: The controller has the primary obligation to ensure the DPA is in place before processing begins. Processors also have obligations — they cannot engage sub-processors without controller authorization and must comply with the DPA terms. Both parties can be fined for processing without a required DPA.

For the full GDPR controller/processor framework, see the GDPR Compliance for US Companies 2026 and the GDPR Framework Overview.

Required DPA Clauses Under GDPR Article 28(3)

Article 28(3) lists the minimum content a DPA must include. A DPA without any of these provisions is legally deficient:

Processing only on documented instructions: The processor must process personal data only on the controller's documented instructions, including for transfers to third countries (Article 28(3)(a)). If instructions are informal or verbal, document them in the DPA or through a separate instructions document referenced in the DPA.

Confidentiality obligations: Persons authorized to process personal data must be bound by confidentiality obligations — either contractual or statutory (Article 28(3)(b)).

Security measures: The processor must implement appropriate technical and organizational measures under Article 32 — at minimum, pseudonymization and encryption, ongoing confidentiality and integrity assurances, ability to restore data after incidents, and regular testing and evaluation (Article 28(3)(c)).

Sub-processor restrictions: The processor must not engage another processor (sub-processor) without prior specific or general written authorization from the controller. If general authorization is given, the processor must inform the controller of sub-processor changes and give the controller opportunity to object (Article 28(3)(d)).

Assist with data subject rights: The processor must assist the controller in responding to data subject requests — access, erasure, portability — taking into account the nature of the processing (Article 28(3)(e)).

Assist with security, breach notification, DPIAs: The processor must assist the controller with Article 32 security obligations, Article 33/34 breach notifications, and Article 35 Data Protection Impact Assessments (Article 28(3)(f)).

Deletion or return of data: At the controller's choice, the processor must delete or return all personal data after the end of services and delete existing copies (unless EU or member state law requires storage) (Article 28(3)(g)).

Audit rights: The processor must make available all information necessary to demonstrate compliance and allow for audits and inspections by the controller or a mandated auditor (Article 28(3)(h)).

Standard Contractual Clauses and International Data Transfers

DPAs address who can process data and on what terms. Standard Contractual Clauses (SCCs) address the additional requirement of GDPR Chapter V — that transfers of personal data to countries outside the EEA must be subject to appropriate safeguards.

The European Commission adopted new SCCs in June 2021 (Commission Implementing Decision (EU) 2021/914), replacing the older 2010 and 2001 SCCs. The new SCCs include four modular sets:

Module 1: Controller to Controller (C2C)
Module 2: Controller to Processor (C2P) — the most common for SaaS vendor relationships
Module 3: Processor to Processor (P2P) — for sub-processor chains
Module 4: Processor to Controller (P2C)

Transfer Impact Assessments (TIAs): Following the Schrems II decision (Case C-311/18, 2020) invalidating the EU-US Privacy Shield, transfers to the US require a TIA to assess whether the SCC protections can be effectively applied given US surveillance law. In practice, most US processors (AWS, Google, Microsoft) rely on the EU-US Data Privacy Framework (adopted July 2023, EC Decision 2023/1795) for transfers instead of SCCs — but transfers governed by UK, Swiss, or other non-EU data protection law still require their own transfer mechanisms.

For US companies, the practical approach: obtain SCCs with vendors for EU-US transfers, review vendor TIAs, and verify that vendors have enrolled in the EU-US Data Privacy Framework if relying on it. See the GDPR for US Companies guide for the full transfer mechanism decision tree.

Sub-Processor Requirements and Chain Management

Sub-processors are processors engaged by your processor to perform processing on your data. Every link in the sub-processor chain must be covered by a DPA that mirrors the requirements of your controller-processor DPA.

Authorization requirement: Under Article 28(2), processors need your authorization before engaging sub-processors. Most vendor DPAs use a "general authorization" model — the vendor publishes a list of sub-processors and notifies you of changes with a 30-day objection window. This is GDPR-compliant if the notification mechanism is functional and the controller actually monitors it.

Sub-processor list obligations: Reputable vendors (Google, AWS, Salesforce) maintain publicly accessible sub-processor lists with contact information, processing location, and data categories. Verify that your vendor's sub-processor list is current and that processing locations align with your transfer mechanism.

Flow-down requirements: The sub-processor must be bound by the same data protection obligations as the processor under Article 28(4). If your DPA requires 72-hour breach notification, the sub-processor DPA must also require 72-hour notification to the processor. Data protection obligations cannot be weakened down the chain.

Liability flow-back: The processor remains fully liable to you for failures of its sub-processors to comply with their data protection obligations. Sub-processor use does not reduce the processor's liability to you, even where the processor and sub-processor share the fault proportionally between themselves.

For vendor management including DPA tracking, see the ComplianceStack Vendor Directory.

What Makes a Vendor-Provided DPA Inadequate

Most large SaaS vendors provide standard DPAs. Many of them are inadequate or need modification. Common deficiencies to look for when reviewing vendor-provided DPAs:

Missing audit rights: Some vendor DPAs replace the Article 28(3)(h) audit right with a right to receive a third-party audit certificate (SOC 2, ISO 27001). This is generally acceptable, but the DPA must still allow you to conduct an audit if you have specific concerns — the SOC 2 certificate cannot be the only mechanism.

Vague security measures: A DPA that says the processor will implement "appropriate security measures" without specifying them in an Annex does not satisfy Article 32 requirements. Look for specific security commitments: encryption standards, access controls, penetration testing frequency, incident response SLAs.

Broad sub-processor authorization: Some DPAs give processors unlimited discretion to add sub-processors without notice. This violates Article 28(3)(d). A valid DPA must include prior specific or general authorization — general authorization requires a notification mechanism with objection rights.

Unilateral modification rights: Some vendor DPAs reserve the right to modify terms by posting updates to a webpage. Under GDPR, the DPA is a binding contract — material changes to data protection obligations require your agreement.

Deletion on request not guaranteed: Ensure the DPA commits to deletion within a defined timeframe on termination or request — not just "within a reasonable period." EDPB guidance recommends specifying a maximum period (30-90 days is standard). Assess your complete GDPR vendor landscape with the Compliance Gap Analyzer.

DPA Enforcement Actions and Regulatory Expectations

Data protection authorities have fined both controllers and processors for DPA deficiencies:

Tilburg University (Dutch AP, 2023): Investigation found that the university's DPA with Microsoft for Teams lacked required Article 28 provisions — specifically, the processor's use of student data for Microsoft's own purposes was not adequately restricted. Settlement required DPA renegotiation and additional technical measures.

European Commission (EDPS, 2022): The European Data Protection Supervisor found that the European Commission's use of Salesforce Marketing Cloud violated GDPR because the contract lacked appropriate transfer safeguards — SCCs were not in place for US transfers. €60,000 fine against the Commission itself.

German Supervisory Authorities: Multiple German state DPAs (DSKs) have found violations where controllers used US-based processors without DPAs or without SCCs covering data transfers. German enforcement has been particularly active in the healthcare, education, and public sector.

GDPR Article 83(4) penalties for Article 28 violations: Failure to have a required DPA is subject to fines up to €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. These are the lower-tier penalties — not the maximum €20 million / 4% tier — but they are still significant for small and mid-size companies. For penalty amounts in context, see the Real Cost of Non-Compliance 2026.

Frequently Asked Questions: GDPR Data Processing Agreements

Do we need a DPA with every SaaS tool we use?
Yes, for any SaaS tool that processes personal data of EU residents on your behalf. This includes tools used to process employee data (HR software, payroll), customer data (CRM, support ticketing), website visitor data (analytics, live chat), and marketing data (email marketing platforms). Many large SaaS vendors have DPAs available online that you can accept by clicking through their platform settings — check the vendor's privacy or legal documentation first before creating a custom DPA. If the vendor has no DPA available and processes personal data, you cannot use them lawfully under GDPR without one. See the ComplianceStack Vendor Directory for DPA availability by vendor.

What is the difference between a DPA and Standard Contractual Clauses?
A DPA addresses the controller-processor relationship under Article 28 — who processes what data, on whose instructions, with what security measures. Standard Contractual Clauses (SCCs) address the Chapter V international transfer requirement — the additional legal mechanism required when personal data is transferred outside the EEA. A DPA for a US-based processor typically needs to include or reference SCCs (Module 2: C2P) to cover both the processing relationship and the international transfer. The EU-US Data Privacy Framework (2023) provides an alternative transfer mechanism for DPF-certified processors — check your vendor's DPF enrollment status at dataprivacyframework.gov. See the full framework in the GDPR for US Companies guide.

Can we use a template DPA from our vendor or do we need a lawyer to draft one?
Vendor-provided DPAs are legally valid under Article 28 if they contain all required provisions. Review the DPA against the Article 28(3) checklist — if all required clauses are present, a vendor template is sufficient. Custom DPAs are appropriate when the vendor's standard template is missing required provisions, when the processing involves high-risk data (health, financial, children's data), or when you have specific security requirements the standard template does not cover. For most standard SaaS relationships, vendor DPAs reviewed against the Article 28(3) checklist above are sufficient. Use the Compliance Gap Analyzer to get a full view of your GDPR vendor management posture.

Audit Your GDPR Vendor DPA Coverage

The free ComplianceStack Compliance Gap Analyzer includes GDPR Article 28 processor requirements. Identify which vendors need DPAs and which existing DPAs have gaps. No signup required.
