Data Processing Agreement Template

Article 28(3) of the GDPR requires that processing by a processor shall be governed by a contract or other legal act that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.

The following annotated template covers each mandatory clause. Adapt the content to your specific processing relationship. Processing without a compliant DPA in place exposes both controller and processor to fines of up to EUR 10,000,000 or, for an undertaking, 2% of total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83(4)(a)).

1. Subject Matter and Duration

Art. 28(3)

Define the scope of the processing relationship.

Required Content

The subject matter of the processing, the duration of the processing, the nature and purpose of the processing, the type of personal data, and the categories of data subjects.

Annotation

Be specific. Vague descriptions like 'data processing services' are insufficient. Identify the exact service (e.g., 'hosting and processing of customer order data'), the personal data fields involved (e.g., name, email, shipping address), and the categories of data subjects (e.g., customers, employees). Duration should align with the services agreement.

2. Obligations of the Processor

Art. 28(3)(a)

Ensure the processor only acts on documented controller instructions.

Required Content

The processor shall process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or Member State law. In such a case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.

Annotation

This is the foundation of the controller-processor relationship. A processor that goes beyond the controller's instructions and determines the purposes and means of processing itself is treated as a controller in respect of that processing (Art. 28(10)), with the liability that entails. Include a mechanism for issuing and documenting instructions (e.g., written requests, a designated contact). Address what happens if the processor believes an instruction infringes the GDPR: the second subparagraph of Art. 28(3) requires the processor to inform the controller immediately, so the DPA should say how that notice is given and whether the processor may suspend the instruction in the meantime.

3. Confidentiality

Art. 28(3)(b)

Ensure persons authorised to process the data have committed to confidentiality.

Required Content

The processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Annotation

This extends beyond NDAs to cover all personnel with access to the personal data, including temporary staff and contractors. Maintain records of confidentiality commitments. Where statutory obligations exist (e.g., for regulated professions), document which obligation applies.

4. Security Measures

Art. 28(3)(c), 32

Require the processor to implement appropriate technical and organisational measures.

Required Content

The processor shall take all measures required pursuant to Article 32 (security of processing), including as appropriate: pseudonymisation and encryption, the ability to ensure ongoing confidentiality/integrity/availability/resilience of processing systems, the ability to restore availability and access to personal data in a timely manner, and a process for regularly testing, assessing and evaluating the effectiveness of measures.

Annotation

Specify the minimum security measures required (e.g., encryption standards, access control mechanisms, audit logging). Consider including a security schedule or annex that can be updated without amending the entire DPA. The measures must be appropriate to the risk, considering the state of the art, costs, nature of processing, and risks to data subjects.

5. Sub-processors

Art. 28(2), 28(3)(d), 28(4)

Control the engagement of sub-processors.

Required Content

The processor shall not engage another processor (sub-processor) without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the controller the opportunity to object. The processor shall impose the same data protection obligations as set out in this DPA on the sub-processor by way of a contract.

Annotation

Choose between specific authorisation (controller approves each sub-processor individually) or general authorisation (controller is informed of changes with right to object). General authorisation is more practical but requires a clear notification and objection mechanism. Include a list of current sub-processors as an annex. The processor remains fully liable to the controller for the performance of sub-processor obligations (Art. 28(4)).

6. Data Subject Rights Assistance

Art. 28(3)(e)

Require the processor to assist the controller in responding to data subject requests.

Required Content

The processor shall assist the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III.

Annotation

Define specific procedures: how the processor will handle data subject requests received directly, the timeframe for forwarding requests to the controller, and what technical capabilities are needed (e.g., ability to extract, port, or delete a specific data subject's data). Consider costs -- the GDPR is silent on who pays for this assistance, so state in the agreement whether it is included in the service fee or chargeable at an agreed rate.

7. Breach Notification

Art. 28(3)(f), 33, 34

Require the processor to notify the controller of personal data breaches.

Required Content

The processor shall notify the controller without undue delay after becoming aware of a personal data breach. The notification shall include at minimum: the nature of the breach, the categories and approximate number of data subjects and personal data records concerned, the likely consequences, and the measures taken or proposed to address the breach.

Annotation

The GDPR requires controllers to notify the supervisory authority, where feasible, within 72 hours of becoming aware of a breach (Art. 33(1)), and requires the processor to notify the controller without undue delay (Art. 33(2)). Processor notification to the controller must therefore occur well within that window. Specify a concrete timeframe (e.g., within 24 hours of discovery), allow the required details to be supplied in phases where they are not all available at once (Art. 33(4)), and include a breach communication template as an annex.

8. DPIA and Prior Consultation Assistance

Art. 28(3)(f), 35, 36

Require the processor to assist with DPIAs and supervisory authority consultations.

Required Content

The processor shall assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36, taking into account the nature of processing and the information available to the processor.

Annotation

This includes providing information needed for DPIAs (e.g., details of processing operations, security measures, sub-processor arrangements) and cooperating with supervisory authority consultations. Define what 'assist' means in practice and agree on response timelines.

9. Data Return and Deletion

Art. 28(3)(g)

Define what happens to personal data when the processing relationship ends.

Required Content

At the choice of the controller, the processor shall delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless EU or Member State law requires storage of the personal data.

Annotation

Specify the format for data return (e.g., structured, commonly used, machine-readable format), the timeframe for return/deletion (e.g., within 30 days of contract termination), and the method of deletion (e.g., secure overwrite, cryptographic erasure). Require written certification of deletion. Address data in backups -- specify a reasonable timeline for backup purging, or, where backups cannot be selectively rewritten, rely on cryptographic erasure: if each controller's or data subject's records are encrypted under a dedicated key, destroying that key renders every copy unreadable at once.
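The following is an added illustration of cryptographic erasure as a deletion method for backups; it is not part of the template and carries no legal weight. It assumes a per-data-subject data encryption key (DEK), a store whose backups are plain snapshots of ciphertext, and an erasure log that can back the written certification of deletion. The cipher is a stand-in built from HMAC-SHA256 so the example runs on the Python standard library alone (a real deployment would use an AEAD cipher such as AES-GCM from a vetted library and keep DEKs in a KMS or HSM); the class name, method names and sample records are constructed for this example.

```python
"""Cryptographic erasure ("crypto-shredding") of one data subject's records.

Each subject's records are encrypted under a subject-specific DEK. Backups
hold only ciphertext, so destroying the DEK renders every copy, including
backups that cannot be rewritten on demand, unreadable at once.

Illustrative only: the cipher is an HMAC-SHA256 keystream XORed over the
plaintext so the example needs nothing beyond the standard library.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream of HMAC-SHA256(key, nonce || block offset).

    Symmetric: applying it twice with the same key and nonce restores data.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class CryptoShredStore:
    """Hypothetical record store with per-subject DEKs and snapshot backups."""

    def __init__(self) -> None:
        self._deks = {}        # subject_id -> DEK; the only secret material
        self._records = []     # (subject_id, nonce, ciphertext)
        self._backups = []     # each backup is a frozen copy of _records
        self.erasure_log = []  # evidence for the deletion certificate

    def put(self, subject_id: str, plaintext: bytes) -> None:
        """Encrypt a record under the subject's DEK, creating the DEK on first use."""
        dek = self._deks.setdefault(subject_id, secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)
        self._records.append((subject_id, nonce, _keystream_xor(dek, nonce, plaintext)))

    def snapshot_backup(self) -> None:
        """Take a backup: ciphertext only, no keys."""
        self._backups.append(list(self._records))

    def _decrypt(self, records, subject_id: str):
        dek = self._deks.get(subject_id)
        if dek is None:
            return None  # key destroyed (or never existed): ciphertext is inert
        return [_keystream_xor(dek, n, c) for s, n, c in records if s == subject_id]

    def read(self, subject_id: str):
        return self._decrypt(self._records, subject_id)

    def read_from_backup(self, backup_index: int, subject_id: str):
        return self._decrypt(self._backups[backup_index], subject_id)

    def ciphertext_copies(self, subject_id: str) -> int:
        """Count ciphertext records for the subject across primary and all backups."""
        everywhere = [self._records] + self._backups
        return sum(1 for recs in everywhere for s, _, _ in recs if s == subject_id)

    def erase(self, subject_id: str) -> dict:
        """Destroy the subject's DEK and return an erasure record.

        Raises KeyError if no DEK exists, so a certificate is never issued twice.
        The SHA-256 fingerprint lets the controller match the certificate to the
        key that was held without revealing key material.
        """
        dek = self._deks.pop(subject_id)
        entry = {
            "subject_id": subject_id,
            "dek_sha256": hashlib.sha256(dek).hexdigest(),
            "erased_at": datetime.now(timezone.utc).isoformat(),
            "ciphertext_copies_now_unreadable": self.ciphertext_copies(subject_id),
        }
        del dek
        self.erasure_log.append(entry)
        return entry


if __name__ == "__main__":
    # Constructed sample records, not real personal data.
    store = CryptoShredStore()
    store.put("subject-42", b"Alice Example, alice@example.org")
    store.put("subject-42", b"Shipping: 1 Example Street")
    store.put("subject-7", b"Bob Example")
    store.snapshot_backup()
    print(store.read_from_backup(0, "subject-42"))   # plaintext while the DEK exists
    certificate = store.erase("subject-42")
    print(store.read_from_backup(0, "subject-42"))   # None: backup still holds bytes, but inert
    print(certificate)
```

The point the DPA clause relies on is visible in `erase`: no backup is touched, yet `read_from_backup` returns nothing afterwards because the only key that could decrypt those bytes is gone, and `ciphertext_copies` shows how many now-inert copies remain for the deletion certificate. Other subjects' records are unaffected because they never shared a key.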

10. Audit Rights

Art. 28(3)(h)

Enable the controller to verify processor compliance.

Required Content

The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Annotation

Define practical audit terms: notice period, frequency, scope, and who bears the costs. Many processors offer SOC 2 or ISO 27001 certifications as an alternative to on-site audits for routine verification, with the right to conduct specific audits when concerns arise. The processor must immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other data protection provisions (Art. 28(3) final subparagraph).

11. International Transfers

Art. 28(3)(a), 44-49

Address transfers of personal data to third countries.

Required Content

The processor shall not transfer personal data to a third country or international organisation without documented instruction from the controller, unless required by EU or Member State law. Where transfers are authorised, they must be subject to appropriate safeguards under Chapter V (adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or a derogation under Article 49).

Annotation

List the countries where data will be processed and stored, including by sub-processors. Identify the transfer mechanism for each (e.g., EU adequacy decision, SCCs). Following the Schrems II judgment (C-311/18), transfers relying on the Commission's Standard Contractual Clauses (Decision (EU) 2021/914) require a Transfer Impact Assessment to evaluate whether the recipient country provides essentially equivalent protection and whether supplementary measures (e.g., encryption with keys held only in the EU) are needed. Include this assessment as an annex.

Disclaimer

This template provides general guidance on Data Processing Agreement requirements under GDPR Article 28. It does not constitute legal advice and should not be used as a substitute for legal review. Every DPA should be reviewed by qualified legal counsel to ensure it addresses the specific circumstances of the processing relationship.