Data Processing Agreement (DPA) Template

Mandatory Article 28 Data Processing Agreement template for controller-processor relationships, covering all required provisions and sub-processing controls.

Quick Answer

Article 28 GDPR requires a written Data Processing Agreement with every processor, specifying processing instructions, security measures, sub-processor controls, breach notification timelines, and data return/deletion obligations.

Compliance Checklist (8 items)

Identify and document all processors and sub-processors in the supply chain
Confirm processor only processes data on documented instructions from controller
Require processor to impose equivalent obligations on any sub-processors
Include mandatory Article 28(3) clauses: confidentiality, security, sub-processor controls
Specify technical and organisational security measures (Annex to DPA)
Require processor to assist with data subject rights requests within agreed timelines
Require processor to notify controller of any data breach within 24-48 hours
Specify data deletion/return obligations at contract termination

Penalty if not compliant

Up to €20 million or 4% of global annual turnover; both controller and processor can be fined; processors face direct liability for GDPR breaches.

Frequently Asked Questions

Is a DPA required with cloud providers like AWS, Google Cloud, or Azure?

Yes. Any cloud provider processing personal data on your behalf is a processor, and a DPA is legally required. AWS, Google, and Microsoft offer standard DPA addenda that comply with GDPR — review and accept before processing any personal data.

What if a processor refuses to sign a DPA?

You cannot lawfully use a processor that refuses to sign a compliant DPA. You must either negotiate the terms or find an alternative processor. Using a processor without a DPA is a GDPR violation.

Can standard contractual clauses (SCCs) substitute for a DPA?

SCCs are for international data transfers, not for domestic controller-processor relationships. You need both: a DPA for the processing relationship and SCCs (or another transfer mechanism) if data is transferred outside the EEA.

Need this turned into a real document?

Our compliance sprint service delivers production-ready documents tailored to your organisation in 5–15 business days. A senior compliance specialist reviews every document before delivery.

Get Expert Help →Browse All Templates

DPAdata processing agreementArticle 28processorsub-processor