
Data Processing Agreements Under GDPR: Complete Guide

Complete guide to GDPR data processing agreements: mandatory clauses, sub-processor rules, audit rights, and enforcement examples under Article 28.

A data processing agreement (DPA) is the legally mandated contract between a data controller and a data processor under the GDPR. Every time an organisation engages a vendor, cloud provider, payroll bureau, or any third party that handles personal data on its behalf, Article 28 requires a binding written agreement that sets out the terms of that processing relationship.

Despite this clear obligation, DPA deficiencies remain one of the most common findings in supervisory authority audits across Europe. The DLA Piper GDPR Fines Survey January 2026 reported cumulative fines exceeding EUR 7.1 billion since the regulation took effect, with a growing number of enforcement actions targeting inadequate or missing processor agreements. In 2024 alone, the Spanish AEPD issued over 40 sanctions where the absence or insufficiency of a GDPR data processing agreement was a contributing factor.

This guide covers every element you need to draft, review, and maintain compliant DPAs.

What Does Article 28 Require in a Data Processing Agreement?

Article 28(3) GDPR prescribes the minimum content that every GDPR data processing agreement must include. The contract must be in writing, which includes electronic form, and must set out:

  • Subject matter and duration of the processing
  • Nature and purpose of the processing
  • Types of personal data processed
  • Categories of data subjects whose data is processed
  • Obligations and rights of the controller

These are not optional boilerplate elements. Each clause must be specific to the actual processing relationship. A generic template that fails to describe the concrete processing activities will not satisfy the regulation.

Beyond the descriptive clauses, Article 28(3)(a)-(h) imposes eight specific obligations on the processor:

  1. Process only on documented instructions from the controller, unless required by EU or Member State law.
  2. Ensure confidentiality – all authorised persons must be under a confidentiality commitment.
  3. Implement appropriate security measures in accordance with Article 32.
  4. Respect the conditions for engaging sub-processors, including prior written authorisation.
  5. Assist the controller in responding to data subject rights requests.
  6. Assist with breach notification, DPIAs, and prior consultation under Articles 32-36.
  7. Delete or return all personal data after the end of services.
  8. Make available all information necessary to demonstrate compliance and contribute to audits.

Omitting any one of these eight points renders the DPA non-compliant. The Finnish Data Protection Ombudsman fined a healthcare processor EUR 608,000 in 2023 partly because the DPA lacked adequate data deletion provisions.

How Should You Handle Sub-Processor Obligations?

The sub-processor chain is where many GDPR data processing agreement arrangements break down. Article 28(2) requires that a processor must not engage another processor without the prior specific or general written authorisation of the controller.

Under specific authorisation, the processor obtains written consent before engaging each sub-processor. Under general authorisation, the processor informs the controller of intended changes, giving the controller the opportunity to object. The DPA must specify which model applies and document the objection mechanism.

Article 28(4) requires that the same data protection obligations in the controller-processor DPA be imposed on every sub-processor by contract. The processor remains fully liable for the sub-processor’s performance. A 2024 audit by the Danish DPA (Datatilsynet) found that 35% of processor agreements reviewed failed to include adequate sub-processor flow-down clauses, resulting in formal compliance orders.

What Audit Rights Must the DPA Include?

Article 28(3)(h) requires the processor to make available all information necessary to demonstrate compliance and to allow for and contribute to audits conducted by the controller or a mandated auditor. Effective audit clauses should address:

  • Scope – whether the controller can audit premises, systems, and documentation, or accept third-party reports (SOC 2, ISO 27001) as a substitute
  • Frequency and notice – how often audits may occur and required notice periods
  • Cost allocation – who bears audit costs
  • Sub-processor coverage – whether audit rights extend down the chain

The DPA must preserve the right to conduct direct audits even where third-party certifications are accepted as the default, particularly following security incidents.

How Should International Transfers Be Addressed?

Where a processor or sub-processor is located outside the EEA, the GDPR data processing agreement must address international data transfers under Chapter V of the GDPR. The DPA should specify:

  • The transfer mechanism relied upon – adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or Article 49 derogation
  • The obligation to conduct a Transfer Impact Assessment (TIA)
  • Supplementary measures where the TIA reveals gaps, such as encryption with controller-held keys

The EDPB Recommendations 01/2020 on supplementary measures remain the authoritative reference. Any DPA involving transfers to a non-adequate jurisdiction that omits these elements is exposed to enforcement risk.

Common Mistakes in Data Processing Agreements

Using generic templates without customisation. A GDPR data processing agreement that describes the processing as “providing services” without specifying data types, data subject categories, or purposes fails Article 28(3). The Belgian DPA sanctioned a controller in 2023 for using an identical template across 12 processors without adapting it to the specific processing performed by each.

Failing to update DPAs when processing changes. When the scope changes – new data categories, new purposes, new sub-processors – the agreement must be updated. A record of processing activities that reflects current processing but an outdated DPA creates a compliance gap supervisory authorities will identify.

Missing data deletion provisions. The obligation to delete or return personal data at the end of the relationship is frequently absent or vaguely drafted. Specifying the deletion timeline, method, and provision of a deletion certificate strengthens compliance.

Reviewing a portfolio of vendor agreements for all these issues is resource-intensive. Organisations using Legiscope can audit their DPAs in minutes rather than the 140+ hours typically required for manual review, with AI-driven analysis identifying missing clauses and gaps against the Article 28 checklist.

How Does Enforcement Target DPA Failures?

The Greek DPA (HDPA) fined PricewaterhouseCoopers EUR 150,000 in 2019 for processing personal data without a compliant DPA. The authority found that PwC had processed employee data on behalf of a client without any written agreement addressing Article 28 requirements.

In Germany, the Berlin Commissioner for Data Protection fined a real estate company EUR 14.5 million in 2019 (later reduced on appeal), with findings that included inadequate data processing agreements with service providers who had access to tenant data.

The Spanish AEPD imposed a EUR 200,000 fine on a fintech company in 2024 partly because its DPA with a payment processor did not include sub-processor notification and objection mechanisms.

These cases reinforce that supervisory authorities read the actual contract text and sanction specific deficiencies. Meeting the broader GDPR requirements demands that DPAs receive the same attention as any other compliance obligation.

Checklist for a Compliant Data Processing Agreement

Use this checklist alongside your GDPR compliance checklist to verify each DPA in your vendor portfolio:

  • [ ] Subject matter, duration, nature, and purpose of processing described specifically
  • [ ] Types of personal data and categories of data subjects identified
  • [ ] All eight Article 28(3) processor obligations included
  • [ ] Sub-processor authorisation model specified (specific or general)
  • [ ] Sub-processor flow-down clause requiring equivalent obligations
  • [ ] Sub-processor change notification and objection mechanism documented
  • [ ] Audit rights preserved, with scope, frequency, and cost terms
  • [ ] International transfer mechanism identified with TIA obligations
  • [ ] Data deletion or return obligations with timeline and certification
  • [ ] Controller due diligence on processor documented

Frequently Asked Questions

Is a data processing agreement always required under GDPR?

Yes, whenever a controller engages a processor to handle personal data on its behalf. Article 28(3) requires a binding written contract with no threshold or de minimis exception. Even a small business using a cloud email provider is in a controller-processor relationship that requires a DPA.

Can we use the processor’s standard DPA template?

You can, provided it meets all Article 28 requirements and accurately describes the specific processing performed. The controller remains responsible for verifying adequacy and customising the template where standard terms do not reflect the actual processing relationship.

What happens if our processor refuses to sign a DPA?

You cannot lawfully engage that processor. If a vendor will not sign a DPA or agree to mandatory Article 28 clauses, you must either negotiate until the agreement is compliant or find an alternative processor. Using a processor without a DPA exposes the controller to enforcement action.

How often should DPAs be reviewed?

There is no fixed review period in the GDPR, but best practice is to review DPAs at least annually and whenever there is a material change in the processing relationship. Your ROPA review cycle is a natural trigger for DPA reviews.

Does the DPA need to cover data breach notification?

Yes. Article 28(3)(f) requires the processor to assist the controller with breach notification obligations under Articles 33 and 34. The DPA should specify the notification timeline (typically without undue delay and within a fixed number of hours), the information to be provided, and the cooperation obligations during incident response.

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from the Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.