GDPR Compliance

GDPR Article 28: Data Processing Agreement Requirements

Complete guide to GDPR Article 28 data processing agreements. Covers mandatory clauses, sub-processor requirements, and common DPA mistakes to avoid.

Tags: DPA, Article 28, GDPR, Processors, Contracts

When you engage vendors, service providers, or partners who process personal data on your behalf, GDPR Article 28 requires that the processing be governed by a written contract or other binding legal act, in practice the Data Processing Agreement (DPA). This guide explains what your DPAs must contain and how to check them for compliance.

Controller vs. Processor: Getting It Right

Before drafting a DPA, correctly classify the relationship:

  • Controller: Determines the purposes and means of processing
  • Processor: Processes data only on behalf of and under instructions from the controller
  • Joint Controllers: Multiple parties jointly determine purposes and means

Classification errors are common and costly. A DPA cannot turn a controller into a processor. If your "processor" actually decides what data to collect and why, it is a controller in its own right, and a different arrangement is needed: an Article 26 joint-controller arrangement where the purposes and means are decided jointly, or controller-to-controller terms where they are decided independently.

Article 28(3) Mandatory Clauses

Article 28(3)(a) to (h) specifies that the DPA must contain provisions requiring the processor to:

  • Process only on documented instructions from the controller, including with regard to international transfers
  • Ensure that persons authorised to process the data are bound by confidentiality obligations
  • Implement the security measures required by Article 32
  • Respect the sub-processor engagement conditions in Article 28(2) and (4)
  • Assist the controller in responding to data subject rights requests
  • Assist with the controller's Article 32 to 36 obligations (security, breach notification, DPIA, prior consultation)
  • Delete or return all personal data at the end of the services, at the controller's choice, and delete existing copies unless law requires retention
  • Make available all information needed to demonstrate compliance, and allow and contribute to audits and inspections

Article 28(3) also requires the processor to inform the controller immediately if it considers that an instruction infringes the GDPR or other EU or Member State data protection law. Check that this clause is present; vendor templates sometimes omit it.

Sub-Processor Requirements

Article 28(2) and (4) govern sub-processor engagement:

  • Option 1: Specific prior written authorization for each sub-processor
  • Option 2: General written authorization covering a published list
  • If general authorization: the processor must inform the controller of any intended addition or replacement, giving the controller the opportunity to object
  • Flow-down: the same data protection obligations in the DPA must be imposed on each sub-processor by contract or other legal act
  • Liability: where a sub-processor fails to meet its obligations, the initial processor remains fully liable to the controller

Most SaaS vendors use general authorization with a published sub-processor list and a notice period for changes. Make sure you have a process to review change notifications within that period and to object (and, if the DPA provides for it, terminate) when a new sub-processor is unacceptable; an unreviewed notification is, in practice, a silent approval.

Security Requirements

The DPA must reference the Article 32 security measures. Because Article 32 only requires measures "appropriate to the risk", a bare cross-reference gives you nothing to verify against. Best practice is to include:

  • Specific security measures in an annex or schedule
  • Reference to certifications (ISO 27001, SOC 2)
  • Encryption requirements
  • Access control standards
  • Incident response obligations
  • Regular security testing requirements

International Transfers

If the processor or any sub-processor processes the data outside the EEA, a Chapter V transfer mechanism is needed and the DPA must address it:

  • Adequacy decisions (Article 45): document which decision covers the destination, if any
  • Standard Contractual Clauses (Article 46): the Commission's 2021 SCCs are usually incorporated, using the controller-to-processor module for your DPA and the processor-to-processor module for onward transfers to sub-processors
  • Transfer Impact Assessment: following Schrems II, an assessment of the destination country's laws and any supplementary measures may be required before relying on SCCs
  • Sub-processor locations: the transfer analysis has to cover every sub-processor, not only the contracting processor

Common DPA Mistakes

1. Incomplete Subject Matter Description

Article 28(3) requires the DPA to set out "the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects." Generic descriptions like "business purposes" are insufficient.

2. Missing Audit Rights

Some vendor-provided DPAs limit audit rights to reviewing certification reports (ISO 27001 certificates, SOC 2 reports). Relying on these is practical day to day, but Article 28(3)(h) requires the processor to allow and contribute to audits, including inspections, conducted by the controller or an auditor it mandates. Make sure you retain the right to conduct or commission an independent audit when a report is insufficient or a breach occurs.

3. Inadequate Data Return/Deletion

Specify what happens to data at contract end:

  • Controller's choice of deletion or return (Article 28(3)(g))
  • Timeline for deletion or return (e.g., 30 days after termination)
  • Written certification of deletion
  • Handling of backup copies: when they expire under the backup rotation schedule, and that they will not be restored for live use in the meantime
  • Any legally required retention, with the legal basis stated

4. Ignoring Sub-Processor Lists

You need to know who processes your data. Maintain an up-to-date list of all sub-processors for each vendor, including their locations and functions.
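Reviewing sub-processor change notifications (see the general-authorization point above) and keeping the per-vendor list current are the two tasks that most often slip. The following Python script is an added example, not code from the original post or from MultiComply: it diffs two snapshots of a vendor's published sub-processor list, reports additions, removals and changed entries, flags anything now located outside the EEA as needing a transfer-mechanism review, and computes the objection deadline from the notification date and the DPA's notice period. Vendor names, locations, functions, dates and the 30-day notice period are all constructed for illustration.

```python
"""Sub-processor change review helper (added example, not from the original post).

Compares two snapshots of a vendor's sub-processor list, reports what changed,
flags entries located outside the EEA (which need a Chapter V transfer
mechanism under the DPA), and computes the objection deadline.
All vendors, locations, dates and the notice period are constructed examples.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# EEA member states (EU 27 plus Iceland, Liechtenstein and Norway), ISO 3166-1 alpha-2.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}


@dataclass(frozen=True)
class SubProcessor:
    name: str
    country: str    # ISO 3166-1 alpha-2 code of the processing location
    function: str   # what the sub-processor does with the data


@dataclass
class ChangeReport:
    added: list                   # new sub-processors
    removed: list                 # sub-processors dropped from the list
    changed: list                 # (old, new) pairs where location or function changed
    needs_transfer_review: list   # added or changed entries located outside the EEA
    objection_deadline: date      # last day on which the controller can object


def review_subprocessor_changes(previous, current, notified_on, notice_days=30):
    """Diff two list snapshots keyed by sub-processor name.

    notice_days is the objection period written into the DPA (assumed 30 here).
    """
    old = {s.name: s for s in previous}
    new = {s.name: s for s in current}
    added = [new[n] for n in sorted(new.keys() - old.keys())]
    removed = [old[n] for n in sorted(old.keys() - new.keys())]
    changed = [(old[n], new[n]) for n in sorted(old.keys() & new.keys())
               if old[n] != new[n]]
    # Anything new or relocated outside the EEA needs a transfer mechanism check.
    outside = [s for s in added if s.country not in EEA]
    outside += [n for _, n in changed if n.country not in EEA]
    return ChangeReport(added, removed, changed, outside,
                        notified_on + timedelta(days=notice_days))


def is_objection_open(report, today):
    """True while the controller can still object under the notice period."""
    return today <= report.objection_deadline


def report_lines(report):
    """Human-readable record for the vendor file / ROPA entry."""
    lines = [f"Objection deadline: {report.objection_deadline.isoformat()}"]
    lines += [f"ADDED   {s.name} ({s.country}) - {s.function}" for s in report.added]
    lines += [f"REMOVED {s.name} ({s.country}) - {s.function}" for s in report.removed]
    lines += [f"CHANGED {o.name}: {o.country}/{o.function} -> {n.country}/{n.function}"
              for o, n in report.changed]
    lines += [f"TRANSFER REVIEW NEEDED {s.name} ({s.country})"
              for s in report.needs_transfer_review]
    return lines


def sample_review():
    """Run the diff on constructed snapshots of one vendor's list."""
    previous = [
        SubProcessor("Example Cloud Hosting", "IE", "infrastructure hosting"),
        SubProcessor("Example Mail Relay", "DE", "transactional email"),
        SubProcessor("Example Support Desk", "NL", "support ticketing"),
    ]
    current = [
        SubProcessor("Example Cloud Hosting", "IE", "infrastructure hosting"),
        SubProcessor("Example Mail Relay", "US", "transactional email"),   # relocated
        SubProcessor("Example Analytics", "US", "product analytics"),      # new
    ]
    return review_subprocessor_changes(previous, current, date(2024, 3, 1))


if __name__ == "__main__":
    for line in report_lines(sample_review()):
        print(line)
```

The diff is keyed by name, so a sub-processor that keeps its name but moves its processing location shows up as a change rather than disappearing into an add/remove pair; in practice that relocation is exactly the case that triggers a new transfer assessment. Attach the report lines to the vendor's DPA file and ROPA entry so the review, and any objection, is evidenced.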

DPA Review Checklist

  • All Article 28(3) clauses present?
  • Processing scope clearly defined?
  • Sub-processor conditions specified?
  • Current sub-processor list available?
  • Security measures documented?
  • International transfer provisions (if applicable)?
  • Audit rights preserved?
  • Data subject rights assistance addressed?
  • Breach notification requirements specified?
  • Data deletion/return terms clear?

Relationship to ROPA

Your ROPA should reference DPAs for each processing activity involving processors. This creates a clear audit trail:

  • Processing activity → Processor → DPA → Sub-processor list
  • Update ROPA when processors or sub-processors change
  • Link DPA documents to ROPA entries for easy access

Managing DPAs at Scale

Organizations with numerous vendors face DPA management challenges: tracking renewal dates, monitoring sub-processor changes, ensuring consistent terms, and maintaining audit documentation.

MultiComply integrates DPA management with your ROPA, enabling you to link processors to processing activities, track sub-processor notifications, and maintain audit-ready documentation. Start your free trial to simplify vendor compliance.
