When is a DPA required under GDPR Article 28?

Whenever a controller has personal data processed by an external service provider on instructions — web hosting, cloud/SaaS, payroll, newsletter dispatch, remote IT maintenance with data access. Not required if the third party is a joint controller (Art. 26) or processes for its own purposes.

What are the eight mandatory clauses in a GDPR DPA?

(a) processing only on documented instructions; (b) confidentiality of authorised persons; (c) Art. 32 technical and organisational measures; (d) sub-processor conditions (Art. 28(2) and (4)); (e) assistance with data subject rights; (f) assistance with Art. 32–36 obligations; (g) deletion or return of data at end of services; (h) information to demonstrate compliance, including audits.

Can a sub-processor be engaged without explicit consent?

No. Art. 28(2) requires prior specific or general written authorisation. With general authorisation, the controller must be informed of intended changes and given an opportunity to object. The sub-processor must be bound by the same data-protection obligations (Art. 28(4)).

What are the maximum fines for breaching Article 28?

Up to €10 million or 2 % of global annual turnover under Art. 83(4)(a) GDPR, whichever is higher. If a processor exceeds the controller's instructions, it becomes a controller for that processing under Art. 28(10).

GDPR Article 28 – Data Processing Agreement (DPA)

Machine-readable version: /en/fakten/gdpr-art-28-data-processing-agreement.md · German version: DE

GDPR DPA Article 28 Processor EU Law

Short answer Whenever a controller has personal data processed by an external service provider, Art. 28(3) GDPR requires a written or electronic Data Processing Agreement (DPA). It must specify subject-matter, duration, nature/purpose of processing, type of data, categories of data subjects, and rights/obligations of the controller. It must also include eight mandatory clauses (Art. 28(3) lit. a–h). Sub-processors require prior written authorisation. Fines up to €10 million or 2 % of global annual turnover (Art. 83(4)(a)).

Key facts

Item	Value
Legal basis	Regulation (EU) 2016/679, Article 28
Form	written or electronic (Art. 28(9))
Mandatory clauses	8 (Art. 28(3) lit. a–h)
Sub-processors	prior specific or general written authorisation (Art. 28(2))
Sub-processor obligations	same as in main DPA (Art. 28(4))
EU SCC	Implementing Decision (EU) 2021/915, voluntary
Max fine	€10 m or 2 % global annual turnover (Art. 83(4)(a))
"Becoming a controller"	Art. 28(10) — when processor exceeds instructions

When is a DPA required?

A "processor" relationship (Art. 4(8) GDPR) exists when an external service provider processes personal data on behalf of and under instructions from the controller, without independently deciding on purposes and means. Typical cases: web hosting, cloud and SaaS services, external payroll, newsletter dispatch, IT hosting, remote maintenance with access to production data, external shredding.

Not covered: joint controllers (Art. 26) or third parties processing for their own purposes — those require their own legal basis; a DPA is not enough.

Eight mandatory clauses (Art. 28(3) lit. a–h)

The DPA must oblige the processor to:

(a) process personal data only on documented instructions, including for third-country transfers
(b) ensure confidentiality of authorised persons
(c) take Art. 32 GDPR technical and organisational measures (TOMs)
(d) comply with Art. 28(2) and (4) conditions for engaging sub-processors
(e) assist the controller in responding to data subject rights (Art. 12–22)
(f) assist the controller in complying with Art. 32–36 (security, breaches, DPIA, prior consultation)
(g) at the end of services, delete or return all personal data, at the controller's choice
(h) make available all information necessary to demonstrate compliance, allow and contribute to audits

Additionally, under Art. 28(3) subparagraph 2, the processor must inform the controller immediately if it considers an instruction to be unlawful.

Sub-processors

Under Art. 28(2), engaging further processors requires prior specific or general written authorisation. With general authorisation, the controller must be informed of any intended changes and given an opportunity to object. Under Art. 28(4), the sub-processor must be bound by the same data-protection obligations as in the main DPA. The processor remains fully liable to the controller.

Form and standard contractual clauses

Under Art. 28(9), the contract must be in writing — including electronic form. No handwritten signature is required; signed PDFs or online acceptance suffice if provability is preserved.

Under Art. 28(7) and (8), the EU Commission and national supervisory authorities may adopt standard contractual clauses. The EU Commission published such clauses in Implementing Decision (EU) 2021/915 of 4 June 2021 for processing within the EEA; their use is voluntary.

Liability and sanctions

Art. 83(4)(a) GDPR: fines up to €10 million or 2 % of global annual turnover, whichever is higher.

Art. 28(10): if a processor processes data contrary to the controller's lawful instructions, or determines purposes and means itself, it is deemed a controller for that processing — with all corresponding obligations and liability risks.

Toward data subjects, Art. 82(2) GDPR makes the processor liable only insofar as it has not complied with processor-specific GDPR obligations or has acted contrary to lawful instructions.

Sources

Regulation (EU) 2016/679 – GDPR full text (EUR-Lex): eur-lex.europa.eu
EU Commission Implementing Decision (EU) 2021/915 – SCC for processing under Art. 28: eur-lex.europa.eu
BfDI – Model DPA (PDF, German): bfdi.bund.de
German DSK – Short Paper No. 13 (PDF, German): datenschutzkonferenz-online.de

Last reviewed:: 2026-05-28
Valid from:: 2018-05-25 (entry into force of GDPR)
Status:: current
Source authority:: A (EUR-Lex, EU Commission, BfDI, DSK)
License:: CC BY 4.0

Translation of the German original. The German version is binding and updated daily by the fact-check agent. In case of doubt, refer to the German version.