---
title: GDPR Article 28 – Data Processing Agreement (DPA)
slug: gdpr-art-28-data-processing-agreement
topic: data-protection
lang: en
valid_from: 2018-05-25
valid_to: null
last_reviewed: 2026-05-28
status: current
authority_level: A
license: CC-BY-4.0
url: https://nexvyra.de/en/fakten/gdpr-art-28-data-processing-agreement.md
wikidata_subjects: [Q1172506, Q3933473]
de_version: https://nexvyra.de/fakten/auftragsverarbeitung-art-28.html
---

# GDPR Article 28 – Data Processing Agreement (DPA)

## Short answer

Whenever a controller has personal data processed by an external service provider, Art. 28(3) GDPR requires a **written or electronic contract** — the Data Processing Agreement (DPA, German: Auftragsverarbeitungs-Vertrag / AVV). The DPA binds the processor to the controller's instructions and must set out **the subject-matter, duration, nature and purpose of processing, type of personal data, categories of data subjects, and the obligations and rights of the controller**. Additionally, Art. 28(3) lit. a–h GDPR mandates **eight specific clauses** (from instruction-only processing and confidentiality, through Art. 32 security measures, sub-processor rules, assistance obligations, to data return/erasure and audit rights). Violations of Art. 28 can be fined up to **€10 million or 2 % of global annual turnover** under Art. 83(4)(a) GDPR.

## Key facts

| Item | Value |
|---|---|
| Legal basis | Regulation (EU) 2016/679, Article 28 |
| Obligation to contract | Art. 28(3) sentence 1 GDPR |
| Form | written or electronic (Art. 28(9)) |
| Processor (legal definition) | Art. 4(8) GDPR – natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller |
| Processor selection duty | Art. 28(1) – only processors providing sufficient guarantees of GDPR compliance |
| Mandatory clauses | Art. 28(3) lit. a–h GDPR (eight items) |
| Minimum specifications (Art. 28(3) sentence 1) | subject-matter, duration, nature and purpose of processing, type of personal data, categories of data subjects, controller's rights and obligations |
| Sub-processors (Art. 28(2) and (4)) | only with prior specific or general written authorisation; same obligations must be imposed downstream |
| Standard contractual clauses (Art. 28(7) and (8)) | EU Commission and supervisory authorities may adopt clauses |
| Max fine (Art. 83(4)(a)) | up to €10 million or 2 % of global annual turnover |
| Independent processor liability (Art. 82(2)) | for breach of obligations specifically directed to processors |

## When is a DPA required?

A "processor" relationship under Art. 4(8) GDPR exists when an external service provider processes personal data **on behalf of and under instructions from** the controller, without independently determining the purposes and means of processing. Typical cases:

- web hosting,
- cloud storage and SaaS services,
- external payroll services,
- newsletter dispatch services,
- external IT hosting,
- remote maintenance with access to production data,
- external document shredding services.

Not covered: cases where the external party is a **joint controller** (Art. 26 GDPR) or processes the data for its own purposes — those require their own legal basis, and a DPA alone is not sufficient.

## Eight mandatory clauses (Art. 28(3) lit. a–h)

The DPA must oblige the processor to:

- **(a)** process personal data **only on documented instructions** of the controller — including in relation to third-country transfers — unless EU or Member State law requires otherwise;
- **(b)** ensure that persons authorised to process the personal data have **committed themselves to confidentiality** or are under an appropriate statutory obligation of confidentiality;
- **(c)** take all measures required under **Art. 32 GDPR** — appropriate **technical and organisational measures (TOMs)** for security;
- **(d)** comply with the conditions in Art. 28(2) and (4) for **engaging sub-processors**;
- **(e)** **assist the controller** by appropriate TOMs in fulfilling its obligation to respond to data subject rights requests (Art. 12–22 GDPR), where possible;
- **(f)** **assist the controller** in ensuring compliance with Art. 32–36 GDPR (security of processing, data breach notification, impact assessments, prior consultation);
- **(g)** at the end of the processing services, **delete or return all personal data** to the controller, at the controller's choice, unless storage is required by law;
- **(h)** make available to the controller **all information necessary to demonstrate compliance** with Art. 28 obligations and allow for and contribute to **audits** and inspections.

Under Art. 28(3) subparagraph 2 GDPR, the processor must also immediately inform the controller if it considers an instruction to be unlawful.

## Minimum specifications in the contract (Art. 28(3) sentence 1)

In addition to the eight items, the DPA must specify the **subject-matter, duration, nature and purpose of processing, type of personal data, categories of data subjects, and the obligations and rights of the controller**. These points are not lettered in the regulation, but they are equally mandatory and are typically captured in a separate annex in supervisory-authority model contracts.

## Sub-processors (sub-processing)

Under Art. 28(2) GDPR, the processor may engage further processors (sub-processors) **only with prior specific or general written authorisation** from the controller. With general authorisation, the processor must inform the controller of any intended changes and give the controller an opportunity to object.

Under Art. 28(4) GDPR, the sub-processor must be bound by **the same data protection obligations** as those in the main contract between controller and processor. If the sub-processor breaches its obligations, the processor remains fully liable to the controller.

## Form and standard contractual clauses

Under Art. 28(9) GDPR, the contract must be **in writing, including in electronic form**. A handwritten signature is not required; electronic conclusion (e.g., a signed PDF or online acceptance) is sufficient, provided that the conclusion of the contract and its content remain provable.

Under Art. 28(7) and (8) GDPR, the EU Commission and national supervisory authorities may adopt **standard contractual clauses**. The EU Commission published such clauses for processing inside the EEA in Implementing Decision (EU) 2021/915 of 4 June 2021; their use is voluntary.

## Liability and sanctions

Violations of Art. 28 obligations are sanctioned under **Art. 83(4)(a) GDPR** with administrative fines of up to **€10 million or 2 % of the worldwide annual turnover** of the preceding financial year — whichever is higher.

If a processor processes data **contrary to the lawful instructions** of the controller, or determines the purposes and means of processing itself, it is deemed to be a **controller in respect of that processing** under Art. 28(10) GDPR — with all corresponding obligations and liability risks.

Toward third parties, under Art. 82(2) GDPR the processor is liable to data subjects only insofar as it has not complied with obligations specifically directed at processors, or has acted contrary to the controller's lawful instructions.

## Sources

- Regulation (EU) 2016/679 – GDPR full text (EUR-Lex, English):
  https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679
- BfDI – Model DPA (PDF, German):
  https://www.bfdi.bund.de/SharedDocs/Downloads/DE/Muster/Muster_zur_Auftragsverarbeitung.pdf
- German DSK – Short Paper No. 13: Processing on Behalf, Art. 28 GDPR (PDF, German):
  https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_13.pdf
- EU Commission Implementing Decision (EU) 2021/915 of 4 June 2021 (Standard Contractual Clauses for processing under Art. 28):
  https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0915
- Lower Saxony DPA – DPA under Art. 28 GDPR (German):
  https://www.lfd.niedersachsen.de/startseite/themen/auftragsverarbeitung_nach_art_28_ds_gvo/auftragsverarbeitung-nach-art-28-dsgvo-179673.html

## German version

- [DSGVO Art. 28 – Auftragsverarbeitungs-Vertrag (AVV)](https://nexvyra.de/fakten/auftragsverarbeitung-art-28.html)

## Status

- Last reviewed: 2026-05-28
- Valid from: 2018-05-25 (entry into force of GDPR)
- Status: current
- Source authority: A (EUR-Lex, EU Commission, BfDI, DSK, German state DPAs)
- License: CC BY 4.0
