DPA Template 2026: What Must Be Included, What Must Not (Art. 28 GDPR)
Practitioner note: This article is practice-oriented compliance documentation, not legal advice. We are compliance specialists, not a law firm. For legally binding advice, please consult a qualified attorney.
TL;DR
- A DPA is mandatory for every instance of processing carried out on behalf of a controller — under Art. 28 (3) GDPR
- 8 mandatory contents: subject matter, duration, purpose, data types, obligations, confidentiality, sub-processing, TOMs
- BayLDA 2024: Tax advisors are not processors — no DPA required
- Schrems II / DPF annex mandatory for US sub-processors
- Right-to-audit should be explicitly anchored
1. What is a DPA?
A Data Processing Agreement (DPA) is, under Art. 28 (3) GDPR, a mandatory contract between the controller and the processor. It governs the processing of personal data that the processor carries out on the controller's behalf.
"Processing by a processor shall be governed by a contract or other legal act..." — Art. 28 (3) GDPR
If you do not want to draft the full set of documents from scratch, the GDPR Kit provides a DPA template contract, processor assessment questionnaire and processor inventory Excel.
2. When is a DPA required?
A DPA is required when three criteria converge:
- An external party processes
- personal data for you
- on your instructions (no own processing interest)
Typical processor scenarios:
- IT hosting (AWS, Azure, GCP, Hetzner)
- Cloud software (Microsoft 365, Salesforce, HubSpot)
- Newsletter tools (Mailchimp, Brevo, CleverReach)
- Payroll service providers (often, not always)
- IT maintenance providers with data access
- Backup providers
- SOC / external IT security
3. 8 mandatory contents under Art. 28 (3) GDPR
| Mandatory content | Example |
|---|---|
| 1. Subject matter + duration | "Hosting of the M365 tenant for Mustermann GmbH, contract duration 36 months" |
| 2. Nature and purpose | "Storage of emails, documents, calendar data for business communication" |
| 3. Data types + categories of data subjects | "Master data of employees, customer communication, sporadically Art. 9 data (cases of illness)" |
| 4. Obligations + rights of the controller | Right to issue instructions, right-to-audit, notification of incidents |
| 5. Confidentiality (lit. b) | Processor's employees sign confidentiality declaration |
| 6. Sub-processing (lit. d) | List in advance + approval/objection procedure |
| 7. Assistance with data subject rights (lit. e) | Responses to data subjects within 14 days |
| 8. TOMs (lit. c) + audit (lit. h) | TOM annex + annual right to audit |
4. 6 typical DPA mistakes
- Generic 'template contract from the internet': does not cover your specific processing activities
- Missing sub-processor list: Microsoft has ~80 sub-processors — all must be listed
- Third-country transfer without SCC/DPF annex: mandatory for US tools (Mailchimp, Zoom, Salesforce)
- Right-to-audit missing or ineffective ('with 6 months' advance notice')
- Data return after contract termination not regulated
- Version management: old DPA version from 2018 still in use despite new SCC 2021/914
5. Schrems II / DPF annex
For US processors or sub-processors in third countries: mandatory annex with:
- Standard Contractual Clauses (SCC 2021/914) OR
- DPF certification proof (for DPF-certified US companies)
- Transfer Impact Assessment (TIA)
- Additional technical measures (encryption, pseudonymisation)
6. BayLDA: What is not a DPA
| Profession | Processor or independent controller? |
|---|---|
| Tax advisor | Independent controller (BayLDA 2024) — NO DPA |
| Auditor | Independent controller |
| Attorney | Independent controller (professional confidentiality) |
| Payroll accountant (external) | Generally processor — DPA required |
| Cloud hosting | Processor — DPA required |
| Mailing service provider (letter, parcel) | Independent controller |
7. DPA checklist before signing
- All 8 mandatory contents included?
- Sub-processor list available + objection procedure regulated?
- TOM annex specific (not just "appropriate TOMs")?
- Third-country annex (SCC/DPF) for US sub-processors?
- Right-to-audit contractually anchored?
- Data return + deletion after contract termination regulated?
- Version date + validity documented?
- Both sides signed (digital signatures accepted)?
Frequently asked questions
Is a DPA needed with my tax advisor?
No. BayLDA 2024 clarified: tax advisors are independent controllers, not processors. No DPA under Art. 28 GDPR.
Is the standard provider DPA sufficient?
Often yes, but check: third-country transfer clauses, sub-processor list, data return after contract end, right-to-audit. Adjustments under Art. 28 GDPR are permissible.
DPA with Microsoft 365 — what must be in it?
The MS standard DPA is not enough. Mandatory adjustments: EU Data Boundary activated, DPF guarantee for US sub-processors, telemetry configuration, Copilot tenant isolation.
Must all sub-processors be approved?
Art. 28(2) GDPR: the processor may only engage sub-processors with prior approval. In practice: general approval in the DPA with a right to object to specific sub-processors.
Who is liable for DPA breaches?
The controller is primarily liable in the external relationship. The processor is liable for its own breaches; internal compensation between the two is settled via the DPA. CJEU C-340/21: immaterial damages can be claimed even where the harm consists of the mere fear of damage.
What does a professional DPA cost?
Lawyer fees: EUR 800–3,000 per DPA. Adjusting a standard template: EUR 200–800. The Compliance-Kit GDPR Kit: EUR 490–1,490 one-time, with template and assessment questionnaire.
Sources
- Regulation (EU) 2016/679 (GDPR) — Art. 28 processor agreement (As of: 2026-05-02)
- Commission Decision (EU) 2023/1795 — EU-US Data Privacy Framework (As of: 2026-05-02)
- CJEU C-340/21 — Art. 82 GDPR damages (As of: 2026-05-02)