
GDPR Data Processing Agreement (DPA) — Free Template

GDPR Article 28(3) requires a written contract between Controller and Processor whenever the Processor handles personal data on the Controller's behalf. This template includes every mandatory clause, plus the operational schedules (categories of data, sub-processors, technical and organisational measures) that supervisory authorities examine during enforcement.

Who needs it
  • Any controller engaging a SaaS or cloud processor handling personal data of EEA / UK / Swiss subjects
  • Processors signing customer DPAs (use as a baseline you offer)
  • Sub-processors required by upstream processors (Art. 28(4) flow-down)
  • Any business with website analytics, support tools, or marketing platforms touching EU user data
What's included
  • Subject matter, duration, nature, and purpose of processing (Art. 28(3))
  • Categories of personal data and data subjects (Schedule 1)
  • Documented instructions clause
  • Confidentiality undertakings
  • Security measures (Art. 32) — Schedule 2 TOMs
  • Sub-processor authorisation and flow-down (Art. 28(2) & (4))
  • International transfer mechanism (SCCs 2021/914, UK IDTA, Swiss addendum)
  • Assistance with data-subject requests (Art. 12-23)
  • Breach notification timeline (without undue delay)
  • Return or deletion at end of processing
  • Audit and inspection rights

Template — full text

1. Parties and Subject Matter

This Data Processing Agreement ("DPA") is entered into between [Company Legal Name], [Company Registered Address] ("Controller"), and [Processor Legal Name], [Processor Address] ("Processor"), and forms part of the [Master Services Agreement / Order Form] between the Parties ("Principal Agreement"). It governs Processor's processing of personal data on behalf of Controller and is intended to comply with Article 28 of Regulation (EU) 2016/679 ("GDPR") and, where applicable, the UK GDPR and the Swiss FADP.

2. Definitions

"Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Data Subject", and "Supervisory Authority" have the meanings given in GDPR Article 4. "Standard Contractual Clauses" or "SCCs" means the EU Commission Implementing Decision 2021/914 modules as applicable.

3. Scope and Roles

Controller appoints Processor to process Personal Data only on documented instructions from Controller, including with regard to transfers to a third country, unless required to do so by EU or Member-State law to which Processor is subject. Processor shall inform Controller of any such legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

4. Details of Processing (Schedule 1)

The subject matter, duration, nature, and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are described in Schedule 1 to this DPA.

5. Confidentiality

Processor shall ensure that all persons authorised to process Personal Data are subject to an enforceable obligation of confidentiality or are under an appropriate statutory duty of confidentiality.

6. Security of Processing (Schedule 2)

Processor shall implement appropriate technical and organisational measures pursuant to GDPR Article 32 to ensure a level of security appropriate to the risk. The measures in place as of the Effective Date are described in Schedule 2 (Technical and Organisational Measures), which Processor may update from time to time provided the updates do not materially reduce the level of protection.

7. Sub-processors

Controller provides general written authorisation for Processor to engage sub-processors, subject to the conditions in this Section. Processor shall:
  • Maintain an up-to-date list of sub-processors at [Sub-processor List URL] and notify Controller of intended additions or replacements at least thirty (30) days in advance
  • Allow Controller to object on reasonable grounds; the Parties shall work in good faith to resolve, failing which Controller may terminate the affected services
  • Impose on each sub-processor, by written contract, the same data protection obligations as in this DPA (Art. 28(4))
  • Remain fully liable to Controller for the performance of any sub-processor's obligations

8. International Transfers

Where Processor transfers Personal Data outside the EEA / UK / Switzerland to a country not benefiting from an adequacy decision, the transfer is governed by the SCCs (Module 2 for Controller-to-Processor; Module 3 for Processor-to-Sub-processor), incorporated by reference into this DPA. The UK International Data Transfer Addendum and the Swiss Addendum apply where relevant. Processor shall complete and document a Transfer Impact Assessment for each destination and apply supplementary measures where required.

9. Data Subject Rights

Taking into account the nature of the processing, Processor shall assist Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling Controller's obligation to respond to requests for exercising Data Subject rights (Art. 12-23) within statutory deadlines.

10. Personal Data Breach Notification

Processor shall notify Controller without undue delay and in no event later than forty-eight (48) hours after becoming aware of a Personal Data Breach. The notification shall include, to the extent known, the nature of the breach, categories and approximate number of Data Subjects affected, categories and approximate number of records concerned, likely consequences, and measures taken or proposed.

11. Data Protection Impact Assessments

Processor shall provide reasonable assistance to Controller with any Data Protection Impact Assessments (Art. 35) and prior consultations with Supervisory Authorities (Art. 36) that Controller reasonably considers required.

12. Deletion or Return of Personal Data

Upon termination of the Principal Agreement, Processor shall, at the choice of Controller, delete or return all Personal Data and delete existing copies, unless EU or Member-State law requires storage of the Personal Data. Processor shall provide written confirmation of deletion within thirty (30) days.

13. Audit and Information Rights

Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller. Audits shall be at Controller's expense, subject to reasonable notice and confidentiality undertakings, and may be satisfied by Processor's most recent SOC 2 Type II or ISO 27001 audit report unless Controller has reasonable grounds to require an on-site audit.

14. Term, Liability, and Miscellaneous

This DPA is effective on the date of the last signature and continues for the term of the Principal Agreement. Liability under this DPA is subject to the limitations of liability in the Principal Agreement, except where prohibited by applicable law. If any provision of this DPA is invalid, the remaining provisions remain in effect.

Schedule 1 — Description of Processing

Subject matter: [e.g. provision of SaaS services described in the Principal Agreement]
Duration: For the term of the Principal Agreement plus any post-termination retention
Nature and purpose: [e.g. hosting, storage, support, analytics, billing]
Categories of Personal Data: [contact data, account credentials, content uploaded, usage logs, IP address, device IDs, billing data]
Categories of Data Subjects: [Controller's employees, end users, customers, prospects]
Special categories (if any): [none / specify]
Frequency: [continuous / on demand]
Retention: [as set out in Controller's instructions or the Principal Agreement]

Schedule 2 — Technical and Organisational Measures

Processor implements at least the following measures:
  • Pseudonymisation and encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Role-based access control with least-privilege and quarterly access reviews
  • MFA on all admin and production access
  • Centralised logging and SIEM alerting on anomalous activity
  • Documented incident response and breach notification procedures
  • Annual penetration testing and continuous vulnerability scanning
  • Background checks and confidentiality undertakings for personnel
  • Vendor risk management and sub-processor due diligence
  • Regular backups with restore testing
  • Business continuity and disaster recovery plan with annual exercise
Disclaimer: This template is provided for general informational purposes only and does not constitute legal advice. Customise to your specific facts and have counsel review before execution.

Fields you customise

  • Controller and Processor legal names and addresses
  • Principal Agreement reference
  • Sub-processor list URL
  • Schedule 1 — categories of data, data subjects, retention
  • Schedule 2 — actual TOMs implemented (update from defaults)
  • Governing law (typically Controller's jurisdiction)
Want a branded, multi-framework, board-ready version?

The ComplianceIQ generator produces this document in your company name and brand, mapped across every framework you need (HIPAA + GDPR + SOC 2 + ISO simultaneously), exported as DOCX + PDF, and scored against the audit checklist. Pre-populated with your tenant-specific values so nothing is left in brackets.


FAQ

Is this DPA aligned with the 2021 SCCs?
Yes. Section 8 incorporates the EU Commission Implementing Decision 2021/914 SCCs by reference. For controller-to-processor onward transfers you would attach the Module 2 clauses; for processor-to-sub-processor you would attach Module 3. The UK IDTA and Swiss addendum slot in for UK / Swiss data subjects.
Why a 48-hour breach notification deadline?
GDPR requires Controllers to notify the Supervisory Authority within 72 hours of becoming aware of a breach. Building in a 48-hour processor-to-controller deadline gives the Controller a 24-hour buffer to triage and notify, which is exactly the operational lead time supervisory authorities scrutinise during enforcement.
Can a Processor object to a customer's DPA?
Yes — Processors regularly require their own DPA. Use this template as a starting baseline for the terms you can accept. The non-negotiables for Controllers are the Art. 28(3) clauses (instructions, confidentiality, security, sub-processors, data-subject assistance, breach notification, deletion, audit) — those must remain intact.
Does this cover the UK GDPR and Swiss FADP?
Yes — Section 1 extends the DPA's scope to the UK GDPR and Swiss FADP, and Section 8 references the UK International Data Transfer Addendum and Swiss Addendum to the SCCs for cross-border transfers.

What happens when this control fails

  • Meta Platforms — €1.2B: Largest GDPR fine ever — EU→US data transfers under invalidated Privacy Shield framework
  • Amazon Europe Core — €746M: Largest GDPR fine at the time — behavioural ad targeting without valid consent
  • TikTok — €345M: Children's accounts defaulted to public — GDPR Articles 5, 12, 24, 25 violations
