GDPR Article 28 DPA: The Clauses You Must Have and How to Negotiate Them
March 18, 2026

A clause-by-clause walkthrough of every GDPR Article 28 requirement: subject matter, duration, security measures, subprocessors, DSAR assistance, audit rights, and data return. With negotiation tactics for vendor pushback.

Tags: GDPR, Article 28, DPA, Privacy, Procurement

TL;DR

  • Article 28(3) requires 8 specific clauses in every DPA between a controller and a processor.
  • Enterprise customers push for broad audit rights and short subprocessor notification windows; vendors push back.
  • The EU 2021 Controller-Processor SCCs can function as your DPA directly — no custom drafting required.

GDPR Article 28 is the most operational clause in the regulation. Article 5 tells you what principles to respect. Article 28 tells you exactly what must be written into every contract between a controller and a processor. It is enforceable both contractually (the other party can sue you) and regulatorily (a Data Protection Authority can fine you for an incomplete DPA).

This guide walks through every mandatory clause, the common variations enterprise procurement teams demand, and the negotiation positions that typically hold.

Who Is Controller and Who Is Processor

Before drafting anything, establish the relationship correctly.

A controller determines the purposes and means of processing. In B2B SaaS, the customer is typically the controller for the end-user data they upload into your product. The controller decides why the data is processed and how.

A processor processes personal data on behalf of a controller. The SaaS vendor is the processor when handling customer-uploaded data. The processor follows the controller's instructions and cannot use the data for independent purposes.

Most SaaS vendors are both simultaneously: controller for their own employees, marketing leads, and website visitors; processor for their customers' end-user data. A single DPA can cover both relationships with appropriate structure, but in enterprise procurement most buyers request a dedicated controller-processor DPA.

For the full picture of how these roles fit, see our GDPR operations guide.

The 8 Mandatory Article 28(3) Clauses

Article 28(3) requires the DPA to set out:

1. Subject Matter, Duration, Nature, and Purpose of Processing

A clear description of what data is processed, why, for how long, and as part of what service. Generic language ("to provide the Services") fails audit scrutiny. The clause should reference the specific service (e.g., "customer support ticketing via [Product Name] Platform") and tie to your service agreement.

Minimum content: service description, processing operations (storage, analysis, transmission), purpose (support delivery, authentication, analytics), duration (term of the Main Agreement plus retention period).

2. Type of Personal Data and Categories of Data Subjects

Specific enumeration. Enterprise procurement reviews DPAs looking for this section in particular — vague language here is a common rejection trigger.

Minimum content: categories of data subjects (customer's employees, customer's end users, etc.), categories of personal data (contact information, account credentials, usage data, IP addresses, etc.). Some industries require explicit mention of special category data under Article 9 if applicable.

3. Obligations and Rights of the Controller

This clause confirms the controller retains its decision-making authority. Typically references the controller's right to instruct the processor, the controller's ongoing obligations under GDPR, and the controller's right to approve changes that affect processing.

4. Processor Obligations

This is the bulk of the DPA. Article 28(3)(a)–(h) specifies eight processor obligations that must be written in:

(a) Process only on documented instructions. The processor acts only per written instructions and flags any instruction that would violate EU or member state law.

(b) Confidentiality. Personnel processing the data commit to confidentiality (contractual or statutory).

(c) Article 32 security measures. Technical and organizational measures appropriate to risk. Do not leave this generic — specify: encryption at rest, encryption in transit, MFA, access controls, logging, vulnerability management, penetration testing cadence.

(d) Subprocessor restrictions. No engagement of another processor without prior specific or general written authorization of the controller.

(e) Assistance with data subject rights. Technical and operational assistance to enable the controller to respond to DSARs and other data subject rights within GDPR timelines. See our DSAR workflow guide for operational detail.

(f) Assistance with Articles 32–36. Security, breach notification, data protection impact assessments, and prior consultation.

(g) Data deletion or return at contract end. At the controller's choice, delete or return all personal data at the end of the service. Copies must also be deleted unless EU or member state law requires retention.

(h) Audit rights. The processor makes available information necessary to demonstrate compliance and allows for and contributes to audits.

5. Subprocessor Flow-Down

If the processor engages subprocessors, the same data protection obligations flow down to those subprocessors by contract. The processor remains fully liable to the controller for subprocessor failures.

6. International Transfers

If processing involves transfer of personal data outside the EEA, the DPA must reference an appropriate transfer mechanism: 2021 Standard Contractual Clauses, adequacy decision, or binding corporate rules. For transfers to the US, also address Data Privacy Framework status if the vendor is certified.

7. Term and Termination

The DPA must run concurrently with the underlying service agreement. Upon termination, the data deletion or return obligation kicks in. Many DPAs specify a 30- or 60-day window for return and a subsequent 30- or 60-day window for deletion (including backups).

8. Governing Law and Dispute Resolution

While not explicitly listed in Article 28(3), every enforceable DPA includes governing law and a dispute resolution mechanism. Most B2B SaaS DPAs use the customer's governing law (or the controller's home jurisdiction) and either the courts of that jurisdiction or agreed arbitration.

Clauses That Are Not Mandatory but Always Negotiated

Beyond the Article 28(3) mandatory content, most enterprise DPAs include several clauses that become the negotiation battleground.

Subprocessor Notification Windows

Enterprise position: 30 days' prior notice before adding a new subprocessor, with the right to object.

Vendor position: 15 to 30 days' notice, with the right to object limited to "reasonable" security-based grounds.

Common compromise: 30 days' notice to customer contacts listed on the account, right to object within 15 days, constructive consent if no objection.

Audit Rights

Enterprise position: Right to conduct on-site audits up to once per year, with reasonable notice.

Vendor position: Third-party audit reports (SOC 2, ISO 27001) satisfy audit rights; customer-initiated audits available only for cause or regulatory requirement.

Common compromise: Third-party audit reports provided annually; customer-specific audits for cause (breach, regulatory inquiry) only, with 30 days' notice and vendor-reasonable cost allocation.

Breach Notification Timeline

Enterprise position: 24 hours from awareness.

Vendor position: 72 hours (aligned with GDPR Article 33 regulator notification deadline).

Common compromise: 48 hours "without undue delay after becoming aware." Do not commit to 24 hours unless your incident response process genuinely supports it.

Data Deletion Windows

Enterprise position: Delete all data within 30 days of contract termination, including backups, with a deletion certificate.

Vendor position: Return or delete within 90 days; backups overwritten within the backup rotation schedule (typically 35–90 days); certificate of deletion available on request but not automatic.

Common compromise: Live data deletion within 30 days; backup overwrite per documented rotation schedule with maximum 90-day window; deletion confirmation on request.

Liability Caps

Enterprise position: Uncapped liability for GDPR breaches (or super-cap at 2x annual fees).

Vendor position: Liability capped at annual fees or 12 months' fees, consistent with the main services agreement.

Common compromise: Super-cap at 2x annual fees for data protection breaches; carve-outs for gross negligence, willful misconduct, and regulatory fines.

Using the 2021 EU Standard Contractual Clauses

The European Commission adopted new controller-processor SCCs in June 2021. These SCCs are explicitly designed to fulfill Article 28 requirements and can be used as the DPA directly, rather than as an annex to a custom DPA.

When to use SCCs as the DPA: You want a clean, regulator-tested instrument. Enterprise customers that accept SCC-based DPAs reduce negotiation time to days rather than weeks.

When to use a custom DPA: Your enterprise customers require their own format. Most Fortune 500 vendor risk teams have a preferred DPA template — negotiate their template rather than imposing SCCs if deal velocity matters.

Hybrid approach: Use a short custom DPA that incorporates the 2021 SCCs by reference and adds commercially negotiated terms (liability, audit, breach notification specifics) in a top-layer schedule. This is increasingly the dominant pattern in enterprise B2B SaaS.

Subprocessor List Discipline

Regardless of DPA language, maintain a current subprocessor list. This list lives on your trust center and includes:

  • Subprocessor legal name
  • Service provided
  • Processing location (country)
  • Categories of data processed
  • Date added

Update the list within 24 hours of any change. Customers on notification-based DPA clauses will audit against this list; discrepancies between your actual subprocessors and your public list create GDPR and contractual issues.

For subprocessor management as part of a full vendor risk program, see our TPRM guide.

DPA Negotiation Playbook for B2B SaaS

When an enterprise customer sends their DPA, work through it in this order.

Step 1: Check the Article 28(3) mandatory content. Confirm all 8 clauses are present. Push back if any are missing (rare; most enterprise DPAs over-specify).

Step 2: Identify the negotiable positions. Subprocessor notification, audit rights, breach timeline, liability, data deletion. Pre-approve your negotiating ranges internally before the first call.

Step 3: Flag jurisdictional issues. If the DPA specifies a jurisdiction you cannot accept (e.g., a country where you have no operating presence), flag early.

Step 4: Review transfer mechanism. If the DPA references SCCs for international transfers, confirm the correct module (controller-to-processor) and include the required annexes.

Step 5: Cross-check with your own vendor DPAs. You cannot offer your customer protections stronger than what you yourself receive from your subprocessors. If your customer requires 30-day subprocessor notification and your AWS contract gives you 14-day notice, you have a flow-down gap.

Step 6: Sign and file. Once agreed, version-control the DPA, file it with your legal document management system, and reference it in your subprocessor list and procurement kit.

Common Mistakes

Using a 2018-era DPA template. The 2021 SCCs superseded the 2010 clauses. DPAs referencing the old SCCs are invalid for international transfers initiated after December 27, 2022.

Vague Article 32 security measures. "Appropriate security measures" is not enough. Specify encryption, access control, incident response cadence, penetration testing.

Missing subprocessor approval mechanism. Failing to specify general or specific authorization is a common audit finding.

Inconsistent data categories. DPA lists "account data" but your actual service processes behavioral analytics that includes health information. The DPA must reflect reality.

No deletion certificate process. Customer requests deletion certificate at contract end; vendor has no process to produce one. Build the process before the first customer requests it.

Getting Started

If you are a B2B SaaS vendor operating in Europe or selling to EU enterprise customers, your DPA template is a top-five sales asset. Treat it as product, not legal administration.

For teams that need a GDPR-compliant DPA template, subprocessor governance, and DSAR workflow designed for enterprise customers, CertifyOps delivers operational GDPR programs that pass enterprise procurement and regulator review.