
Data Processing Agreement (DPA) — template GDPR Art. 28

Working with an external processor (cloud, email, accountant)? GDPR Art. 28 makes a DPA mandatory. Template and checklist.

Last reviewed: 25 May 2026
See our article on the DPA.

Mandatory DPA content (GDPR Art. 28(3)):

  • (a) subject, duration, nature and purpose of the processing
  • (b) data types and categories
  • (c) controller obligations and rights
  • (d) processor only acts on instruction
  • (e) staff under confidentiality
  • (f) security (Art. 32)
  • (g) sub-processors with approval
  • (h) assistance with data-subject rights
  • (i) assistance with security, breaches and DPIAs
  • (j) return or erasure of data after the contract ends
  • (k) audit rights and evidence

Sub-processor aspect: if the processor engages a third party (e.g. AWS behind a SaaS), a DPA must also be in place for that relationship, and you as controller must know about it.

Schrems II addition: for a processor outside the EU (USA, UK, etc.), the transfer requires the DPA plus SCCs and a Transfer Impact Assessment.

In practice for SMBs: major SaaS providers (Google, Microsoft, HubSpot, Stripe) offer standard DPAs in the account portal: accept and sign. For smaller providers: request one or switch.

Standard NL templates: NBA (accountants), SIVON (education) and Zorginstituut (healthcare) offer sector-specific DPAs free of charge. For a standalone DPA, use the AP template and the ICTRecht open-source DPA as a base.
