📖 Privacy explained

What is a Data Processing Agreement (DPA) under GDPR Art. 28?

Contract between controller and processor on how personal data is handled — mandatory under GDPR Art. 28.

Last reviewed: 25 May 2026

A Data Processing Agreement (DPA) (Dutch: verwerkersovereenkomst) is a mandatory written contract between controller and processor (GDPR Art. 28). Working with a processor without a DPA is a GDPR violation (Art. 83(4), fine up to €10m / 2%).

Mandatory content (Art. 28(3)):

  • (a) subject, duration, nature and purpose of the processing
  • (b) data types and categories of data subjects
  • (c) controller obligations and rights
  • (d) the processor acts only on the controller's documented instructions
  • (e) staff bound by confidentiality
  • (f) security measures (Art. 32)
  • (g) sub-processors only with the controller's approval
  • (h) assistance with data subject rights (Art. 12-22)
  • (i) assistance with the Art. 32-36 obligations (security, breaches, DPIA)
  • (j) after the contract ends: erase or return the data
  • (k) audit rights and evidence of compliance

Sub-processors: if the processor engages another party (e.g. AWS behind a SaaS), a DPA is required there too, and you as controller must be informed.

SCCs: for processors outside the EU (USA, UK, etc.), the DPA must be combined with Standard Contractual Clauses covering the transfer.

Practical for SMBs: major SaaS providers (Google, Microsoft, HubSpot, Stripe) offer standard DPAs in their account portal: accept and sign. Many smaller suppliers don't have one, so request one or switch supplier.

Tip for consumers: in an access request you can ask for a "list of all processors and sub-processors"; if the business can't deliver it, there are probably no DPAs in place.
