---
name: dpa-en-template-controller-processor
description: "English-language Data Processing Agreement (DPA) template under Article 28 GDPR between a controller and a processor. Use when the contract language is English (cross-border deals; UK, Ireland, US providers) and the parties require a stand-alone DPA. Output is a complete English DPA template covering all eight mandatory items of Article 28 (3) GDPR."
---

# Data Processing Agreement (DPA) – English Template Controller / Processor

## Purpose

English-language Data Processing Agreement (DPA) template under Article 28 GDPR for cross-border deals where the working language is English (UK/IE counterparties, US providers, EU multinationals).

## When you need this skill

- Cross-border deal where one party requires English contract language.
- US or UK SaaS / cloud provider is the processor.
- Multinational client requires a single DPA across multiple EU subsidiaries.
- DPA needs to be aligned with EU SCC modules (Decision (EU) 2021/914) for transfers outside the EEA.

## Legal framework

- Article 28 GDPR – Processor obligations.
- Article 28 (3) (a)-(h) GDPR – Eight mandatory contractual items.
- Article 32 GDPR – Technical and organisational measures.
- Articles 33-34 GDPR – Personal data breach notification.
- Decision (EU) 2021/914 of 04 June 2021 – Standard Contractual Clauses for international transfers (in force since 27 June 2021).
- Decision (EU) 2021/915 of 04 June 2021 – Standard Contractual Clauses for the controller-processor relationship inside the EEA.
- UK GDPR – International Data Transfer Agreement (IDTA) where UK personal data is in scope.

## Procedure / Checklist

1. Define the parties: Controller, Processor.
2. Annex the description of processing (Annex I).
3. Annex the technical and organisational measures (Annex II).
4. Annex the list of approved sub-processors (Annex III).
5. Identify cross-border transfers and pair the DPA with the appropriate SCC module.
6. Define liability cap, indemnities and audit rights consistent with the playbook.
7. Sign in two counterparts; electronic signature is permitted under Article 28 (9) GDPR.

## Template

```
DATA PROCESSING AGREEMENT

This Data Processing Agreement ("DPA") forms part of and is incorporated into the
Main Agreement entered into between:

  (1) [Controller Legal Name], a company organised under the laws of [jurisdiction],
      with its registered office at [address] ("Controller"); and

  (2) [Processor Legal Name], a company organised under the laws of [jurisdiction],
      with its registered office at [address] ("Processor").

The Controller and the Processor are each a "Party" and together the "Parties".

1. DEFINITIONS
1.1 "GDPR" means Regulation (EU) 2016/679.
1.2 "Personal Data", "Processing", "Data Subject", "Sub-processor" and "Supervisory
    Authority" shall have the meanings ascribed to them in Article 4 GDPR.
1.3 "Annex" means an annex to this DPA which forms an integral part hereof.

2. SCOPE AND ROLES
2.1 The subject matter, duration, nature and purpose of the Processing, the types
    of Personal Data and the categories of Data Subjects are set out in Annex I.
2.2 The Controller is the controller and the Processor is the processor within the
    meaning of Article 4 (7) and (8) GDPR.

3. PROCESSING ON DOCUMENTED INSTRUCTIONS (Art. 28 (3) (a) GDPR)
3.1 The Processor shall process the Personal Data only on documented instructions
    from the Controller, including with regard to transfers of Personal Data to
    a third country or an international organisation, unless required to do so by
    Union or Member State law.
3.2 The Processor shall immediately inform the Controller if, in its opinion, an
    instruction infringes the GDPR or other applicable data protection provisions.

4. CONFIDENTIALITY (Art. 28 (3) (b) GDPR)
4.1 The Processor shall ensure that persons authorised to process the Personal Data
    have committed themselves to confidentiality or are under an appropriate
    statutory obligation of confidentiality.

5. SECURITY OF PROCESSING (Art. 28 (3) (c), Art. 32 GDPR)
5.1 The Processor shall implement the technical and organisational measures set
    out in Annex II.

6. SUB-PROCESSING (Art. 28 (2), (4) GDPR)
6.1 The Processor shall not engage any sub-processor without the prior written
    authorisation of the Controller. General authorisation is granted for the
    sub-processors listed in Annex III.
6.2 The Processor shall inform the Controller of any intended changes concerning
    the addition or replacement of sub-processors at least thirty (30) days in
    advance, giving the Controller the opportunity to object.

7. ASSISTANCE WITH DATA SUBJECT RIGHTS (Art. 28 (3) (e) GDPR)
7.1 The Processor shall assist the Controller, by appropriate technical and
    organisational measures and insofar as this is possible, in the fulfilment of
    the Controller's obligation to respond to requests under Chapter III GDPR.

8. ASSISTANCE WITH SECURITY, BREACHES AND DPIA (Art. 28 (3) (f) GDPR)
8.1 The Processor shall notify the Controller without undue delay and in any event
    within forty-eight (48) hours after becoming aware of a Personal Data breach.

9. RETURN OR DELETION (Art. 28 (3) (g) GDPR)
9.1 Upon termination of the provision of services relating to Processing, the
    Processor shall, at the choice of the Controller, delete or return all the
    Personal Data and delete existing copies unless Union or Member State law
    requires storage of the Personal Data.

10. AUDIT AND INSPECTION (Art. 28 (3) (h) GDPR)
10.1 The Processor shall make available to the Controller all information necessary
     to demonstrate compliance with this DPA and Article 28 GDPR, and allow for and
     contribute to audits, including inspections, conducted by the Controller or
     another auditor mandated by the Controller, no more than once per calendar
     year, save in case of a Personal Data breach.

11. INTERNATIONAL TRANSFERS
11.1 Where Personal Data is transferred outside the EEA, the Parties shall enter
     into the relevant module of the EU Standard Contractual Clauses adopted by
     Commission Implementing Decision (EU) 2021/914 of 04 June 2021.

12. LIABILITY (Art. 82 GDPR)
12.1 Each Party shall be liable in accordance with Article 82 GDPR.

13. TERM AND TERMINATION
13.1 This DPA shall remain in force for the term of the Main Agreement.

14. GOVERNING LAW AND JURISDICTION
14.1 This DPA shall be governed by the laws of [jurisdiction] and the courts of
     [court venue] shall have exclusive jurisdiction.

Annex I  Description of Processing
Annex II Technical and Organisational Measures
Annex III List of Sub-processors

Signed on behalf of the Controller:        Signed on behalf of the Processor:
__________________________________         __________________________________
Name:                                       Name:
Title:                                      Title:
Date:                                       Date:
```

## Typical drafting errors

- "Controller" and "Processor" labels swapped relative to the actual processing reality.
- Annexes left blank or filled with marketing language.
- Sub-processor notice periods shorter than necessary to exercise meaningful objection rights.
- Liability caps that contradict Article 82 GDPR statutory liability.
- Audit clauses limited to certifications without a residual on-site right.
- Cross-border transfers covered only by general references; SCC module not actually executed.

## Cross-references

- `datenschutzrecht/skills/dpa-en-tom-annex-template/SKILL.md`
- `datenschutzrecht/skills/avv-eu-kommission-musterklauseln-2021-915/SKILL.md`
- `datenschutzrecht/skills/avv-eu-us-data-privacy-framework-bezug/SKILL.md`
- `datenschutzrecht/skills/dpa-en-controller-controller-tmpl/SKILL.md`

## Sources (as of 06/2026)

- Article 28 GDPR – Regulation (EU) 2016/679.
- Commission Implementing Decision (EU) 2021/914 of 04 June 2021, OJ L 199/31 of 07 June 2021.
- Commission Implementing Decision (EU) 2021/915 of 04 June 2021, OJ L 199/18 of 07 June 2021.
- EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, adopted 07 July 2021.
- Citation rules: `../../../references/zitierweise.md`.
