---
name: dpa-en-template-controller-processor
description: "English language Data Processing Agreement (DPA) template under Article 28 GDPR between a controller and a processor. Use when the contract language is English (cross-border deals UK Ireland US providers) and the parties require a stand-alone DPA. Output is a complete English DPA template coverin..."
---

# Data Processing Agreement (DPA) – English Template Controller / Processor

## Purpose

English-language DPA template under Article 28 GDPR for cross-border deals where the working language is English (UK/IE counterparties, US providers, EU multinationals).

In short: an English-language template for a data processing agreement (Auftragsverarbeitungsvertrag) under Art. 28 GDPR.

## When this module helps

- Cross-border deal where one party requires English contract language.
- US or UK SaaS / cloud provider is the processor.
- Multinational client requires a single DPA across multiple EU subsidiaries.
- DPA needs to be aligned with EU SCC modules (Decision (EU) 2021/914) for transfers outside the EEA.

## Legal framework

- Article 28 GDPR – Processor obligations.
- Article 28 (3) (a)-(h) GDPR – Eight mandatory contractual items.
- Article 32 GDPR – Technical and organisational measures.
- Article 33-34 GDPR – Personal data breach notification.
- Decision (EU) 2021/914 of 04 June 2021 – Standard Contractual Clauses for international transfers (in force since 27 June 2021).
- Decision (EU) 2021/915 of 04 June 2021 – Standard Contractual Clauses for the controller-processor relationship inside the EEA.
- UK GDPR – International Data Transfer Agreement (IDTA) where UK personal data is in scope.

## Procedure / Checklist

1. Define the parties: Controller, Processor.
2. Annex the description of processing (Annex I).
3. Annex the technical and organisational measures (Annex II).
4. Annex the list of approved sub-processors (Annex III).
5. Identify cross-border transfers and pair the DPA with the appropriate SCC module.
6. Define liability cap, indemnities and audit rights consistent with the playbook.
7. Sign in two counterparts; electronic signature is permitted under Article 28 (9) GDPR.

## Template

```
DATA PROCESSING AGREEMENT

This Data Processing Agreement ("DPA") forms part of and is incorporated
into the Main Agreement entered into between:

(1) [Controller Legal Name], a company organised under the laws of
    [jurisdiction], with its registered office at [address]
    ("Controller"); and

(2) [Processor Legal Name], a company organised under the laws of
    [jurisdiction], with its registered office at [address]
    ("Processor").

The Controller and the Processor are each a "Party" and together the
"Parties".

1. DEFINITIONS

1.1 "GDPR" means Regulation (EU) 2016/679.

1.2 "Personal Data", "Processing", "Data Subject", "Sub-processor" and
    "Supervisory Authority" shall have the meanings ascribed to them in
    Article 4 GDPR.

1.3 "Annex" means an annex to this DPA which forms an integral part
    hereof.

2. SCOPE AND ROLES

2.1 The subject matter, duration, nature and purpose of the Processing,
    the types of Personal Data and the categories of Data Subjects are
    set out in Annex I.

2.2 The Controller is the controller and the Processor is the processor
    within the meaning of Article 4 (7) and (8) GDPR.

3. PROCESSING ON DOCUMENTED INSTRUCTIONS (Art. 28 (3) (a) GDPR)

3.1 The Processor shall process the Personal Data only on documented
    instructions from the Controller, including with regard to transfers
    of Personal Data to a third country or an international organisation,
    unless required to do so by Union or Member State law.

3.2 The Processor shall immediately inform the Controller if, in its
    opinion, an instruction infringes the GDPR or other applicable data
    protection provisions.

4. CONFIDENTIALITY (Art. 28 (3) (b) GDPR)

4.1 The Processor shall ensure that persons authorised to process the
    Personal Data have committed themselves to confidentiality or are
    under an appropriate statutory obligation of confidentiality.

5. SECURITY OF PROCESSING (Art. 28 (3) (c), Art. 32 GDPR)

5.1 The Processor shall implement the technical and organisational
    measures set out in Annex II.

6. SUB-PROCESSING (Art. 28 (2), (4) GDPR)

6.1 The Processor shall not engage any sub-processor without the prior
    written authorisation of the Controller. General authorisation is
    granted for the sub-processors listed in Annex III.

6.2 The Processor shall inform the Controller of any intended changes
    concerning the addition or replacement of sub-processors at least
    thirty (30) days in advance, giving the Controller the opportunity
    to object.

7. ASSISTANCE WITH DATA SUBJECT RIGHTS (Art. 28 (3) (e) GDPR)

7.1 The Processor shall assist the Controller, by appropriate technical
    and organisational measures and insofar as this is possible, in the
    fulfilment of the Controller's obligation to respond to requests
    under Chapter III GDPR.

8. ASSISTANCE WITH SECURITY, BREACHES AND DPIA (Art. 28 (3) (f) GDPR)

8.1 The Processor shall notify the Controller without undue delay and in
    any event within forty-eight (48) hours after becoming aware of a
    Personal Data breach.

9. RETURN OR DELETION (Art. 28 (3) (g) GDPR)

9.1 Upon termination of the provision of services relating to
    Processing, the Processor shall, at the choice of the Controller,
    delete or return all the Personal Data and delete existing copies
    unless Union or Member State law requires storage of the Personal
    Data.

10. AUDIT AND INSPECTION (Art. 28 (3) (h) GDPR)

10.1 The Processor shall make available to the Controller all
     information necessary to demonstrate compliance with this DPA and
     Article 28 GDPR, and allow for and contribute to audits, including
     inspections, conducted by the Controller or another auditor
     mandated by the Controller, no more than once per calendar year,
     save in case of a Personal Data breach.

11. INTERNATIONAL TRANSFERS

11.1 Where Personal Data is transferred outside the EEA, the Parties
     shall enter into the relevant module of the EU Standard Contractual
     Clauses adopted by Commission Implementing Decision (EU) 2021/914
     of 04 June 2021.

12. LIABILITY (Art. 82 GDPR)

12.1 Each Party shall be liable in accordance with Article 82 GDPR.

13. TERM AND TERMINATION

13.1 This DPA shall remain in force for the term of the Main Agreement.

14. GOVERNING LAW AND JURISDICTION

14.1 This DPA shall be governed by the laws of [jurisdiction] and the
     courts of [court venue] shall have exclusive jurisdiction.

Annex I     Description of Processing
Annex II    Technical and Organisational Measures
Annex III   List of Sub-processors

Signed on behalf of the Controller:   Signed on behalf of the Processor:

__________________________________    __________________________________
Name:                                 Name:
Title:                                Title:
Date:                                 Date:
```

## Typical drafting errors

- "Controller" and "Processor" labels swapped relative to the actual processing reality.
- Annexes left blank or filled with marketing language.
- Sub-processor notice periods shorter than necessary to exercise meaningful objection rights.
- Liability caps that contradict Article 82 GDPR statutory liability.
- Audit clauses limited to certifications without a residual on-site right.
- Cross-border transfers covered only by general references; SCC module not actually executed.

## Sources

As of 06/2026

- Article 28 GDPR – Regulation (EU) 2016/679.
- Commission Implementing Decision (EU) 2021/914 of 04 June 2021, OJ L 199/31 of 07 June 2021.
- Commission Implementing Decision (EU) 2021/915 of 04 June 2021, OJ L 199/18 of 07 June 2021.
- EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, adopted 07 July 2021.
- Citation rules: `../../../references/zitierweise.md`.