GDPR Guide — Article 28 Requirements

Data Processing Agreement Requirements Under GDPR: What You Must Include (and What Most Organizations Get Wrong)

Managing DPAs across dozens of processors and multiple group entities? One missing clause can expose you to fines of up to €10 million or 2% of worldwide annual turnover, whichever is higher, under Article 83(4). Here's exactly what Article 28 requires, plus a free checklist to audit every agreement you have.

PDF. No credit card. Used by privacy teams managing 50+ processor relationships.

Trusted by privacy teams across 15+ countries in pharma, financial services, manufacturing, and technology

Industries: Healthcare, Aviation, Energy, Legal, Technology

Customers include: Pilatus Aircraft, Open Medical, Zurzach Care, AXA, Trapeze, Glencore, Liferay, CareerFairy, Voicepoint, Kellerhals Carrard, Aclaris, Avantec, Diakonie Bethanien

Why Most Data Processing Agreements Fail a GDPR Audit

A DPO inherits 80+ processor agreements. Some drafted by procurement, some by external counsel years ago, some the processor's own template accepted without redlining. An audit reveals systemic gaps — not because anyone was careless, but because the problem is structural.

37% of audited DPAs are missing mandatory sub-processor notification clauses (figure based on EDPB enforcement trend analysis)

Volume That Overwhelms Manual Review

Mid-market and enterprise organizations manage dozens to hundreds of processor agreements. Each one needs individual review against Article 28 requirements. When you're tracking DPAs in spreadsheets across multiple business units, gaps aren't a risk — they're a certainty.

Result: an aircraft manufacturer reduced compliance admin time by 60% in its first 6 months by replacing manual tracking with automated vendor and agreement oversight.

50%+ of DPAs use vague processing descriptions such as "as necessary to provide the service" (a common finding in supervisory authority audits). Article 28(3) requires the contract itself to set out the subject-matter, duration, nature and purpose of the processing, the type of personal data and the categories of data subjects; a catch-all phrase satisfies none of these.

Multi-Entity Complexity Creates Blind Spots

Different subsidiaries may act as controllers or processors depending on the data flow, creating a matrix of agreements that no single person can hold in their head. A data processing agreement that satisfies the Hamburg supervisory authority may not meet the CNIL's specific expectations, and the role of each entity (controller, joint controller or processor) has to be determined per data flow, not per legal entity. Without group-wide visibility, you're managing compliance in fragments.

Result: Zurzach Care achieved 100% vendor risk assessment coverage across their entire organization — eliminating the blind spots that come with decentralized agreement management.

0% recertification rate: in organizations relying on manual processes, signed DPAs are typically never formally re-reviewed after signature

Recertification Decay Erodes Compliance Over Time

DPAs are signed and filed away. Processing activities evolve (new sub-processors are added, data categories change, transfer mechanisms expire) but the agreements collecting dust in SharePoint don't. Post-Schrems II, almost no legacy DPAs include transfer impact assessment obligations, and agreements still relying on the pre-2021 Standard Contractual Clauses had to migrate to the 2021 SCCs (which build the assessment in at Clause 14) by 27 December 2022. This isn't negligence. It's the natural consequence of managing living documents with static tools.

Result: AXA went from ad-hoc reviews to a 100% recertification rate for its ROPA (the Article 30 record of processing activities) with fully automated workflows, ensuring agreements always reflect actual processing activities.

200+ hours saved on ROPA management: Medtec saved 200+ hours preparing for ISO 27001 certification, time previously spent on manual documentation and audit prep across their privacy program.

60% lower cost vs. legacy platforms: an aircraft manufacturer cut compliance admin time by 60% in its first 6 months, with predictable pricing based on entity count, not per-user expansion traps.

3 months ahead of schedule on ISO 27001: Medtec reached audit-readiness three months ahead of their planned timeline using Priverion's integrated evidence packages and automated documentation workflows.

Priverion vs. OneTrust

Why mid-market companies are making the switch

OneTrust serves Fortune 500 organizations with broader GRC scope and dedicated privacy teams. Priverion was built for organizations that need enterprise-grade compliance without the enterprise overhead.

The enterprise incumbent

What mid-market teams tell us about OneTrust

  • Per-module pricing adds up fast.

    What starts as a ROPA tool becomes a six-figure contract once you add DSR handling, vendor management, and incident workflows. Per-user fees multiply across subsidiaries.

  • US-hosted data raises transfer questions.

    In a post-Schrems II world, hosting compliance data on US infrastructure creates the very cross-border transfer risk you're trying to manage. The EU-US Data Privacy Framework (adequacy decision adopted in July 2023) covers transfers to certified US organizations, but the transfer still has to be identified, mapped and kept under review in your own records, and European hosting options come with additional complexity.

  • Built for the Fortune 500, not the Mittelstand.

    Feature depth is impressive — but most mid-market DPOs use 20% of the platform and spend months in implementation. Complexity becomes a cost in itself.

  • 200+ integrations — but how many do you use?

    A broad connector library sounds great in a demo. In practice, shallow integrations create maintenance overhead and data sync issues that fall on already-stretched compliance teams.

  • ESG, ethics hotlines, cookie consent bundled in.

    If you need a GRC mega-platform that covers everything from ESG to whistleblower management, OneTrust is a legitimate choice. But if your mandate is privacy program management, you're paying for modules you'll never open.

Built for group-wide privacy

What makes Priverion different

  • Predictable pricing, no expansion traps.

    Pricing based on number of entities and organizational size — not per-user or per-module. Add team members across subsidiaries without watching costs multiply. Every capability included from day one.

  • Guaranteed Swiss data sovereignty.

    Swiss-built and Swiss-hosted. All data processing takes place within Swiss infrastructure. Switzerland holds an EU adequacy decision, so transfers from the EEA to Swiss hosting need neither Standard Contractual Clauses nor a transfer impact assessment. European data residency is not a premium add-on; it's our architecture. Your compliance data never crosses an Atlantic cable.

  • Operational in weeks, not months.

    A focused platform means faster onboarding. An aircraft manufacturer achieved a 60% reduction in compliance admin time within the first 6 months of deployment, including full rollout across subsidiaries.

  • Deep integrations where they matter.

    We integrate deeply with HR, procurement, and IT asset management systems — the workflows that actually drive privacy compliance. No shallow connectors that break during updates.

  • All-in-one privacy program management.

    ROPA, DPIA and TIA (data protection and transfer impact assessments), vendor risk, incident management, DSR handling, AI Act readiness, cross-entity data mapping, and compliance dashboards, all in a single platform. We don't cover ESG or cookie consent because that's not our mandate. Privacy is.

Honest note: If you're a single-entity company or need a full GRC suite covering ESG, ethics hotlines, and cookie consent, we're probably not the right fit. Our strength is group-wide privacy program management for organizations with multiple entities and jurisdictions.

Free Checklist

GDPR Data Processing Agreement Requirements Checklist

Stop second-guessing whether your DPAs actually meet Article 28. This checklist walks you through every mandatory clause — so you can review vendor agreements in minutes, not hours.

What's inside:

  • All 12 mandatory elements under GDPR Article 28(3) (the subject-matter, duration, nature and purpose of processing, data types and data-subject categories required by its opening paragraph, plus the eight processor obligations in points (a) to (h)), broken into plain-language requirements you can verify against any vendor contract
  • Sub-processor obligation checklist — the clauses most organizations miss that create the biggest audit exposure
  • Cross-border transfer requirements tied to each DPA clause, including SCC integration points post-Schrems II
  • Red-flag indicators that signal a vendor's DPA is boilerplate — and the specific language to negotiate instead

Free PDF. No demo required. We'll send it to your inbox. See our data protection notice.

Stop managing compliance in spreadsheets

Your group-wide privacy program deserves 30 minutes of clarity

See how organizations like an aircraft manufacturer customer cut compliance admin time by 60% in six months, with automated ROPA recertification, AI-assisted DPIAs, and cross-entity visibility across every subsidiary. All built and hosted in Switzerland.

Time to go live: weeks, not months

Pricing: no per-user fees, predictable pricing by entity count

Hosting: 100% Swiss-hosted, European data residency guaranteed

Book a 30-minute walkthrough

No sales pitch. A live walkthrough tailored to your group structure and compliance priorities.

The Privacy Compliance Briefing

Monthly insights on GDPR enforcement, Swiss FADP updates, and automation strategies for DPOs and compliance teams.

No spam. Unsubscribe anytime.