Is a DPA needed with my tax advisor?

No. BayLDA 2024 clarified: Tax advisors are independent controllers, not processors. No DPA under Art. 28.

Is the standard provider DPA sufficient?

Often yes, but check: third-country transfer clauses, sub-processor list, data return after contract end, right-to-audit. Adjustments under Art. 28 are permissible.

DPA with Microsoft 365 — what must be in it?

MS standard DPA is not enough. Mandatory adjustments: EU Data Boundary activated, DPF guarantee for US sub-processors, telemetry configuration, Copilot tenant isolation.

Must all sub-processors approve?

Art. 28(2): Processor may only engage sub-processors with prior approval. Practice: General approval in DPA with right to object.

Who is liable for DPA breaches?

Primarily controller (external relationship). Processor liable for own breaches — internal compensation via DPA. ECJ C-340/21: immaterial damages also for fear-of-damage.

What does a professional DPA cost?

Lawyer fees: 800-3,000 EUR per DPA. Adjusting standard template: 200-800 EUR. Compliance-Kit GDPR Kit: 490-1,490 EUR once with template + assessment questionnaire.

DPA Template 2026: What Must Be Included, What Must Not (Art. 28 GDPR)

Published: 26 April 2026 · Last updated: 02 May 2026 · Category: GDPR

Practitioner note: This article is practice-oriented compliance documentation, not legal advice. We are compliance specialists, not a law firm. For legally binding advice, please consult a qualified attorney.

TL;DR

A DPA is mandatory for every processing on behalf — under Art. 28 (3) GDPR
8 mandatory contents: subject matter, duration, purpose, data types, obligations, confidentiality, sub-processing, TOMs
BayLDA 2024: Tax advisors are not processors — no DPA required
Schrems II / DPF annex mandatory for US sub-processors
Right-to-audit should be explicitly anchored

1. What is a DPA?

A Data Processing Agreement (DPA) is, under Art. 28 (3) GDPR, a mandatory contract between the controller and the processor. It governs the processing of personal data on behalf.

"Processing by a processor shall be governed by a contract or other legal act..." — Art. 28 (3) GDPR

If you do not want to draft the full set of documents from scratch, the GDPR Kit provides a DPA template contract, processor assessment questionnaire and processor inventory Excel.

2. When is a DPA required?

A DPA is required when three criteria converge:

An external party processes
personal data for you
on your instructions (no own processing interest)

Typical processor scenarios:

IT hosting (AWS, Azure, GCP, Hetzner)
Cloud software (Microsoft 365, Salesforce, HubSpot)
Newsletter tools (Mailchimp, Brevo, CleverReach)
Payroll service providers (often, not always)
IT maintenance providers with data access
Backup providers
SOC / external IT security

3. 8 mandatory contents under Art. 28 (3) GDPR

Mandatory content	Example
1. Subject matter + duration	"Hosting of the M365 tenant for Mustermann GmbH, contract duration 36 months"
2. Nature and purpose	"Storage of emails, documents, calendar data for business communication"
3. Data types + categories of data subjects	"Master data of employees, customer communication, sporadically Art. 9 data (cases of illness)"
4. Obligations + rights of the controller	Right to issue instructions, right-to-audit, notification of incidents
5. Confidentiality (lit. b)	Processor's employees sign confidentiality declaration
6. Sub-processing (lit. d)	List in advance + approval/objection procedure
7. Assistance with data subject rights (lit. e)	Responses to data subjects within 14 days
8. TOMs (lit. c) + audit (lit. h)	TOM annex + annual right to audit

4. 6 typical DPA mistakes

Generic 'template contract from the internet': does not cover your specific processing activities
Missing sub-processor list: Microsoft has ~80 sub-processors — all must be listed
Third-country transfer without SCC/DPF annex: mandatory for US tools (Mailchimp, Zoom, Salesforce)
Right-to-audit missing or ineffective ('with 6 months' advance notice')
Data return after contract termination not regulated
Version management: old DPA version from 2018 still in use despite new SCC 2021/914

5. Schrems II / DPF annex

For US processors or sub-processors in third countries: mandatory annex with:

Standard Contractual Clauses (SCC 2021/914) OR
DPF certification proof (for DPF-certified US companies)
Transfer Impact Assessment (TIA)
Additional technical measures (encryption, pseudonymisation)

6. BayLDA: What is not a DPA

Profession	Processor or independent controller?
Tax advisor	Independent controller (BayLDA 2024) — NO DPA
Auditor	Independent controller
Attorney	Independent controller (professional confidentiality)
Payroll accountant (external)	Generally processor — DPA required
Cloud hosting	Processor — DPA required
Mailing service provider (letter, parcel)	Independent controller

7. DPA checklist before signing

All 8 mandatory contents included?
Sub-processor list available + objection procedure regulated?
TOM annex specific (not just "appropriate TOMs")?
Third-country annex (SCC/DPF) for US sub-processors?
Right-to-audit contractually anchored?
Data return + deletion after contract termination regulated?
Version date + validity documented?
Both sides signed (digital signatures accepted)?

Sources

Regulation (EU) 2016/679 (GDPR) — Art. 28 processor agreement (As of: 2026-05-02)
Commission Decision (EU) 2023/1795 — EU-US Data Privacy Framework (As of: 2026-05-02)
CJEU C-340/21 — Art. 82 GDPR damages (As of: 2026-05-02)