Living guide

GDPR Data Processing Agreement (DPA) requirements by country

Under GDPR Article 28, any business that uses a processor needs a Data Processing Agreement. The mandatory clauses are EU-wide; supervisory-authority expectations vary by country. This page tracks both, updated quarterly.

Last reviewed 11 July 2026 · updated quarterly

CountrySupervisory authority / national noteStatusBasis
DEGermanyFederal BfDI plus 16 Länder authorities; German guidance is notably strict on technical and organisational measures (TOMs). Confirm with the authority for your Land.In forceArt. 28(3) GDPR
FRFranceCNIL is the supervisory authority; it publishes DPA guidance and model processing clauses. Verify against current CNIL guidance.In forceArt. 28(3) GDPR
ESSpainAEPD is the supervisory authority and issues detailed processor guidance. Confirm requirements against the AEPD.In forceArt. 28(3) GDPR
NLNetherlandsAutoriteit Persoonsgegevens (AP) is the supervisory authority. The Article 28 clause set applies; check AP guidance for national emphasis.In forceArt. 28(3) GDPR
IEIrelandThe Data Protection Commission (DPC) supervises many large processors headquartered in Ireland; its enforcement decisions shape processor practice EU-wide.In forceArt. 28(3) GDPR
BEBelgiumThe Belgian Data Protection Authority (APD/GBA) is the supervisory authority. Article 28 clauses apply uniformly; check APD/GBA guidance.In forceArt. 28(3) GDPR
DKDenmarkDatatilsynet is the supervisory authority and has published DPA templates and guidance. Verify against current Datatilsynet guidance.In forceArt. 28(3) GDPR
SESwedenIMY (Integritetsskyddsmyndigheten) is the supervisory authority and an active enforcer in the Nordics. Article 28 clauses apply; check IMY guidance.In forceArt. 28(3) GDPR

Each key date links to the authority it was verified against. Announced dates move — always confirm at source.

FAQ

What must a GDPR DPA contain?
GDPR Article 28(3) requires the DPA to set out the subject-matter, duration, nature and purpose of processing, the type of personal data and categories of data subjects, and the controller's obligations — plus binding clauses on confidentiality, security, sub-processing, assistance, deletion, and audits.
Do I need a different DPA for each EU country?
No — the Article 28 clause requirements are uniform across the EU, so one well-drafted DPA generally works EU-wide. National supervisory authorities differ in guidance and enforcement emphasis, not in the mandatory clauses.
Who enforces the DPA rules in my country?
Your national supervisory authority — the CNIL in France, the BfDI and Länder authorities in Germany, the AEPD in Spain, and so on. The row above links the official register; check your authority's own guidance for national emphasis.
Does miniterms give me legal advice on my DPA?
No. miniterms generates a structured DPA from your inputs as general information, not individualised legal advice. Review it against your supervisory authority's guidance, and consult a professional before relying on it for a specific situation.

Disclaimer

General information compiled from public sources, not individualised legal advice. Confirm requirements with your supervisory authority or counsel before relying on them.