A US founder builds a SaaS product. They hire a contractor in Bengaluru to handle customer-support tickets. The product has European customers. Six months later a data breach happens on the contractor’s side. A European customer files a complaint with the Irish Data Protection Commission. The DPC asks for the controller-processor agreement. The founder does not have one. The contractor has been processing personal data of people in the EU without a GDPR-compliant DPA. The fine exposure under GDPR Article 83(4) is up to EUR 10 million or 2 percent of worldwide annual turnover, whichever is higher.
This is one of the most common cross-border data-protection failures, and one of the most preventable. This guide walks through when a DPA is required, the terms it must contain under GDPR Article 28 and India’s DPDP Act 2023, the SCC overlay for international transfers, breach notification timelines, and a working DPA shell.
When a DPA is required
GDPR (EU and UK)
GDPR Article 28 (https://eur-lex.europa.eu/eli/reg/2016/679/oj) sets the guarantee requirement in Article 28(1):
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Article 28(3) then makes the contract itself mandatory:
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.
The trigger is processing personal data on behalf of the controller. The written contract is a legal requirement, not an optional best practice, and it must be in place before the processing starts.
The UK GDPR (the EU text retained in UK law after Brexit, read together with the Data Protection Act 2018) replicates Article 28 with minor wording differences. The UK ICO publishes its own guidance and template (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/contracts-and-data-sharing/).
India DPDP Act 2023
Under Section 8 of the Digital Personal Data Protection Act 2023:
A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract.
The contract requirement is explicit. Section 8 also imposes general obligations on the data fiduciary regardless of contract: implement reasonable security safeguards (Section 8(5)), notify the Data Protection Board and affected data principals of a breach (Section 8(6)), erase personal data on consent withdrawal or once the purpose is no longer being served (Section 8(7)), and establish a grievance redressal mechanism (Section 8(10)) (https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf).
The DPDP Rules, which fill in implementation detail including breach notification timelines, are being phased in. Where a contractor in India processes personal data on behalf of a global client, both GDPR (if data subjects in the EU are involved) and DPDP (because the processing takes place in India) apply, and the DPA has to satisfy both.
The when-do-I-need-one matrix
| Contractor work | Personal data touched? | DPA required? |
|---|---|---|
| Logo design with synthetic inputs | No | No |
| SEO content with generic topics | No | No |
| Customer support with ticket data | Yes | Yes |
| Engineering with access to user database | Yes | Yes |
| Payroll processing | Yes (employee data) | Yes |
| Marketing analytics using customer behavior data | Yes | Yes |
| Sales contractor with CRM access | Yes | Yes |
| Legal advisor reviewing employee complaints | Yes | Usually not a DPA: a law firm exercising independent professional judgment is generally an independent (or joint) controller rather than a processor, so a controller-to-controller data sharing agreement fits better |
The simplest test: if your contractor logs into any of your systems and sees identifiable user data, you need a DPA.
Required terms in a DPA
GDPR Article 28(3) lists eight required contractual terms. A DPA must require the processor to:
- Process only on documented instructions of the controller, including for transfers
- Ensure persons authorized to process are bound by confidentiality or under a statutory obligation
- Implement appropriate technical and organizational measures under Article 32 (encryption, access controls, resilience)
- Respect sub-processor conditions under Article 28(2) and (4) (prior authorization, flow-down of terms)
- Assist the controller with data subject rights requests under Articles 12-23
- Assist with security obligations under Articles 32-36 (breach, DPIA, prior consultation)
- Return or delete personal data at end of processing unless retention is legally required
- Make available all information necessary to demonstrate compliance and allow audits or inspections
A DPDP-compliant DPA layers in:
- Confirmation that the processor processes data only under the data fiduciary’s authority
- Implementation of reasonable security safeguards proportionate to the data sensitivity
- Cooperation with the data fiduciary’s grievance redressal and erasure obligations under DPDP Section 8
Standard Contractual Clauses for international transfers
A DPA is not enough if personal data crosses from the EU or UK to a non-adequate country.
The EU SCCs
Commission Implementing Decision (EU) 2021/914 of 4 June 2021 created the modern SCCs (https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj/eng). They come in four modules:
- Module 1: Controller to controller
- Module 2: Controller to processor (the contractor case)
- Module 3: Processor to processor
- Module 4: Processor to controller
For a US or EU controller using an Indian processor (contractor), Module 2 applies. Clause 14 of the 2021 SCCs carries the post-Schrems II transfer impact assessment requirement: before transferring, the parties must assess and document whether the destination country’s laws and practices (in particular government access to data) prevent the importer from honouring the clauses, and what supplementary safeguards are in place. Keep that assessment on file; a supervisory authority can ask for it.
The UK SCCs
The UK uses the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs. The UK Addendum is the more common pattern because it lets the parties layer UK-specific terms on top of the EU SCCs without negotiating a full new agreement.
When SCCs are not needed
If the destination country has an EU adequacy decision (UK, Switzerland, South Korea, Japan, and several others as of 2026; the United States only for organisations certified under the EU-US Data Privacy Framework), SCCs are not required. India does not have an adequacy decision. Most non-EU contractor relationships from the EU need SCCs.
Breach notification timelines
The breach clause is the operationally tightest part of a DPA. Get the timing wrong and the controller misses a regulatory deadline.
GDPR Article 33
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.
The processor obligation is in Article 33(2):
The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
“Without undue delay” is not defined. Best practice for a processor is 24 hours from awareness, giving the controller 48 hours to investigate and notify the supervisory authority within the 72-hour window. Strictly, the controller’s 72 hours run from when the controller becomes aware, which is normally the moment the processor tells it; counting from the processor’s awareness instead is the conservative convention, and it means a slow processor cannot eat into the controller’s window.
DPDP Section 8(6)
In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed.
The prescribed form and manner come from the DPDP Rules, which were notified in phases through 2025-2026. Plan for a notification obligation in the 24 to 72 hour range, with full incident detail required.
Sample breach clause
Personal Data Breach. Processor shall notify Controller of any actual or reasonably suspected Personal Data Breach without undue delay and in any event within 24 hours of becoming aware. The notification shall include the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach. Processor shall cooperate with Controller in any investigation and any notification to Supervisory Authorities or Data Subjects.
The 24-hour internal window gives the controller 48 hours of buffer before the GDPR 72-hour external deadline.
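The arithmetic above is easy to get wrong in practice: the processor logs awareness in IST, the controller’s incident channel runs in UTC or US time, and a naive timestamp read in the wrong zone shifts every deadline by hours. The script below is an added example, not code from this page or from Omnivoo. It assumes the 24-hour contractual window from the sample clause, the 72-hour window from Article 33(1), the conservative convention of starting both clocks at processor awareness, and a constructed scenario with a Bengaluru processor; the names `breach_clock`, `processor_notice_check` and `local_view` are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows from the page: 24h contractual (sample clause), 72h regulatory (GDPR Art. 33(1)).
PROCESSOR_WINDOW = timedelta(hours=24)
CONTROLLER_WINDOW = timedelta(hours=72)

# Fixed offsets so the example runs without a tz database. IST never observes DST;
# for zones that do (Europe/Dublin, US/Eastern) use zoneinfo.ZoneInfo in production.
IST = timezone(timedelta(hours=5, minutes=30), "IST")
GMT = timezone(timedelta(0), "GMT")  # Dublin in March, before DST starts


@dataclass(frozen=True)
class BreachClock:
    awareness_utc: datetime            # processor awareness, normalised to UTC
    processor_deadline_utc: datetime   # contractual notice to the controller due
    controller_deadline_utc: datetime  # supervisory-authority notice due (conservative start)


def _to_utc(ts: datetime, label: str) -> datetime:
    # Refuse naive timestamps: "10:00" logged in Bengaluru and read as UTC moves
    # every deadline by 5h30m, which is exactly how a 72-hour window gets missed.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{label} must be timezone-aware")
    return ts.astimezone(timezone.utc)


def breach_clock(processor_aware: datetime) -> BreachClock:
    """Start both clocks at processor awareness (the conservative assumption on the page)."""
    t0 = _to_utc(processor_aware, "processor_aware")
    return BreachClock(t0, t0 + PROCESSOR_WINDOW, t0 + CONTROLLER_WINDOW)


def processor_notice_check(processor_aware: datetime, notified_at: datetime) -> dict:
    """Did the processor meet the 24h clause, and how much of the 72h is left for the controller?"""
    clock = breach_clock(processor_aware)
    sent = _to_utc(notified_at, "notified_at")
    hours = lambda td: td.total_seconds() / 3600  # noqa: E731 (readability over lint)
    return {
        "within_24h": sent <= clock.processor_deadline_utc,
        "late_by_hours": max(hours(sent - clock.processor_deadline_utc), 0.0),
        "controller_hours_left": hours(clock.controller_deadline_utc - sent),
    }


def local_view(clock: BreachClock, tz) -> dict:
    """Render the deadlines in one party's local zone, ISO 8601 with explicit offset."""
    return {
        "processor_deadline": clock.processor_deadline_utc.astimezone(tz).isoformat(),
        "controller_deadline": clock.controller_deadline_utc.astimezone(tz).isoformat(),
    }


if __name__ == "__main__":
    # Constructed scenario: the Bengaluru contractor confirms the breach at 10:00 IST on 2 March 2026.
    aware = datetime(2026, 3, 2, 10, 0, tzinfo=IST)
    clock = breach_clock(aware)
    print("Controller view (Dublin):", local_view(clock, GMT))
    print("Processor view (Bengaluru):", local_view(clock, IST))
    # Notice sent 09:00 IST next day: inside the 24h clause, 49h left on the 72h clock.
    print(processor_notice_check(aware, datetime(2026, 3, 3, 9, 0, tzinfo=IST)))
    # Notice sent 12:00 IST next day: 2h late, 46h left for the controller.
    print(processor_notice_check(aware, datetime(2026, 3, 3, 12, 0, tzinfo=IST)))
    try:
        breach_clock(datetime(2026, 3, 2, 10, 0))  # naive timestamp is rejected
    except ValueError as exc:
        print("rejected:", exc)
```

Run it as a script to see the two views side by side; the point of `_to_utc` is that any incident record fed into the clock must carry its offset, so the processor’s ticketing export and the controller’s SIEM timeline can be compared without guessing.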
Sub-processors
Article 28(2) provides:
The processor shall not engage another processor without prior specific or general written authorisation of the controller.
Specific authorization names each sub-processor. General authorization permits sub-processors generally, with a change-notice obligation.
Sample sub-processor clause
Sub-Processors. Controller grants Processor general authorization to engage Sub-Processors listed in Annex C, subject to the conditions in this Clause. Processor shall notify Controller of any intended changes to Sub-Processors (additions or replacements) at least 30 calendar days before the change takes effect. Controller may object to a proposed Sub-Processor within 15 calendar days of notice on reasonable grounds related to data protection. If Controller objects, the parties shall negotiate in good faith. If no resolution is reached within 30 days, Controller may terminate the affected Services without penalty.
This pattern is common across vendor DPAs and gives the controller a real veto without making sub-processor engagement impossible.
DPA shell (working template)
Data Processing Addendum
This Data Processing Addendum (“DPA”) supplements the Services Agreement between Client (“Controller”) and Contractor (“Processor”). It governs Processor’s processing of Personal Data on Controller’s behalf and forms part of the Services Agreement.
1. Definitions. “Personal Data,” “Data Subject,” “Processing,” “Supervisory Authority,” and “Personal Data Breach” have the meanings given in GDPR Article 4. “Applicable Data Protection Law” means GDPR, the UK Data Protection Act 2018, and the Digital Personal Data Protection Act 2023 (India), as applicable.
2. Subject Matter and Duration. Processor processes Personal Data described in Annex A for the duration of the Services Agreement. Categories of Data Subjects, types of Personal Data, and purposes are specified in Annex A.
3. Controller Instructions. Processor shall process Personal Data only on documented instructions from Controller, including transfers to third countries. Processor shall inform Controller if an instruction violates Applicable Data Protection Law.
4. Confidentiality. Processor shall ensure that persons authorized to process Personal Data are bound by confidentiality obligations or under a statutory duty of confidence.
5. Security. Processor shall implement appropriate technical and organizational measures under GDPR Article 32, including those set out in Annex B (encryption at rest, encryption in transit, access controls, logging, vulnerability management, incident response).
6. Sub-Processors. Sub-processors listed in Annex C are authorized. Processor shall notify Controller of intended changes 30 days in advance. Controller may object on reasonable data protection grounds within 15 days. If no resolution is reached within 30 days, Controller may terminate the affected Services.
7. Data Subject Rights. Processor shall, taking into account the nature of processing, assist Controller by appropriate technical and organizational measures in responding to Data Subject requests under GDPR Articles 12-23.
8. Personal Data Breach. Processor shall notify Controller of any actual or reasonably suspected Personal Data Breach without undue delay and in any event within 24 hours of becoming aware. Notification shall include the information required under GDPR Article 33(3). Processor shall cooperate with Controller in any required notification to Supervisory Authorities or Data Subjects.
9. Return or Deletion. Upon termination, Processor shall return all Personal Data to Controller or delete it at Controller’s option, unless retention is required by Union or Member State law.
10. Audit. Processor shall make available to Controller all information necessary to demonstrate compliance and allow audits, including inspections, conducted by Controller or an auditor mandated by Controller. Controller shall give 30 days advance notice unless emergency circumstances justify shorter notice.
11. International Transfers. Where Processor processes Personal Data outside the European Economic Area or the United Kingdom, the parties shall execute the Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 (Module 2) and any required UK Addendum. Annex D contains the SCC-specific information.
12. India DPDP Compliance. Where Processor is established in India or processes Personal Data of Indian Data Principals, Processor shall comply with the obligations of a Data Processor under the Digital Personal Data Protection Act 2023 and the Rules thereunder.
Annexes A-D fill in the specifics for each engagement. This shell covers the GDPR Article 28 required terms, the DPDP Section 8 layer, and the SCC overlay for international transfers.
How Omnivoo handles DPAs
Omnivoo’s Contract Management product ships a default DPA template aligned with GDPR Article 28, DPDP Section 8, and the 2021 SCCs (Module 2) for EU controller-to-processor transfers. The template auto-attaches when the underlying contractor agreement involves processing of personal data, with annexes for data categories, security measures, sub-processors, and SCC information.
For broader contract structure where the DPA attaches, see drafting a SOW for US companies hiring global contractors. For contractor IP language that interacts with personal data ownership, see contractor IP assignment across US, India, and EU. The full Contract Management product handles the contract lifecycle including DPA execution and tracking.
Drafting checklist
- Is a DPA in place wherever the contractor processes personal data
- Does the DPA cover the eight required terms under GDPR Article 28(3)
- Does it include DPDP Section 8 obligations where India is involved
- Is the breach notification window set to 24 hours from awareness (well inside the 72-hour controller deadline)
- Are sub-processors listed with a 30-day change-notice and objection mechanism
- Are SCCs (Module 2) attached for EU-to-non-adequate-country transfers
- Is there a UK Addendum for UK-to-non-adequate-country transfers
- Are Annexes A-D filled in with engagement-specific data
- Is there an audit clause with reasonable notice
If you remember three things
- A DPA is mandatory whenever a contractor processes personal data on your behalf. GDPR Article 28 and DPDP Section 8 both require it as a written contract.
- The breach notification window in your DPA should be 24 hours from awareness. That gives you time to meet the 72-hour controller deadline under GDPR Article 33.
- SCCs are not optional for EU-to-India transfers. The 2021 SCCs (Module 2) plus a transfer impact assessment are the working pattern.
Data protection is the area where the cost of being wrong has climbed fastest. GDPR fines reach EUR 20 million or four percent of worldwide annual turnover at the top tier (Article 83(5)). DPDP penalties under the Schedule to the Act reach INR 250 crore for a failure to take reasonable security safeguards. A clean DPA at signing is the cheapest insurance you will buy. Skip it and the regulatory tail will find you.