Data Processing Agreement (DPA) — Step 1 of 10 — Online Contracts UK
🛡️ Data Processing Agreement (DPA)
Controller
ℹ️ Data Processing Agreements — Legal background

UK GDPR Article 28 requires a written DPA between any controller and processor. Without one, both parties risk regulatory action. The DPA must specify the subject-matter, duration, nature, and purpose of processing.

  • Mandatory under UK GDPR Article 28 — no DPA = breach
  • Processor may only process on documented instructions
  • Sub-processors require controller authorisation
  • Processor must assist with DSARs, DPIAs, and breach notification
  • ICO can fine up to £17.5m or 4% of global turnover

Legal reference: UK GDPR Article 28; Data Protection Act 2018
