
What DPA clauses must exist between sender and ESP?

GDPR Article 28 specifies mandatory elements for Data Processing Agreements. The DPA must define: the subject matter and duration of processing (what data, for what purpose, how long); the nature and purpose of processing (sending emails, tracking engagement, managing subscriptions); the types of personal data and categories of data subjects (email addresses, names, engagement data for your subscribers); and your obligations and rights as controller. These definitional clauses establish the scope and boundaries of the processing relationship.

The DPA must include specific processor obligations: processing only on your documented instructions; ensuring personnel are bound by confidentiality; implementing appropriate technical and organizational security measures; not engaging sub-processors without your authorization (and ensuring sub-processors are bound by equivalent obligations); assisting you with data subject requests and other compliance obligations; notifying you of data breaches without undue delay; deleting or returning data upon contract termination; and making available information necessary to demonstrate compliance, including allowing audits.

Beyond mandatory GDPR elements, well-drafted DPAs often include practical operational clauses: specific security standards or certifications the processor must maintain; breach notification timeframes (often faster than GDPR's "without undue delay"); liability allocation and indemnification terms; specifics about data location and cross-border transfers; service level agreements related to compliance functions; and procedures for handling regulatory inquiries or enforcement actions. Review your ESP's standard DPA carefully. Most major providers offer compliant templates, but you should verify coverage and negotiate enhanced terms if your risk profile requires it. The DPA is the legal foundation of your processor relationship. It must cover what GDPR requires and address the practical realities of your specific processing activities.