What you need to know.
Article 28 GDPR requires a controller and a processor (see GDPR Toolkit 09) to enter into a data processing agreement. Companies can only rely on processors who offer sufficient guarantees to implement appropriate technical and organisational measures so as to ensure that the processing complies with the GDPR. These measures must be contained in an agreement.
The GDPR does not define the specific form in which the agreement must be concluded; it simply has to be a legally binding document (under national law). Processors selling products to thousands of customers will often work with unilaterally imposed conditions that they make available through their website.
It is important to keep in mind that a controller/processor relationship may also exist between the different entities within a group of companies. In that context as well, the necessary agreements must be concluded in accordance with Article 28 GDPR.