Artifact GuideEU GDPR

GDPR Article 28 Processor contracts and vendor management

Build processor due diligence around Article 28: role classification, required contract clauses, sub-processor approval, audit rights, return or deletion, and evidence that the vendor can meet the controller's instructions.

Use SCC transfer clauses only when the processing chain includes a Chapter V transfer, and keep that transfer record tied to the same vendor and sub-processor inventory.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Article 28 vendor management is not a procurement checklist with privacy language attached. For each service that processes personal data on behalf of a controller, the record should show why the supplier is a processor or sub-processor, which processing instructions apply, which Article 28 clauses govern the work, what evidence demonstrates sufficient guarantees, and whether any onward transfer needs Chapter V safeguards.

Section 1

Classify the vendor role before reviewing the contract

Start with the processing activity, not the supplier name. A service provider is a processor only for processing it performs on behalf of the controller and under the controller's documented instructions. If the supplier determines its own purposes and essential means for a separate activity, treat that activity as controller-to-controller or joint-controller analysis instead of forcing it into an Article 28 processor contract.

The contract label is evidence, but it is not enough. The role record should identify the processing purpose, the data categories, the data-subject categories, who decides the purpose, who sets the essential means, and which decisions are left to the vendor as non-essential implementation choices.

  • Separate each vendor service into processing activities; one vendor can have processor and independent-controller roles for different activities.
  • Record the controller's documented instructions and the vendor activities that are outside those instructions.
  • Escalate any vendor use of personal data for its own analytics, product improvement, marketing, or unrelated service purposes before signing processor terms.
  • If a processor determines purposes and means for the processing, record that Article 28 treats it as a controller for that processing.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 28 requires processors to act on documented instructions and treats a processor that determines purposes and means as a controller for that processing.
Section 2

Turn Article 28 into contract clauses that can be checked

A processor contract or other binding legal act must set out the subject matter and duration of the processing, nature and purpose, personal-data types, data-subject categories, and the controller's obligations and rights. Those details should be populated for the actual service, not copied as empty GDPR recital language.

The operational clauses should cover documented instructions, confidentiality for authorised personnel, Article 32 security measures, sub-processor conditions, assistance with data-subject rights, assistance with Articles 32 to 36 obligations, deletion or return at the end of services, and audit or inspection support.

  • Attach a processing appendix that names the service, systems, data flows, categories of personal data, categories of data subjects, processing duration, and retention or deletion endpoint.
  • Keep the instruction mechanism explicit: who may issue instructions, accepted formats, change approval, emergency instructions, and how refused or unlawful instructions are handled.
  • Translate security from generic assurances into the measures or security objectives the processor must implement and the evidence the controller can review.
  • Include a termination workflow for return or deletion of personal data and existing copies unless Union or Member State law requires storage.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 28(3) lists the required processor-contract content, including instructions, confidentiality, security, assistance, deletion or return, and audits.
Commission Implementing Decision (EU) 2021/915
The Commission controller-processor standard clauses provide a structured Article 28 clause set for instructions, purpose limitation, security, audits, sub-processors, international transfers, assistance, breach support, and termination.
Section 3

Collect vendor evidence for sufficient guarantees

Article 28 requires the controller to use only processors that provide sufficient guarantees to implement appropriate technical and organisational measures. Vendor evidence should therefore prove the processor can perform the instructed processing in a way that meets GDPR requirements and protects data-subject rights.

Evidence should be tied to the exact processing activity. A generic security certificate, standard policy, or marketing claim can support the record, but it should not replace evidence of the service configuration, processor obligations, sub-processor chain, audit pathway, and incident cooperation that apply to the controller's data.

  • Save the signed processor terms or Article 28 clause annex, the completed processing description, and the current instruction record.
  • Keep security evidence that maps to the processing risk, such as technical and organisational measures, access controls, encryption or segregation design, audit reports, certifications, and remediation status.
  • Maintain evidence of confidentiality commitments for authorised personnel and access limited to what is needed for the contracted processing.
  • Retain processor responses on data-subject-request support, breach notification support, DPIA or prior-consultation assistance where relevant, deletion or return, and audit cooperation.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 28(1) requires sufficient guarantees, and Article 28(3)(h) requires information necessary to demonstrate compliance and allow or contribute to audits.
Commission Implementing Decision (EU) 2021/915
The controller-processor standard clauses include documentation, audit, security-measure annex, assistance, and breach-support structures that can be reused as evidence fields.
Section 4

Control sub-processors and processor-chain changes

A processor may not engage another processor without the controller's prior specific or general written authorisation. If general authorisation is used, the processor must inform the controller of intended additions or replacements so the controller can object before the change takes effect.

Sub-processor management should be an active inventory, not a one-time list at signature. The record should show each sub-processor's processing activity, location or transfer relevance, approval status, notice date, objection window, contract flow-down, and whether the initial processor remains accountable for the sub-processor's performance.

  • Choose and document the approval model: specific written authorisation for named sub-processors or general written authorisation with a change-notice and objection process.
  • Require the processor to impose, by contract or other legal act, the same data-protection obligations on sub-processors for the relevant processing.
  • Keep copies or review evidence of sub-processor terms where available, with redactions limited to confidential information that does not hide privacy obligations.
  • Block onboarding when a new sub-processor changes the processing purpose, data categories, security posture, transfer route, or assistance commitments beyond the approved instructions.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 28(2) and 28(4) set the written authorisation, change-notice, objection, flow-down, and initial-processor-liability rules for sub-processors.
Commission Implementing Decision (EU) 2021/915
Clause 7.7 of the controller-processor standard clauses provides specific and general authorisation options and a sub-processor annex model.
Section 5

Add SCC transfer clauses only where the vendor chain creates a Chapter V transfer

A processor contract is not automatically an international-transfer mechanism. If the processor or a sub-processor transfers personal data to a third country or international organisation, the controller should connect the Article 28 instructions to the Chapter V transfer tool used for that transfer.

Where SCCs are used for a transfer, keep the selected module, parties, data categories, transfer description, onward-transfer controls, and supplementary safeguards with the vendor record. The transfer clauses can sit inside a wider vendor agreement, but they should not contradict the SCCs or weaken data-subject protections.

Does every vendor need a GDPR processor contract?

No. Article 28 applies when a separate vendor processes personal data on behalf of the controller. If the vendor determines its own purposes and essential means for a separate processing activity, the team should assess controller or joint-controller roles instead of using processor terms as a shortcut.

What evidence should a controller keep for a GDPR processor?

Keep the signed Article 28 terms, completed processing description, documented instructions, security-measure evidence, confidentiality and access evidence, sub-processor approvals, audit or review evidence, assistance commitments, breach-support process, and return-or-deletion record.

When do SCCs belong in the vendor file?

SCCs belong in the vendor file when the vendor or an approved sub-processor creates a Chapter V transfer and SCCs are the selected transfer safeguard. The SCC record should identify the transfer route, parties, module, data categories, onward-transfer limits, and any supplementary safeguards.

  • Mark whether the vendor processing stays inside the EEA, uses an adequacy route, or relies on Article 46 safeguards such as Commission SCCs.
  • For processor or sub-processor transfers, check that the Article 28 instructions permit the transfer and that the SCC parties and modules match the actual exporter/importer roles.
  • Keep transfer evidence aligned with the sub-processor inventory so onward processing does not happen outside the approved chain.
  • Do not use SCC language as a substitute for the Article 28 processor clauses; the two controls answer different questions unless the Commission clauses expressly cover both.
Sources for this answer
Commission Implementing Decision (EU) 2021/914
The Commission transfer SCC decision explains that SCCs provide Article 46 safeguards for third-country transfers and use modules for different controller and processor role combinations.
European Commission - Standard Contractual Clauses
The Commission SCC page describes modernised SCCs for transfers from controllers or processors in the EU/EEA, or otherwise subject to the GDPR, to controllers or processors outside the EU/EEA and not subject to the GDPR.
Regulation (EU) 2016/679 (GDPR)
Article 28(3)(a) requires documented instructions for transfers, and Chapter V governs transfers to third countries or international organisations.
Recommended next step

Review Article 28 clauses, sub-processors, and SCC transfer records together

Sorena can help convert vendor questionnaires, processor terms, SCCs, and sub-processor notices into a cited Article 28 evidence record for privacy, legal, security, and procurement teams.

Research workflow
Open Research Copilot for EU GDPR

Ask source-linked questions about Article 28 clauses, controller-processor roles, sub-processors, vendor evidence, and SCC transfer records using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through implementation

Review your processor contract inventory, vendor evidence gaps, and international-transfer clauses with Sorena.

Explore next step
Primary sources

References and citations

Commission Implementing Decision (EU) 2021/914
eur-lex.europa.eu
Referenced sections
  • The Commission transfer SCC decision explains that SCCs provide Article 46 safeguards for third-country transfers and use modules for different controller and processor role combinations.
"modular approach"
Commission Implementing Decision (EU) 2021/915
eur-lex.europa.eu
Referenced sections
  • Clause 7.7 of the controller-processor standard clauses provides specific and general authorisation options and a sub-processor annex model.
"Use of sub-processors"
European Commission - Standard Contractual Clauses
commission.europa.eu
Referenced sections
  • The Commission SCC page describes modernised SCCs for transfers from controllers or processors in the EU/EEA, or otherwise subject to the GDPR, to controllers or processors outside the EU/EEA and not subject to the GDPR.
"Standard Contractual Clauses"
Regulation (EU) 2016/679 (GDPR)
eur-lex.europa.eu
Referenced sections
  • Article 28(3)(a) requires documented instructions for transfers, and Chapter V governs transfers to third countries or international organisations.
"transfers of personal data"
Related guides

Explore more topics

Does the EU GDPR apply outside the EU under Article 3?
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
EU GDPR Article 30 RoPA Intake Workflow
Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
EU GDPR Article 6 Legal Bases FAQ
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence
source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow
Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers
Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers
Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
EU GDPR Controller, Processor, and Joint Controller Roles
source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
EU GDPR Data Subject Rights and DSAR Workflow
source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
EU GDPR deadlines and compliance calendar
source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
EU GDPR DPIA and Prior Consultation Workflow
Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
EU GDPR DPIA and risk management under Articles 35 and 36
EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
EU GDPR DSAR Exceptions: refusal, extensions, identity checks
FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
EU GDPR International Transfers and SCCs: Chapter V evidence guide
source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
EU GDPR Lawful Basis and Consent Guide
Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
EU GDPR Lead Supervisory Authority and One-Stop-Shop
How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
EU GDPR penalties and fines: Article 83 tiers and evidence
EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers
Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
EU GDPR Retention and Erasure Schedule
Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
EU GDPR SCC Transfer Impact Assessment FAQ
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
EU GDPR vs California CCPA: grounded GDPR comparison limits
Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
GDPR processor vs controller: role boundaries and evidence
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
When does the EU GDPR require a DPIA?
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
When does the GDPR 72-hour breach notification clock start?
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.