GDPR Article 28-01: Processor Contracts & Data Processing Agreements
Data processors must operate under legally binding contracts that clearly define the scope, duration, nature, and purpose of processing activities. Without enforceable processor agreements, your organisation risks substantial GDPR fines and loses contractual recourse if a processor fails to meet data protection obligations. This control ensures every third-party processor handling personal data is bound by terms that mandate appropriate safeguards.
What this means
GDPR Article 28 requires that any organisation engaging a data processor must establish a binding contract or legal act governing the processing relationship. This agreement must specify: the subject-matter and duration of processing, the nature and purpose of processing, the type of personal data, categories of data subjects, and obligations and rights of the controller. The contract must also ensure the processor implements sufficient technical and organisational measures to meet GDPR requirements, including data security, confidentiality, integrity controls, and incident response procedures.
How to comply
- 1.Identify all third-party processors that access, store, or handle personal data across your organisation
- 2.Develop or obtain Data Processing Agreements (DPAs) that include mandatory GDPR Article 28 clauses covering processing scope, duration, nature, and purpose
- 3.Ensure contracts specify the processor's obligations to implement appropriate technical and organisational security measures
- 4.Include provisions for sub-processor management, audit rights, data subject rights assistance, and data return or deletion upon termination
- 5.Document the processor's technical and organisational capabilities before engagement (security certifications, ISO 27001, SOC 2, etc.)
- 6.Maintain a register of all active processors and their corresponding signed Data Processing Agreements
- 7.Review and update processor contracts annually or when processing scope changes
- 8.Establish a process to notify processors of new data protection requirements and verify compliance updates
Evidence auditors look for
- Signed Data Processing Agreements with all cloud providers, SaaS vendors, and third-party service providers
- Documented processor assessment records showing evaluation of technical and organisational measures before engagement
- Processor register listing all active processors, processing scope, and contract effective dates
- DPA templates that include mandatory GDPR Article 28 clauses and Standard Contractual Clauses (SCCs) for international transfers
- Annual processor compliance reviews and audit reports verifying ongoing security controls
- Sub-processor notification and management logs showing oversight of downstream processors
- Processor contract amendments documenting scope changes and updated security obligations
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates processor contract tracking and DPA lifecycle management, flagging unsigned agreements, expiration dates, and compliance gaps so you maintain enforceable processor relationships without manual tracking.
See how GRCWatch handles this control automatically
Start free trial