Fatskills
Practice. Master. Repeat.
Study Guide: Certified Information Privacy Professional (CIPP): EU Processor Obligations and Data Processing Agreements Art 28
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-eu-processor-obligations-and-data-processing-agreements-art-28

Certified Information Privacy Professional (CIPP): EU Processor Obligations and Data Processing Agreements Art 28

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~5 min read

CIPP/E – Processor Obligations & Data Processing Agreements (Art. 28 GDPR)


What This Is

Art. 28 of the GDPR sets out the duties a processor must fulfil when handling personal data on behalf of a controller. The cornerstone is the Data Processing Agreement (DPA) – a written contract that spells out the scope, security, sub‑processing, and accountability rules. Without a compliant DPA, any EU‑personal‑data transfer (e.g., a German‑based SaaS provider sending employee payroll data to a U.S. payroll‑service) is illegal and can trigger €20 million or 4 % of global turnover fines.


Key Terms & Provisions

  • Processor: The natural or legal person that processes personal data on behalf of the controller (GDPR, Art. 4(8)). Example: A cloud‑hosting company storing a retailer’s customer database.
  • Controller: The entity that determines the purposes and means of processing (GDPR, Art. 4(7)). Example: The retailer that decides which data to collect and why.
  • Data Processing Agreement (DPA): A written contract (or equivalent) required by Art. 28(3) that sets out the processor’s obligations, the controller’s instructions, and the technical‑organizational measures (TOMs).
  • Written Form (including electronic): “Written” under Art. 28 includes e‑mail, PDF, or any durable electronic format that can be reproduced (GDPR Recital 82).
  • Sub‑processor: Any third‑party engaged by the processor to carry out part of the processing. The processor must obtain prior written authorisation from the controller (Art. 28(2)(b)).
  • Technical & Organizational Measures (TOMs): Security safeguards (encryption, access controls, incident response) that must be appropriate to the risk (Art. 28(3)(c) & Art. 32).
  • Controller‑Directed Instructions: The processor may only act on documented instructions from the controller (Art. 28(3)(a)). Verbal orders are insufficient for compliance audits.
  • Return or Deletion of Data: Upon contract termination, the processor must return or securely delete all personal data (Art. 28(3)(g)).
  • Audit & Inspection Rights: The controller may audit the processor’s compliance (e.g., on‑site inspections, third‑party certifications) (Art. 28(3)(h)).
  • Liability & Indemnity: The processor is jointly liable with the controller for breaches caused by its non‑compliance (Art. 82 GDPR).
  • Cross‑Border Transfer Clause: If the processor transfers data outside the EEA, the DPA must embed a valid transfer mechanism (e.g., SCCs, BCRs) (Art. 28(9)).
  • Record‑Keeping (Art. 30): Processors must maintain a record of processing activities (ROPA) that includes categories of data, sub‑processors, and security measures.


Step‑by‑Step / Process Flow

  1. Identify the Relationship – Confirm that the third‑party is a processor (acts on your instructions) and not a joint controller.
  2. Draft / Review the DPA – Ensure it contains all Art. 28 mandatory clauses (purpose, duration, TOMs, sub‑processor consent, audit rights, data return/deletion).
  3. Conduct a Risk‑Based Security Review – Map the data flow, assess risks, and verify that the processor’s TOMs meet the risk‑based approach (Art. 32).
  4. Obtain Controller Approval for Sub‑processors – Document any sub‑processor list; get written consent before they start processing.
  5. Implement Ongoing Monitoring – Schedule periodic audits, request SOC‑2/ISO‑27001 reports, and monitor breach notifications per Art. 33/34.
  6. Terminate & Securely Delete – When the contract ends, verify that the processor has either returned the data or performed a certified deletion, and obtain a deletion certificate.

Common Mistakes

  • Mistake: Using a generic “terms of service” instead of a formal DPA.
    Correction: A DPA must be a stand‑alone contract (or annex) that meets Art. 28’s specific clauses; a TOS does not satisfy the legal requirement.

  • Mistake: Assuming verbal instructions are sufficient because the processor “knows what to do.”
    Correction: All instructions must be documented in writing; auditors will look for the exact wording to confirm compliance.

  • Mistake: Forgetting to audit sub‑processors after the controller’s approval.
    Correction: Controllers retain the right to audit any sub‑processor; maintain a log of audit outcomes and remedial actions.

  • Mistake: Over‑looking the data return/deletion clause, leading to leftover copies after the contract ends.
    Correction: Include a clear deletion certificate requirement and verify it before closing the engagement.

  • Mistake: Treating a cloud provider as a “mere host” and omitting a DPA.
    Correction: Even pure storage services are processors if they store personal data on your behalf; a DPA is mandatory.


CIPP Exam Insights

  1. Controller vs. Processor Obligations – Exams love to ask which party must conduct a DPIA. Answer: The controller (unless the processor decides the means, which is rare).
  2. Art. 28 Sub‑processor Consent – Remember that prior written authorisation is required; a “notice‑only” clause is not enough.
  3. Written Form Requirement – The exam may present an e‑mail DPA and ask if it satisfies Art. 28. Correct: Yes, electronic formats count as “written.”
  4. Cross‑Border Transfer Link – Art. 28(9) ties the DPA to the transfer mechanism. If the processor uses SCCs, the DPA must reference them; otherwise the transfer is invalid.

Quick Check Questions

  1. Scenario: A French e‑commerce site contracts a U.S. email‑marketing firm to send newsletters to EU customers. The contract only contains a “service level agreement.”
    Answer: Non‑compliant – a proper DPA with Art. 28 clauses (purpose, TOMs, sub‑processor consent, audit rights) is required.

  2. Scenario: The controller discovers the processor has engaged a new analytics sub‑processor without prior approval.
    Answer: The controller can suspend the processing and demand remedial action because Art. 28(2)(b) mandates prior written consent for any sub‑processor.

  3. Scenario: After a three‑year contract ends, the processor deletes the data but does not provide a deletion certificate.
    Answer: The controller should request a deletion certificate; without it, the processor may be in breach of Art. 28(3)(g).


Last‑Minute Cram Sheet (10 One‑Liners)

  1. Art. 28(3) – Mandatory DPA clauses – purpose, duration, TOMs, sub‑processor consent, audit, deletion.
  2. ⚠️ “Written” includes e‑mail, PDF, or any durable electronic format (Recital 82).
  3. Sub‑processor = prior written authorisation (Art. 28(2)(b)).
  4. Processor liability = joint & several with controller (Art. 82).
  5. Cross‑border transfer clause = must reference SCCs/BCRs (Art. 28(9)).
  6. TOMs must be “appropriate to the risk” – risk‑based, not one‑size‑fits‑all (Art. 32).
  7. Controller‑directed instructions must be documented – verbal orders are insufficient.
  8. ROPA requirement for processors – record of processing activities (Art. 30).
  9. Termination clause = return or delete data + deletion certificate (Art. 28(3)(g)).
  10. Audit rights = controller may conduct on‑site or request certifications (Art. 28(3)(h)).

Keep these points handy, and you’ll be ready to ace the processor‑obligations portion of the CIPP/E exam!



ADVERTISEMENT