Certified Information Privacy Professional (CIPP): EU - Processor Obligations and Data Processing Agreements, Art. 28

CIPP/E – Processor Obligations & Data Processing Agreements (Art.?28 GDPR)

What This Is

Art.?28 of the GDPR sets out the duties a processor must fulfil when handling personal data on behalf of a controller. The cornerstone is the Data Processing Agreement (DPA) – a written contract that spells out the scope, security, sub?processing, and accountability rules. Without a compliant DPA, any EU?personal?data transfer (e.g., a German?based SaaS provider sending employee payroll data to a U.S. payroll?service) is illegal and can trigger €20?million or 4?% of global turnover fines.

Key Terms & Provisions

• Processor: The natural or legal person that processes personal data on behalf of the controller (GDPR, Art.?4(8)). Example: A cloud?hosting company storing a retailer’s customer database.
• Controller: The entity that determines the purposes and means of processing (GDPR, Art.?4(7)). Example: The retailer that decides which data to collect and why.
• Data Processing Agreement (DPA): A written contract (or equivalent) required by Art.?28(3) that sets out the processor’s obligations, the controller’s instructions, and the technical?organizational measures (TOMs).
• Written Form (including electronic): “Written” under Art.?28 includes e?mail, PDF, or any durable electronic format that can be reproduced (GDPR Recital?82).
• Sub?processor: Any third?party engaged by the processor to carry out part of the processing. The processor must obtain prior written authorisation from the controller (Art.?28(2)(b)).
• Technical & Organizational Measures (TOMs): Security safeguards (encryption, access controls, incident response) that must be appropriate to the risk (Art.?28(3)(c) & Art.?32).
• Controller?Directed Instructions: The processor may only act on documented instructions from the controller (Art.?28(3)(a)). Verbal orders are insufficient for compliance audits.
• Return or Deletion of Data: Upon contract termination, the processor must return or securely delete all personal data (Art.?28(3)(g)).
• Audit & Inspection Rights: The controller may audit the processor’s compliance (e.g., on?site inspections, third?party certifications) (Art.?28(3)(h)).
• Liability & Indemnity: The processor is jointly liable with the controller for breaches caused by its non?compliance (Art.?82 GDPR).
• Cross?Border Transfer Clause: If the processor transfers data outside the EEA, the DPA must embed a valid transfer mechanism (e.g., SCCs, BCRs) (Art.?28(9)).
• Record?Keeping (Art.?30): Processors must maintain a record of processing activities (ROPA) that includes categories of data, sub?processors, and security measures.

Step?by?Step / Process Flow

1. Identify the Relationship – Confirm that the third?party is a processor (acts on your instructions) and not a joint controller.
2. Draft / Review the DPA – Ensure it contains all Art.?28 mandatory clauses (purpose, duration, TOMs, sub?processor consent, audit rights, data return/deletion).
3. Conduct a Risk?Based Security Review – Map the data flow, assess risks, and verify that the processor’s TOMs meet the risk?based approach (Art.?32).
4. Obtain Controller Approval for Sub?processors – Document any sub?processor list; get written consent before they start processing.
5. Implement Ongoing Monitoring – Schedule periodic audits, request SOC?2/ISO?27001 reports, and monitor breach notifications per Art.?33/34.
6. Terminate & Securely Delete – When the contract ends, verify that the processor has either returned the data or performed a certified deletion, and obtain a deletion certificate.

Common Mistakes

• Mistake: Using a generic “terms of service” instead of a formal DPA.
  Correction: A DPA must be a stand?alone contract (or annex) that meets Art.?28’s specific clauses; a TOS does not satisfy the legal requirement.

• Mistake: Assuming verbal instructions are sufficient because the processor “knows what to do.”
  Correction: All instructions must be documented in writing; auditors will look for the exact wording to confirm compliance.

• Mistake: Forgetting to audit sub?processors after the controller’s approval.
  Correction: Controllers retain the right to audit any sub?processor; maintain a log of audit outcomes and remedial actions.

• Mistake: Over?looking the data return/deletion clause, leading to leftover copies after the contract ends.
  Correction: Include a clear deletion certificate requirement and verify it before closing the engagement.

• Mistake: Treating a cloud provider as a “mere host” and omitting a DPA.
  Correction: Even pure storage services are processors if they store personal data on your behalf; a DPA is mandatory.

CIPP Exam Insights

1. Controller vs. Processor Obligations – Exams love to ask which party must conduct a DPIA. Answer: The controller (unless the processor decides the means, which is rare).
2. Art.?28 Sub?processor Consent – Remember that prior written authorisation is required; a “notice?only” clause is not enough.
3. Written Form Requirement – The exam may present an e?mail DPA and ask if it satisfies Art.?28. Correct: Yes, electronic formats count as “written.”
4. Cross?Border Transfer Link – Art.?28(9) ties the DPA to the transfer mechanism. If the processor uses SCCs, the DPA must reference them; otherwise the transfer is invalid.

Quick Check Questions

1. Scenario: A French e?commerce site contracts a U.S. email?marketing firm to send newsletters to EU customers. The contract only contains a “service level agreement.”
   Answer: Non?compliant – a proper DPA with Art.?28 clauses (purpose, TOMs, sub?processor consent, audit rights) is required.

2. Scenario: The controller discovers the processor has engaged a new analytics sub?processor without prior approval.
   Answer: The controller can suspend the processing and demand remedial action because Art.?28(2)(b) mandates prior written consent for any sub?processor.

3. Scenario: After a three?year contract ends, the processor deletes the data but does not provide a deletion certificate.
   Answer: The controller should request a deletion certificate; without it, the processor may be in breach of Art.?28(3)(g).

Last?Minute Cram Sheet (10 One?Liners)

1. Art.?28(3) – Mandatory DPA clauses – purpose, duration, TOMs, sub?processor consent, audit, deletion.
2. “Written” includes e?mail, PDF, or any durable electronic format (Recital?82).
3. Sub?processor = prior written authorisation (Art.?28(2)(b)).
4. Processor liability = joint & several with controller (Art.?82).
5. Cross?border transfer clause = must reference SCCs/BCRs (Art.?28(9)).
6. TOMs must be “appropriate to the risk” – risk?based, not one?size?fits?all (Art.?32).
7. Controller?directed instructions must be documented – verbal orders are insufficient.
8. ROPA requirement for processors – record of processing activities (Art.?30).
9. Termination clause = return or delete data + deletion certificate (Art.?28(3)(g)).
10. Audit rights = controller may conduct on?site or request certifications (Art.?28(3)(h)).

Keep these points handy, and you’ll be ready to ace the processor?obligations portion of the CIPP/E exam!