By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
CIPP/E – Processor Obligations & Data Processing Agreements (Art. 28 GDPR)
Art. 28 of the GDPR sets out the duties a processor must fulfil when handling personal data on behalf of a controller. The cornerstone is the Data Processing Agreement (DPA) – a written contract that spells out the scope, security, sub‑processing, and accountability rules. Without a compliant DPA, any EU‑personal‑data transfer (e.g., a German‑based SaaS provider sending employee payroll data to a U.S. payroll‑service) is illegal and can trigger €20 million or 4 % of global turnover fines.
Mistake: Using a generic “terms of service” instead of a formal DPA. Correction: A DPA must be a stand‑alone contract (or annex) that meets Art. 28’s specific clauses; a TOS does not satisfy the legal requirement.
Mistake: Assuming verbal instructions are sufficient because the processor “knows what to do.” Correction: All instructions must be documented in writing; auditors will look for the exact wording to confirm compliance.
Mistake: Forgetting to audit sub‑processors after the controller’s approval. Correction: Controllers retain the right to audit any sub‑processor; maintain a log of audit outcomes and remedial actions.
Mistake: Over‑looking the data return/deletion clause, leading to leftover copies after the contract ends. Correction: Include a clear deletion certificate requirement and verify it before closing the engagement.
Mistake: Treating a cloud provider as a “mere host” and omitting a DPA. Correction: Even pure storage services are processors if they store personal data on your behalf; a DPA is mandatory.
Scenario: A French e‑commerce site contracts a U.S. email‑marketing firm to send newsletters to EU customers. The contract only contains a “service level agreement.” Answer: Non‑compliant – a proper DPA with Art. 28 clauses (purpose, TOMs, sub‑processor consent, audit rights) is required.
Scenario: The controller discovers the processor has engaged a new analytics sub‑processor without prior approval. Answer: The controller can suspend the processing and demand remedial action because Art. 28(2)(b) mandates prior written consent for any sub‑processor.
Scenario: After a three‑year contract ends, the processor deletes the data but does not provide a deletion certificate. Answer: The controller should request a deletion certificate; without it, the processor may be in breach of Art. 28(3)(g).
Keep these points handy, and you’ll be ready to ace the processor‑obligations portion of the CIPP/E exam!
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.