Data Privacy Laws and Regulations

Certified Information Privacy Professional (CIPP): EU - Processor Obligations and Data Processing Agreements, Art. 28




CIPP/E – Processor Obligations & Data Processing Agreements (Art. 28 GDPR)


What This Is

Art. 28 of the GDPR sets out the duties a processor must fulfil when handling personal data on behalf of a controller. The cornerstone is the Data Processing Agreement (DPA) – a written contract that spells out the scope, security, sub-processing, and accountability rules. Without a compliant DPA, any EU personal-data transfer (e.g., a German-based SaaS provider sending employee payroll data to a U.S. payroll service) is illegal and can trigger fines of €20 million or 4 % of global turnover.


Key Terms & Provisions

  • Processor: The natural or legal person that processes personal data on behalf of the controller (GDPR, Art. 4(8)). Example: A cloud-hosting company storing a retailer’s customer database.
  • Controller: The entity that determines the purposes and means of processing (GDPR, Art. 4(7)). Example: The retailer that decides which data to collect and why.
  • Data Processing Agreement (DPA): A written contract (or equivalent) required by Art. 28(3) that sets out the processor’s obligations, the controller’s instructions, and the technical and organizational measures (TOMs).
  • Written Form (including electronic): “Written” under Art. 28 includes e-mail, PDF, or any durable electronic format that can be reproduced (GDPR Recital 82).
  • Sub-processor: Any third party engaged by the processor to carry out part of the processing. The processor must obtain prior written authorisation from the controller (Art. 28(2)(b)).
  • Technical & Organizational Measures (TOMs): Security safeguards (encryption, access controls, incident response) that must be appropriate to the risk (Art. 28(3)(c) & Art. 32).
  • Controller-Directed Instructions: The processor may only act on documented instructions from the controller (Art. 28(3)(a)). Verbal orders are insufficient for compliance audits.
  • Return or Deletion of Data: Upon contract termination, the processor must return or securely delete all personal data (Art. 28(3)(g)).
  • Audit & Inspection Rights: The controller may audit the processor’s compliance (e.g., on-site inspections, third-party certifications) (Art. 28(3)(h)).
  • Liability & Indemnity: The processor is jointly liable with the controller for breaches caused by its non-compliance (Art. 82 GDPR).
  • Cross-Border Transfer Clause: If the processor transfers data outside the EEA, the DPA must embed a valid transfer mechanism (e.g., SCCs, BCRs) (Art. 28(9)).
  • Record-Keeping (Art. 30): Processors must maintain a record of processing activities (ROPA) that includes categories of data, sub-processors, and security measures.

Step-by-Step / Process Flow

  1. Identify the Relationship – Confirm that the third party is a processor (acts on your instructions) and not a joint controller.
  2. Draft / Review the DPA – Ensure it contains all Art. 28 mandatory clauses (purpose, duration, TOMs, sub-processor consent, audit rights, data return/deletion).
  3. Conduct a Risk-Based Security Review – Map the data flow, assess risks, and verify that the processor’s TOMs meet the risk-based approach (Art. 32).
  4. Obtain Controller Approval for Sub-processors – Document any sub-processor list; get written consent before they start processing.
  5. Implement Ongoing Monitoring – Schedule periodic audits, request SOC 2/ISO 27001 reports, and monitor breach notifications per Art. 33/34.
  6. Terminate & Securely Delete – When the contract ends, verify that the processor has either returned the data or performed a certified deletion, and obtain a deletion certificate.

Common Mistakes

  • Mistake: Using a generic “terms of service” instead of a formal DPA.
    Correction: A DPA must be a stand-alone contract (or annex) that meets Art. 28’s specific clauses; a TOS does not satisfy the legal requirement.

  • Mistake: Assuming verbal instructions are sufficient because the processor “knows what to do.”
    Correction: All instructions must be documented in writing; auditors will look for the exact wording to confirm compliance.

  • Mistake: Forgetting to audit sub-processors after the controller’s approval.
    Correction: Controllers retain the right to audit any sub-processor; maintain a log of audit outcomes and remedial actions.

  • Mistake: Overlooking the data return/deletion clause, leading to leftover copies after the contract ends.
    Correction: Include a clear deletion certificate requirement and verify it before closing the engagement.

  • Mistake: Treating a cloud provider as a “mere host” and omitting a DPA.
    Correction: Even pure storage services are processors if they store personal data on your behalf; a DPA is mandatory.


CIPP Exam Insights

  1. Controller vs. Processor Obligations – Exams love to ask which party must conduct a DPIA. Answer: The controller (unless the processor decides the means, which is rare).
  2. Art. 28 Sub-processor Consent – Remember that prior written authorisation is required; a “notice-only” clause is not enough.
  3. Written Form Requirement – The exam may present an e-mail DPA and ask if it satisfies Art. 28. Correct: Yes, electronic formats count as “written.”
  4. Cross-Border Transfer Link – Art. 28(9) ties the DPA to the transfer mechanism. If the processor uses SCCs, the DPA must reference them; otherwise the transfer is invalid.

Quick Check Questions

  1. Scenario: A French e-commerce site contracts a U.S. email-marketing firm to send newsletters to EU customers. The contract only contains a “service level agreement.”
    Answer: Non-compliant – a proper DPA with Art. 28 clauses (purpose, TOMs, sub-processor consent, audit rights) is required.

  2. Scenario: The controller discovers the processor has engaged a new analytics sub-processor without prior approval.
    Answer: The controller can suspend the processing and demand remedial action because Art. 28(2)(b) mandates prior written consent for any sub-processor.

  3. Scenario: After a three-year contract ends, the processor deletes the data but does not provide a deletion certificate.
    Answer: The controller should request a deletion certificate; without it, the processor may be in breach of Art. 28(3)(g).


Last-Minute Cram Sheet (10 One-Liners)

  1. Art. 28(3) – Mandatory DPA clauses – purpose, duration, TOMs, sub-processor consent, audit, deletion.
  2. “Written” includes e-mail, PDF, or any durable electronic format (Recital 82).
  3. Sub-processor = prior written authorisation (Art. 28(2)(b)).
  4. Processor liability = joint & several with controller (Art. 82).
  5. Cross-border transfer clause = must reference SCCs/BCRs (Art. 28(9)).
  6. TOMs must be “appropriate to the risk” – risk-based, not one-size-fits-all (Art. 32).
  7. Controller-directed instructions must be documented – verbal orders are insufficient.
  8. ROPA requirement for processors – record of processing activities (Art. 30).
  9. Termination clause = return or delete data + deletion certificate (Art. 28(3)(g)).
  10. Audit rights = controller may conduct on-site audits or request certifications (Art. 28(3)(h)).

Keep these points handy, and you’ll be ready to ace the processor-obligations portion of the CIPP/E exam!