
GDPR Vendor Compliance – Article 28 DPA Requirements, Risk Assessment, and International Data Transfers

Under GDPR Article 28, organizations must ensure all third-party data processors operate under a compliant Data Processing Agreement. This guide covers required DPA clauses, vendor risk classification, ongoing monitoring, and international transfer compliance — and how your Secure Privacy DPO manages the entire framework.

Secure Privacy Team

Under GDPR Article 28, organizations that share personal data with third-party vendors must ensure those vendors provide sufficient data protection guarantees — and must document those guarantees in a formal Data Processing Agreement (DPA). As the data controller, your organization remains legally responsible for how processors handle personal data. Your Secure Privacy DPO manages your vendor compliance framework from initial due diligence through ongoing monitoring and contract review.

Who Is This For?

  • Data Protection Officers and privacy managers responsible for third-party data processor compliance

  • Legal and procurement teams reviewing vendor contracts and Data Processing Agreements

  • IT and security teams assessing the data protection practices of software and service vendors

  • Organizations subject to GDPR that share personal data with third-party processors or subprocessors

Why GDPR Vendor Compliance Matters

When your organization shares personal data with third parties, you remain fully responsible for ensuring that data is protected in line with GDPR. Selecting a processor without adequate data protection guarantees — or without a compliant DPA in place — exposes your organization to regulatory enforcement action under GDPR Article 28, regardless of whether the breach originates with the vendor.

Third-Party Vendor Assessment Process

Your Secure Privacy DPO conducts vendor assessments through a structured five-stage process:

  1. Vendor inventory: Maintain a complete register of all third parties with access to personal data, including subprocessors.

  2. Risk classification: Categorize vendors by the type, sensitivity, and volume of personal data they process.

  3. Due diligence: Assess each vendor's data protection practices, security certifications (e.g., ISO 27001, SOC 2), and compliance track record.

  4. Contract review: Ensure all Data Processing Agreements contain the mandatory clauses required under GDPR Article 28(3).

  5. Ongoing monitoring: Conduct regular vendor reassessments based on risk classification to maintain continuous compliance oversight.

GDPR Article 28(3) DPA Requirements: Required Clauses

Every Data Processing Agreement must satisfy the minimum content requirements set out in GDPR Article 28(3). Your DPO reviews all vendor DPAs to confirm the following clauses are present and enforceable:

  • Subject matter, duration, nature, and purpose of the processing

  • Type of personal data being processed and categories of data subjects affected

  • Obligations and rights of the data controller

  • Requirement to process data only on documented instructions from the controller

  • Confidentiality obligations for all persons authorized to process the data

  • Appropriate technical and organizational security measures under GDPR Article 32

  • Conditions and controls for engaging subprocessors

  • Assistance obligations for responding to data subject rights requests

  • Assistance with data breach notification and DPIA obligations

  • Deletion or return of all personal data upon contract termination

  • Audit rights for the controller and cooperation with supervisory authorities

Vendor Risk Categories and Review Frequency

Your DPO assigns each vendor a risk classification based on the nature and volume of data they process. Review frequency is determined by risk level:

  • High risk: Processes large volumes of personal or sensitive data, or transfers data internationally. Review frequency: quarterly.

  • Medium risk: Regular access to personal data as part of standard service delivery. Review frequency: semi-annually.

  • Low risk: Limited or occasional access to personal data with minimal processing scope. Review frequency: annually.

International Data Transfers and GDPR Chapter V Compliance

When vendors process or transfer personal data outside the European Economic Area (EEA), additional compliance obligations apply under GDPR Chapter V. Your DPO ensures that all international data transfers by third-party vendors are covered by an appropriate transfer mechanism, including:

  • Standard Contractual Clauses (SCCs) — the most commonly used mechanism for transfers to third countries without an adequacy decision

  • Adequacy decisions — applicable where the European Commission has determined that the destination country provides an equivalent level of data protection

  • Other approved transfer mechanisms under GDPR Article 46, such as binding corporate rules or approved codes of conduct

Your DPO reviews transfer impact assessments where required and advises on supplementary measures when SCCs alone may not be sufficient to protect transferred data.

Frequently Asked Questions

What is a Data Processing Agreement and when is it required?

A Data Processing Agreement (DPA) is a legally binding contract between a data controller and a data processor, required under GDPR Article 28 whenever a third party processes personal data on your behalf. It must be in place before any processing begins and must contain all clauses specified in Article 28(3).

What is the difference between a data processor and a data controller under GDPR?

A data controller determines the purposes and means of processing personal data. A data processor processes personal data on behalf of the controller, following the controller's instructions. Under GDPR, controllers remain responsible for ensuring their processors comply with the regulation — including through a compliant DPA.

What happens if a vendor subcontracts processing to another party?

Under GDPR Article 28(2), processors must obtain prior written authorization from the controller before engaging subprocessors. Any subprocessor must be bound by the same data protection obligations as the primary processor. Your DPO reviews subprocessor arrangements as part of the vendor due diligence process.

Are Standard Contractual Clauses still valid for international data transfers after Schrems II?

Yes, but with additional requirements. Following the Court of Justice of the EU's Schrems II ruling, organizations must conduct a transfer impact assessment to verify that SCCs provide effective protection in the destination country. Where they do not, supplementary technical or contractual measures must be applied. Your DPO advises on this assessment for all relevant vendor transfers.
