GDPR Article 28 is one of the most practically important articles for any organisation that uses third-party services to process personal data — which is almost every company today. Yet many organisations still treat it as a box-ticking exercise: sign a DPA, file it, forget about it.
Data Protection Authorities across Europe are increasingly focused on whether controllers are actually conducting meaningful due diligence on their processors — not just collecting signed agreements. This guide explains what Article 28 actually requires, what a credible due diligence process looks like, and provides a practical checklist you can use immediately.
What Article 28 actually says
Article 28 establishes the controller's obligations when using a data processor. The core requirements most often missed are:
- Controllers must use only processors that provide "sufficient guarantees" to implement appropriate technical and organisational measures. This isn't satisfied by a signed DPA alone — you need evidence that the processor actually has adequate controls.
- Processing must be governed by a binding contract (the DPA) covering a specific list of requirements including subject matter, duration, nature, purpose, data categories, and the processor's obligations.
- Sub-processors require prior authorisation from the controller, either specific or general. If general, you must be notified of changes and have the right to object.
- Controllers have the right to audit processors or commission audits to verify compliance. This right must appear in the DPA.
The common misunderstanding: Article 28 doesn't just require a DPA — it requires that you use processors that are actually capable of meeting their obligations. A DPA signed by a processor with poor security controls doesn't satisfy Article 28. Controllers are expected to conduct due diligence, not just collect paperwork.
Who counts as a data processor?
Any supplier that processes personal data on your behalf — under your instructions, for your purposes — is a data processor. Common examples for mid-sized companies include:
- Cloud providers and SaaS platforms (HR systems, CRM, email marketing tools)
- Payroll processors and accounting software
- IT service providers and MSPs with access to employee or customer data
- Marketing agencies handling customer data
- Recruitment platforms processing candidate information
- Any supplier with access to your systems who could incidentally access personal data
If you're not sure whether a supplier is a processor or a controller in their own right, the test is: are they processing the data according to your instructions, or do they determine the purpose and means themselves? If it's your instructions, they're a processor.
The Article 28 due diligence checklist
For each data processor, your due diligence process should address the following areas:
1. Technical and organisational security measures
- Does the processor have documented information security policies?
- Is access to personal data controlled and limited to authorised personnel?
- Is data encrypted in transit and at rest?
- Does the processor conduct regular security testing (penetration tests, vulnerability scans)?
- Is there a documented process for handling security incidents?
- Does the processor have a business continuity and disaster recovery plan?
2. Sub-processor management
- Does the processor use sub-processors to handle your data?
- Do you have specific or general authorisation in place for sub-processors?
- Are sub-processors bound by equivalent data protection obligations?
- Is there a mechanism for the processor to notify you of sub-processor changes?
3. Data subject rights support
- Can the processor assist you in responding to data subject requests (access, erasure, portability)?
- Is there a defined process and SLA for this assistance?
4. Incident notification
- Does the processor have an obligation to notify you of personal data breaches without undue delay?
- Is the notification obligation explicitly in your DPA?
- Does "without undue delay" have a specific timeframe (e.g. 24 or 72 hours)?
5. Data deletion and return
- Is there a clear obligation to delete or return personal data at the end of the contract?
- Are retention periods and deletion timelines defined?
6. International transfers
- Does the processor (or their sub-processors) transfer data outside the EEA?
- If so, is an appropriate transfer mechanism in place (Standard Contractual Clauses, adequacy decision)?
7. Audit rights
- Does your DPA include a right to audit or inspect the processor?
- Does the processor provide audit reports, certifications, or other evidence of compliance (ISO 27001, SOC 2)?
Practical tip: For most mid-sized processors, direct audits are impractical. Acceptable alternatives include reviewing the processor's ISO 27001 certificate, SOC 2 Type II report, or asking them to complete a structured questionnaire covering the areas above. Document whichever approach you take.
What goes in a GDPR Article 28 DPA
Article 28(3) specifies the minimum contents of a data processing agreement. Your DPA must cover:
- The subject matter, duration, nature, and purpose of the processing
- The type of personal data and categories of data subjects
- The obligations and rights of the controller
- That the processor processes only on documented instructions from the controller
- Confidentiality obligations for persons authorised to process the data
- The security measures required under Article 32
- Sub-processor provisions (notification, equivalent obligations)
- Assistance with data subject rights
- Assistance with the controller's Article 32–36 obligations (security, DPIA, breach notification)
- Deletion or return of data at end of contract
- Providing all information necessary to demonstrate compliance and allowing audits
Many processors offer standard DPAs. Review them against this list — not all standard DPAs cover every requirement adequately, particularly around audit rights and sub-processor notification.
How often should you reassess processors?
Article 28 doesn't specify a frequency, but a processor (and its DPA) should be reassessed whenever:
- The nature or scope of processing changes materially
- The processor notifies you of significant changes (sub-processors, security incidents, policy changes)
- There's been a significant breach or regulatory action involving the processor
- Your internal privacy review schedule triggers a reassessment (annually for critical processors is common practice)
Using Supplira for Article 28 assessments
Supplira includes a full GDPR Article 28 Processor Assessment template and a lighter-weight GDPR Article 28 Lite template for lower-risk processors. Both are structured around the checklist above and produce a scored result you can use to prioritise follow-up.
The assessment is sent directly to your supplier via a link — they fill it out, you review the responses, and any gaps become structured findings. Over time, the residual risk view shows you which processors represent ongoing concerns and whether things are improving.
For the DPA itself, Supplira provides a standard Data Processing Agreement that covers all Article 28(3) requirements. You can download it from our DPA page or request a customised version for your specific engagement.
Start your GDPR Article 28 assessments
Supplira includes full and lite GDPR Article 28 templates. Send your first assessment in minutes — free for up to 3 suppliers.