Module 3 · Vendor management and the Article 28 contract
Choosing a suitable processor is part of the controller's accountability: there is a pre-contractual due-diligence duty, and a controller that skips it remains ultimately liable for what the processor does. Article 28 requires a written data processing agreement (DPA) with prescribed content and a set of mandatory provisions (the seven this module highlights are tabled below). The SWIFT case shows what happens when a processor steps outside its role.
Article 28(1) allows a controller to use only processors that provide sufficient guarantees of GDPR-compliant processing, so selecting processors is part of the controller's accountability. In practice this pre-contractual due diligence is done with vendor questionnaires covering policies, security measures, certifications and overall data-protection maturity. If the controller skips the due diligence, it cannot later shift responsibility to the processor and is ultimately liable.
Article 28 requires a written contract - a data processing agreement (DPA) - stating the subject-matter, duration, nature and purpose of processing, types of personal data, categories of data subjects, and the parties' obligations.
| # | Mandatory provision |
|---|---|
| 1 | Everyone the processor authorises to access the data is bound by a duty of confidentiality (contractual or statutory) |
| 2 | Appropriate security measures are implemented |
| 3 | Sub-processors only with controller approval - a general written authorisation is allowed, with a mechanism for the controller to object to changes |
| 4 | Delete or return personal data at the end of processing (often a practical window, e.g. 60 days, to clear backups) |
| 5 | Assist the controller with data-subject rights |
| 6 | Make available to the controller all information needed to demonstrate compliance with the contract and with Article 28 |
| 7 | Submit to and contribute to audits and inspections (third-party audit certifications are often used) |
SWIFT positioned itself as a processor for the banks whose payment messages it carried. When served with US Treasury subpoenas after 9/11, it decided on its own to hand the data over, acting on its own initiative rather than on its controllers' documented instructions (the first obligation Article 28(3) places on a processor) and so moving outside the processor role; it should arguably have passed the request to the controller financial institutions and let them decide. The case illustrates the tension between EU data-protection duties and foreign legal orders, and why a DPA must say what the processor does when a third-country authority demands data.
Two related points. First, the neighbourhood-watch / John's camera example (home CCTV that also records neighbours and part of the street) tests the limits of the household exemption: once the camera captures public space or other people's property, the processing is no longer purely personal or household activity (the CJEU reached that conclusion for a home camera filming the street in Ryneš, 2014), so the GDPR applies and John becomes a controller. Second, offshoring: if a processor or its sub-processors transfer data outside the EU/EEA, a Chapter V mechanism must be in place, either an Article 45 adequacy decision, Article 46 appropriate safeguards (standard contractual clauses, binding corporate rules, or ad hoc contractual clauses authorised by the supervisory authority) or, failing those, one of the narrow Article 49 derogations. The DPA should name the mechanism relied on, because the controller remains answerable for the transfer.