GDPR Article 28: Processor Obligations Explained

When engaging processors, use only those that provide sufficient guarantees, and execute a Data Processing Agreement (DPA) containing the clauses required by Article 28(3).

OFFICIAL REFERENCE (PARAPHRASED)

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees... Processing by a processor shall be governed by a contract or other legal act under Union or Member State law. (GDPR Article 28)

Last reviewed: June 2026. Not legal or audit advice.

WHAT EVIDENCE SATISFIES THIS

  • Executed DPAs with all processors
  • Subprocessor inventory and notification process
  • Processor due diligence assessments
  • Published subprocessor list

Cross-framework overlap

This control requirement also appears in:
