Vendor Assessments: Choosing a Processor

As you can imagine, complex data processing often requires outsourcing certain tasks to specialized service providers. These entities, known as ‘processors’, are then granted access to personal data for processing purposes. Article 28 of the GDPR establishes the legal framework for such collaborations, from the selection of processors (vendor assessment) to the drafting of a contract (data processing agreement), with the aim of protecting data subject rights and ensuring overall compliance with the GDPR.

In this blog post, we will look at how to choose a processor and what agreement to put in place.

Before going any further, let’s first outline the roles of the two parties involved in a data processing agreement:

  • Controller: the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processor: the natural or legal person (other than an employee of the controller) who processes personal data on behalf of the controller.

How do vendor assessments play a role in choosing a processor?

As indicated above, when a controller engages a processor, their collaboration is governed by Article 28 of the GDPR. In this context, the controller must be careful when choosing or assessing a processor: Article 28(1) requires it to use only processors that provide sufficient guarantees of implementing appropriate technical and organizational measures, so that the processing meets the requirements of the GDPR. This is where the vendor assessment comes in.

Does the processor / vendor provide sufficient guarantees?

When a controller assesses a processor, Recital 81 of the GDPR indicates that it should take into account the processor’s expert knowledge, reliability and resources.

To do so, it is advisable for the controller to review the processor’s privacy and security policies, terms of service and records of processing activities, and to examine reports from external audits. The controller can also verify whether the processor holds recognized certifications, e.g. ISO/IEC 27001 (the certifiable standard of the ISO 27000 series), and should check that the scope of the certificate actually covers the service it intends to use.

The processor’s reputation in the market can also play a role in the evaluation.

As you can see, the selection of processors can be very time-consuming!

Pre-contractual due diligence

As part of the vendor assessment, a controller may request that a potential processor provide details such as:

  • A copy of its security and privacy policies.
  • Where applicable, information on international transfers of personal data (including by its sub-processors).
  • A list of the technical and organizational measures taken to ensure an appropriate level of protection of personal data.

Furthermore, where the processing may pose a high risk to the rights and freedoms of data subjects, it is advisable for the controller to also request from the processor:

  • A copy of the report of the most recent audit(s), or the execution of a new audit.
  • A copy of its data breach register; bear in mind that the controller should also do its own research to make sure the processor has not been involved in a major data breach or cyber-attack!

How to ensure a data processing agreement is valid?

Turning to the processing agreement itself, Article 28(3) of the GDPR requires a contract or other legal act under Union or Member State law that is binding on the processor with regard to the controller. Unsurprisingly, the absence of such documentation renders the processing unlawful and exposes the parties to liability.

Furthermore, the contract or legal act must be in writing, including in electronic form (Article 28(9)). Relying solely on a verbal agreement would therefore fail to meet the requirements of Article 28.

For efficiency and compliance, we would advise controllers to draft their own data processing agreements whenever possible. If the processor already provides a template, the controller should verify that it meets all the requirements of Article 28. If it does not, we would recommend that the controller negotiate until the proposed agreement is GDPR-compliant, or simply consider another processor.

Article 28 requirements

In any case, whether the controller relies on its own processing agreement or on the processor’s template, the agreement must contain at least the following information:

  • The subject matter and duration of the processing, its nature and purpose, the type of personal data and the categories of data subjects, and the obligations and rights of the controller.

The agreement must also stipulate, as per Article 28(3), that the processor shall:

  • Process personal data ONLY on documented instructions from the controller, including with regard to transfers of personal data to a third country;
  • Ensure that the persons authorized to process the personal data have committed themselves to confidentiality (e.g. by signing a confidentiality clause) or are under an appropriate statutory obligation of confidentiality;
  • Implement appropriate technical and organizational measures in accordance with Article 32 GDPR;

Note:

Article 32 is all about maintaining a level of security appropriate to the risk. When deciding what is appropriate, the parties must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the likelihood and severity of the risk to individuals’ rights and freedoms. Knowing this, both the controller and the processor need to adopt the right technical and organizational measures!

Technical measures may include: pseudonymization and encryption of personal data; firewalls; anti-malware software; backups; two-factor authentication; redundant servers where necessary; dedicated or segmented network infrastructure; etc.

Organizational measures may include: a register of processing activities; an information security policy; access management, with access to personal data limited to those who need it; regular monitoring; disaster recovery planning; a process for regularly testing, assessing and evaluating the effectiveness of the measures in place; etc.

Keep in mind that, when determining the appropriate level of security, the risks presented by the processing must be taken into account, in particular the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

  • Obtain the controller’s prior specific or general written authorization before engaging sub-processors or changing arrangements with existing sub-processors;

Note:

If the processor holds a general written authorization, it must inform the controller of any intended addition or replacement of sub-processors, giving the controller the opportunity to object to such changes.

Furthermore, when a processor engages sub-processors to carry out specific processing activities on behalf of the controller, the same data protection obligations set out in the contract between the controller and the processor must be imposed on those sub-processors, by way of a contract or other legal act.

Keep in mind that if a sub-processor fails to fulfil its data protection obligations, the initial processor remains fully liable to the controller for the performance of that sub-processor’s obligations!

  • Assist the controller, by appropriate technical and organizational measures and insofar as possible, in fulfilling its obligation to respond to requests to exercise the rights of the data subject;

Note :

The controller remains responsible for overall GDPR compliance, but it can delegate certain tasks to the processor. So when the controller receives a data subject access request, it can either ask the processor to provide the requested personal data so that it can handle the request itself, or instruct the processor to handle the request on its behalf. Either way, the agreement should set out how quickly the processor must act, since the controller has to answer the data subject without undue delay and in any event within one month of receiving the request (Article 12(3)).

  • Assist the controller in ensuring compliance with its obligations relating to personal data breaches (Articles 33 and 34);

Note:

If a personal data breach occurs, the processor must notify the controller without undue delay after becoming aware of it (Article 33(2)). This allows the controller to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Keep in mind that if the breach is likely to result in a high risk to those rights and freedoms, the controller must also communicate it to the affected data subjects without undue delay (Article 34)! In practice, the agreement should fix a concrete notification deadline for the processor (for example, within 24 hours of becoming aware of the breach) so that the controller’s own 72-hour window is not consumed by the processor’s delay.

  • Assist the controller in carrying out data protection impact assessments (DPIAs) and prior consultations with the supervisory authority where required (Articles 35 and 36);
  • At the end of the provision of the services, at the choice of the controller, delete or return all personal data to the controller and delete existing copies (unless Union or Member State law requires the retention of the personal data);
  • Make available to the controller all information necessary to demonstrate compliance with the obligations set out in Article 28, and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Assessing vendors outside of the EEA

From a privacy perspective, it is highly recommended to opt for vendors that are based in, and process personal data within, the European Economic Area (EEA). Of course, there may be situations where the EEA market offers no suitable alternative, or where a processor outside the EEA provides a superior service. In such cases, and after conducting the pre-contractual due diligence, it is crucial to evaluate the data protection standards in the countries where these processors operate.

If a controller opts for a vendor outside the EEA, it must always consider Chapter V of the GDPR, which governs transfers of personal data to third countries. If the destination country benefits from an adequacy decision of the European Commission, the transfer may take place without further authorization. If not, the controller must put in place appropriate safeguards such as the Standard Contractual Clauses (SCCs). Since the Schrems II judgment, the controller should also assess whether the law and practice of the destination country could prevent the processor from honoring those clauses and, where they could, adopt supplementary measures (for example, encryption with keys held only within the EEA). Remember, too, that the vendor’s sub-processors may themselves be located outside the EEA, so the sub-processor list should be checked for transfers as well.

For a better grasp of the topic, see the European Commission’s information on adequacy decisions and on the Standard Contractual Clauses (SCCs).

What happens if the processor / vendor goes beyond his instructions?

Unsurprisingly, a processor cannot determine the purposes and means of the processing. Should it do so, in infringement of the GDPR, it would no longer be regarded as a processor but, as per Article 28(10) of the GDPR, as a controller in respect of that processing.

Consequently, the processor would be subject to all the responsibilities the Regulation imposes on controllers, including notifying data breaches to the supervisory authority and carrying out a DPIA where required, and could also be held liable towards the original controller for breaching the processing agreement.

Post-contractual due diligence

Ultimately, the commitment to engage only processors that offer ‘sufficient guarantees’ is an ongoing obligation: it does not end once the contract is signed but remains in effect throughout its duration. The controller should therefore continue to verify the reliability of the processor through audits, review of documentation and assessment of the associated risk level (LOW/MEDIUM/HIGH), based on the processor’s ability to ensure an adequate level of protection for the personal data.

Keep in mind that the extent of monitoring can vary according to the level of risk associated with the vendor’s processing activities:

  • If the risk is LOW, obtaining a copy of the relevant security documents may be sufficient.
  • If the risk is MEDIUM, the controller could request an audit report or an on-site inspection.
  • If the risk is HIGH, the controller may wish to require a periodic compliance assessment.

Conclusion

In sum, assessing a data processor’s expertise and the validity of the data processing agreement are critical steps in ensuring the security, compliance and reliability of outsourced data processing activities.

Rigorous evaluation of the vendor’s technical capabilities, security measures, compliance with data protection requirements and overall risk management is essential to establish a trusted and resilient controller-processor partnership. Ongoing monitoring and periodic reassessment further contribute to maintaining a robust framework, safeguarding data integrity and upholding the trust of stakeholders.

Written by

Kevin François

Consultant @ CRANIUM

Copyright © RESPONSUM BV