WarDek is a complete compliance suite that combines an OWASP vulnerability scanner with NIS2, AI Act and GDPR compliance modules, specially designed for European SMEs.

Is my company subject to NIS2?

The NIS2 directive applies to essential and important entities in sectors such as energy, healthcare, transport, digital, etc. Use our free simulator to check.

How should I use WarDek reports in an audit?

WarDek reports provide a practical working base for your team, auditor, or compliance preparation. They are not an official certification or legal opinion.

How long does a scan take?

A complete OWASP scan typically takes between 2 and 5 minutes depending on the complexity of your website.

Absolutely. We never store your credentials. Reports are encrypted and you can delete them at any time. We are hosted in France.

Can I try before I buy?

Yes! The Free plan lets you test WarDek with 3 scans per month, no credit card required.

GDPR Data Processor Obligations: Article 28 Complete Guide

One of the most frequently misunderstood aspects of GDPR compliance is the distinction between data controllers and data processors — and what each party owes the other contractually. Article 28 of Regulation 2016/679 governs the relationship between controllers and processors and sets binding requirements for the written agreement that must exist between them. Understanding these obligations is essential whether you are a SaaS company acting as a processor for your clients, or a business relying on third-party vendors who touch your customers' personal data.

Controller vs Processor: The Core Distinction

The controller is the entity that determines the purposes and means of processing personal data. The processor is the entity that processes data on behalf of and under the instructions of the controller.

A few examples clarify the distinction in practice:

A retail company that uses an email marketing platform: the retail company is the controller (it decides to collect customer emails and send promotions), and the email marketing platform is the processor (it sends emails under the retailer's instructions).
A payroll software vendor processing employee salaries: the employer is the controller, the software vendor is the processor.
A cloud storage provider storing encrypted files: the provider is typically a processor for the files uploaded by its business customers.

Note that joint controllership (Article 26) arises when two or more parties jointly determine purposes and means. This is distinct from the controller-processor relationship and requires its own agreement.

The distinction matters because Article 28 imposes binding obligations on processors that cannot be contracted away. A processor that exceeds the controller's instructions and determines its own purposes becomes a controller itself — with all the associated liability.

Article 28 Mandatory Requirements

Article 28(3) specifies a list of subjects that must be addressed in any Data Processing Agreement (DPA). A DPA that omits these is legally deficient.

1. Process only on documented instructions The processor must process personal data only on documented instructions from the controller, including with regard to transfers to third countries, unless required to do so by Union or Member State law.

2. Confidentiality obligation Persons authorized to process the personal data must be subject to a contractual or statutory confidentiality obligation.

3. Technical and organizational security measures The processor must implement appropriate security measures under Article 32 — taking into account the state of the art, implementation costs, the nature, scope, context and purposes of processing, and the risks.

4. Sub-processing restrictions The processor must not engage another processor (sub-processor) without prior specific or general written authorization of the controller. If general authorization is used, the processor must inform the controller of intended changes and give the controller the opportunity to object.

5. Data subject rights support The processor must assist the controller in responding to data subject rights requests (access, rectification, erasure, restriction, portability, objection). The DPA must specify how this assistance will be provided.

6. Security incident assistance The processor must assist the controller in meeting its obligations under Articles 32–36, including breach notification obligations (72-hour window to supervisory authority), and data protection impact assessments (DPIAs).

7. Deletion or return at termination At the end of the provision of processing services, the processor must delete or return all personal data to the controller, unless Union or Member State law requires storage.

8. Audit rights The processor must make available all information necessary to demonstrate compliance and allow for and contribute to audits and inspections conducted by the controller or an auditor mandated by the controller.

Sub-Processors: A Chain of Accountability

Article 28(4) extends the processor's obligations to sub-processors. When a processor engages a sub-processor, it must impose the same data protection obligations as those set out in the DPA with the controller. The processor remains fully liable to the controller if the sub-processor fails to fulfill its obligations.

In practice, this means your DPA with a SaaS vendor should:

Specify whether general or specific authorization applies to sub-processors
Require advance notice (typically 30 days) for sub-processor changes
Provide for your right to object to new sub-processors
Require the vendor to flow down your DPA obligations to each sub-processor

Most major cloud vendors (AWS, Azure, GCP) and SaaS platforms (Salesforce, HubSpot) publish their sub-processor lists and DPA templates. These should be reviewed before contracting.

Schrems II and International Data Transfers

The Court of Justice of the EU's Schrems II ruling (Case C-311/18, 2020) invalidated the EU-US Privacy Shield and significantly complicated transfers of personal data to third countries, particularly the United States. Processors that transfer data outside the EEA must now rely on one of the following mechanisms:

Adequacy decisions (Regulation 2016/679, Article 45): The EU has recognized certain countries (UK, Japan, Canada for commercial organizations, etc.) as providing adequate protection. The EU-US Data Privacy Framework (adopted July 2023) currently provides an adequacy basis for transfers to US-certified organizations.
Standard Contractual Clauses (SCCs): The European Commission's 2021 SCCs replaced the old 2010 clauses and must be used for controller-to-processor transfers. Critically, Schrems II requires a Transfer Impact Assessment (TIA) alongside the SCCs to evaluate whether the legal framework of the destination country undermines the SCC protections.
Binding Corporate Rules (BCRs): For intragroup transfers within multinational organizations.
Derogations (Article 49): For specific situations including explicit consent, performance of a contract, or important reasons of public interest — not a basis for systematic transfers.

The DPA must document which transfer mechanism applies for each processor and sub-processor established outside the EEA. For US-based processors not certified under the EU-US DPF, SCCs plus a TIA remain the standard approach.

Standard Contractual Clauses: What to Include

The Commission's 2021 SCCs (Decision 2021/914) consist of four modules:

Module 1: Controller to Controller
Module 2: Controller to Processor
Module 3: Processor to Processor
Module 4: Processor to Controller

For most SaaS vendor relationships, Module 2 applies. The SCCs include mandatory clauses but also require parties to complete specific annexes: a description of the transfer, the technical and organizational measures, and the list of sub-processors.

Post-Schrems II, the TIA must assess the legislation and practices of the destination country, particularly surveillance laws and government access rights. For US transfers, this means reviewing the CLOUD Act, FISA Section 702, and EO 12333, and documenting why the SCCs provide effective protection in the specific context of the transfer.

Article 28 Compliance Checklist

Use this checklist when reviewing or drafting DPAs:

[ ] DPA is in writing (electronic acceptable)
[ ] Processor acts only on controller's documented instructions
[ ] Confidentiality obligations imposed on authorized persons
[ ] Article 32 security measures specified or referenced
[ ] Sub-processing requires prior written authorization
[ ] Controller notified before sub-processor changes with objection period
[ ] Processor assists with data subject rights requests
[ ] Processor assists with security incidents and breach notification
[ ] Data returned or deleted at contract termination
[ ] Audit rights granted to controller
[ ] Third-country transfer mechanism documented (SCC + TIA where applicable)
[ ] Sub-processor DPA obligations flow-down confirmed

How WarDek Supports Article 28 Compliance

Managing DPAs across multiple vendors is operationally complex. WarDek's vendor compliance module centralizes your processor inventory, tracks DPA status, monitors sub-processor change notifications, and alerts you when SCCs or adequacy decisions expire or change. Automated transfer impact assessment templates help you document Schrems II compliance for each international processor relationship.

See how WarDek manages processor compliance at scale.

Key Takeaways

Article 28 is the contractual backbone of controller-processor relationships under GDPR. Every processor relationship requires a written DPA covering eight mandatory subjects. Sub-processor chains must maintain the same obligations throughout. Post-Schrems II, international transfers require both the appropriate legal mechanism and a documented transfer impact assessment. Auditors and supervisory authorities verify DPA completeness as a baseline compliance check — do not treat it as a formality.

For related reading, see our guide on maintaining GDPR processing records under Article 30.