
GDPR Article 28: when a vendor is a processor (AEPD SEUR/Citibox)

On 8 June 2026, the AEPD fined SEUR and Citibox for lacking a GDPR Article 28-compliant data processing agreement in a “carrier + smart lockers” setup. Contract labels are not decisive; actual processing reality prevails.

At a glance — On 8 June 2026, Spain’s AEPD closed, via voluntary payment, proceedings against SEUR GEOPost, S.L. and CITIBOX Smart Services, S.L. for lacking a GDPR Article 28‑compliant processing agreement in a smart‑locker delivery setup integrated with the carrier’s systems. The takeaway: contract wording (“independent controllers”) does not prevail; if one party processes on behalf of another, a robust DPA is mandatory.

The case

The AEPD found that the locker operator sent SMS notifications to recipients, handled parcel pick‑ups, and interfaced with the carrier’s systems on terms set by the carrier. Despite a services agreement labelling the parties as “separate controllers”, Citibox was in fact a processor for part of these operations, and no Article 28‑compliant processing agreement was in place. Both companies accepted this characterisation and paid voluntarily, closing PS‑00247‑2024 (Citibox) and PS‑00248‑2024 (SEUR). Official refs: AEPD summary (8 June 2026), PS‑00247‑2024, PS‑00248‑2024.

Key point: SEUR determines the purpose (“deliver the parcel”) and the essential means (use of lockers, contact method). Citibox follows SEUR’s instructions in service of that purpose, so the relationship is one of controller and processor and an Article 28 contract is required. The AEPD also notes that Citibox subsequently re‑used the data for its own purposes; for that processing it acted as a controller in its own right and needed its own legal basis.

Legal reasoning

  • Roles. The controller determines the purposes and essential means of processing; the processor acts on the controller’s behalf and on its instructions. EDPB Guidelines 07/2020 require a factual, substantive assessment: qualify the parties per purpose and per processing operation; contract labels are not decisive. Source: EDPB 07/2020.
  • Article 28 contract. The DPA must set out the subject matter and duration, the nature and purpose of the processing, the types of data and categories of data subjects, and must bind the processor to act only on documented instructions, ensure confidentiality, implement Article 32 security measures, engage sub‑processors only under the Article 28(2) and (4) conditions, assist with data subject rights and with security, breach‑notification and DPIA obligations, delete or return the data at the end of the service, make available the information needed to demonstrate compliance and allow audits, and flag any instruction it considers unlawful. Text: GDPR Art. 28(1)–(10).
  • AEPD’s application. The decisions describe a “functional mutation”: Citibox is a processor as long as it enables delivery under SEUR’s instructions, and becomes a controller when it processes the same data for its own purposes. The infringement is twofold: (i) no DPA despite the technical integration and the outsourcing of delivery operations, (ii) further processing by Citibox without a valid legal basis of its own. See the AEPD decisions.
  • EU convergence. This reading is in line with the EDPB: roles are dynamic and functional, assessed operation by operation. Luxembourg’s CNPD reiterates the Article 28 minimum content and the option to rely on standard contractual clauses adopted by the Commission or a supervisory authority (Art. 28(7)–(8)). Refs: EDPB 07/2020, CNPD Chapter IV.

What this changes for organisations in Luxembourg

  • Integrated ecosystems. When you outsource combined “operations + application” components (smart lockers, KYC, managed cloud, embedded AI, last‑mile delivery), assess, operation by operation, who determines the purpose and the essential means. If that is you, the provider is your processor and an Article 28 DPA is mandatory; without one you are in formal breach even where no data subject is harmed. See the AEPD.
  • Hybrid contracts. A partner may be a processor for the delivery itself but a controller for analytics, product improvement or its own marketing. The DPA must strictly confine the “on‑behalf” uses; any re‑use for the partner’s own purposes requires a separate legal basis (typically legitimate interests backed by a documented legitimate interests assessment, or consent) and clear notice to the data subjects. See PS‑00247‑2024.
  • Due diligence and audits. Art. 28(3)(h) requires the processor to make available all information necessary to demonstrate compliance and to allow for and contribute to audits. A generic ISO/ISAE attestation whose scope does not cover the outsourced processing is not enough. Prepare checklists covering the processor’s records of processing, access logs, traceability of controller instructions, tenant isolation, deletion at end of contract, and sub‑processor management. Ref: GDPR Art. 28. A DPO mandate can steer DPA drafting and supplier oversight.
  • CNPD practice. The CNPD accepts the Commission standard contractual clauses as a baseline, provided every element of Art. 28(3) is covered. This applies to providers established in Luxembourg and elsewhere in the EU alike. See CNPD Chapter IV.

Frequent pitfalls seen in audits

  1. “Independent controllers” by clause. Labelling the parties as separate controllers to avoid a DPA fails where the partner in fact follows your instructions (delivery, notifications, support). The factual reality prevails over the contract. Refs: AEPD 08/06/2026 and EDPB 07/2020.
  2. Vague “improvement” purposes. Re‑using phone numbers or delivery events to optimise the network or to prospect customers, without a separate legal basis and notice, shifts the partner’s role to controller. See PS‑00247‑2024.
  3. Incomplete DPAs. Missing concrete security measures, erasure and return timelines, or assistance with data subject rights. Art. 28(3) is prescriptive; an internal security framework that is not annexed to the contract is insufficient. See EUR‑Lex and CNPD.
  4. “Certification = audit”. Replacing audit rights with a generic ISO attestation whose scope does not cover the service conflicts with Art. 28(3)(h).
  5. Uncontrolled sub‑processors. No prior specific or general written authorisation from the controller, and no flow‑down of the same data protection obligations to the sub‑processor. Text: Art. 28(2) and (4) of the GDPR.


Luxgap regulatory expertise article.