GDPR – Article 28: the watertight processor contract

In 2026, every DPO/CISO must bulletproof processor contracts. Mandatory clauses, EDPB/CNPD guidance, and a practical audit playbook for a watertight Article 28.

The general rule

The GDPR requires that any processing carried out “on behalf of” a controller be governed by a written contract or other legal act, precisely defining the subject matter, duration, nature and purpose of processing, the types of data, the categories of data subjects, and the controller’s obligations and rights. These requirements are set out in Article 28, notably 28(1), 28(3) and 28(9). The text also provides for contractual “flow‑down” to any sub‑processor (28(4)) and the possibility to use standard clauses adopted by the Commission (28(7)). Official text: GDPR Article 28 on EUR‑Lex. (eur-lex.europa.eu)

The core of 28(3)(a) to (h) imposes minimum obligations on the processor: process only on documented instructions (including for transfers), ensure confidentiality, apply security measures aligned with Article 32, engage another processor only with authorization (specific or general), assist the controller in responding to data subject rights and conducting DPIAs, assist in case of a breach, delete/return data at end of contract, and submit to audits/demonstrations of compliance. See the full list in Article 28(3) GDPR. (eur-lex.europa.eu)

Since 4 June 2021, the Commission has adopted controller‑processor Standard Contractual Clauses (SCCs) for use within the EU/EEA: Implementing Decision (EU) 2021/915. They can be integrated into a broader agreement, provided Article 28(3) and (4) are not contradicted. (eur-lex.europa.eu)

To put these duties into local context, see the GDPR framework and its practical implementation in Luxembourg.

What regulators say

  • CNPD (Luxembourg). The CNPD stresses that the contract must bind the parties, prohibit any processor’s own purposes, and may rely on Commission SCCs as “templates” provided Article 28(3) is respected. See “Sous‑traitants – Professionnels”: official page. (cnpd.public.lu)
  • EDPB. Guidelines 07/2020 (final 2021, update 2022) clarify in particular: processors must refuse (or flag) unlawful instructions; “general authorization” for sub‑processors requires prior information and an effective right to object; audit rights must be concrete and practicable; certifications/codes may be evidence, not substitutes for audits. Reference: EDPB – Guidelines 07/2020. (edpb.europa.eu)
  • European Commission. Beyond Article 28, Decision (EU) 2021/915 offers a balanced, up‑to‑date clause set aligned with the GDPR architecture and audit practice, including flow‑down to sub‑processors and remedies if the processor disappears/becomes insolvent. See the decision and annexes (SCCs): Publications Office. (op.europa.eu)

How to apply it in practice

1) Before processing (selection and due diligence)

  • Map the exact roles (controller vs processor) under EDPB 07/2020; where “standard” SaaS imposes its own purposes (analytics, product improvement), re‑qualify as joint controllership for those operations or require contractual deactivation. Reference: EDPB 07/2020. (edpb.europa.eu)
  • Verify “sufficient guarantees” (Art. 28(1)): security (ISO 27001/27018), data location, logging, encryption, access management, DR/BCP, testing; collect evidence and reports. A structured DPO mandate can operationalize these checks.
  • Pre‑approve sub‑processors (cloud host, support) via specific or general authorization with prior information and a right to object (Art. 28(2)). Legal basis: GDPR Article 28. (eur-lex.europa.eu)

2) During contracting

  • Include all 28(3)(a)–(h) clauses. A robust approach starts from 2021/915 SCCs (controller–processor module), then adds:
    • Documented instructions, including extra‑EU transfer policy (prohibited absent explicit instruction).
    • Confidentiality (NDA + security training).
    • Technical/organizational measures aligned with Art. 32 (detailed security annex).
    • Sub‑processing: registry, N‑day notice, right to object; 28(4) flow‑down.
    • Assistance for data subject rights (response timelines, channels, costs).
    • DPIA assistance and breach handling (internal notification SLA < 24h, minimum content).
    • Exit: deletion/return within X days, formats, deletion evidence.
    • Audit: reasonable audit rights (notice, scope, frequency), recognized third‑party audits, access to test summaries, for‑cause mechanism.
    Support: Decision (EU) 2021/915 – SCCs. (eur-lex.europa.eu)
  • Require notification if an instruction appears unlawful per EDPB 07/2020; provide for an escalation process and limited suspension. Source: EDPB 07/2020. (edpb.europa.eu)
  • Document written form (electronic accepted, Art. 28(9)): qualified e‑signature and evidence‑grade archiving. Legal basis: GDPR Article 28(9). (eur-lex.europa.eu)
  • For EU/EEA actors: Article 28 SCCs cover the controller–processor intra‑EU link. If third‑country transfers are envisaged, add the transfer SCCs of Decision (EU) 2021/914 and a transfer risk assessment (TRA). See Decision (EU) 2021/914 and the Commission site. (eur-lex.europa.eu)

3) During performance

  • Maintain the sub‑processor registry; notify changes and manage objections.
  • Steer security/rights SLAs; test the internal 24h notification procedure; require periodic reports (vulnerabilities, incidents, data subject requests).
  • Conduct proportionate audits (annual for critical services), leveraging independent audit reports but preserving a direct right to audit in case of serious doubt, per EDPB 07/2020. Ref.: EDPB 07/2020. (edpb.europa.eu)

4) At exit

  • Implement reversibility: export in open formats, reasonable assistance, certified deletion at the processor and all sub‑processors (with evidence). Basis: Article 28(3)(g) and 2021/915 SCCs. (eur-lex.europa.eu)

Common pitfalls

  1. “Audit‑light” or illusory audit clauses. Limiting audits to SOC 2 reports without any complementary access may breach 28(3)(h) if it does not allow demonstration of compliance. EDPB 07/2020 expects effective, proportionate audit rights. Source: EDPB 07/2020. (edpb.europa.eu)
  2. General sub‑processor authorization with no objection mechanism. Article 28(2) requires prior information and a right to object; without it, the clause is incomplete. Text: GDPR Article 28. (eur-lex.europa.eu)
  3. Role mixing. Some SaaS vendors claim “processor” status while also pursuing their own purposes (service improvement via customer data, usage profiling). For those purposes you shift to joint controllership (Art. 26) with a different contractual setup. See EDPB 07/2020 analysis on shared purposes. Ref.: EDPB 07/2020. (edpb.europa.eu)
  4. Omission of the “unlawful instruction” clause. Without a reporting/suspension mechanism when an instruction appears contrary to the GDPR, you risk unlawful processing. The EDPB expects active vigilance from processors. Ref.: EDPB 07/2020. (edpb.europa.eu)
  5. Confusing Article 28 SCCs with transfer SCCs. 2021/915 SCCs govern the controller‑processor link in the EU/EEA; for third‑country transfers you must also add 2021/914 SCCs (or another Article 46 mechanism). See Decisions: 2021/915 and 2021/914. (eur-lex.europa.eu)

Final tip: As of May 2026, anticipate CNPD/EDPB audits by adopting a reusable “Article 28 kit”: responsibility matrix, living security annexes, sub‑processor register, and a risk‑based audit calendar, leveraging 2021/915 SCCs and EDPB guidance. To get started, feel free to contact us.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.