EU GDPR Vendor Management

Article 28 compliance is a contract and operations discipline, not just a procurement checkbox.

Use the 2021 controller-processor clauses, sub-processor governance, breach-assistance rules, and transfer mapping to keep vendor reality aligned with the paper.

Author
Sorena AI
Published
Feb 21, 2026
Updated
Feb 21, 2026
Overview

Vendor compliance fails when contracts say one thing and systems do another. The GDPR standard for processors is not just to sign a DPA. Controllers must use only processors that provide sufficient guarantees, the contract must contain the Article 28 elements, sub-processor use must be controlled, and the operational reality (security, incident escalation, remote access, transfer routes, retention, and deletion) has to match the contract pack. That is why vendor management under GDPR is a live control framework rather than a procurement document set.

1) Role and service-model check before contract drafting

The first failure mode is role confusion. Some service providers act as processors for some tasks and independent controllers for others.

Map the service model before you negotiate clauses.

  • Identify the subject matter, duration, nature, and purpose of the processing.
  • Map data categories, data-subject categories, and whether the supplier determines any purposes or essential means itself.
  • Separate processor services from controller-controlled analytics, benchmarking, or service-improvement uses.
  • Tie the role map to procurement and security review so the contract follows the real service design.

2) Article 28 clause set and the 2021 standard clauses

The contract needs the Article 28(3) and (4) elements, but many organisations still use stale or incomplete clause packs.

The Commission adopted standard controller-processor clauses on 4 June 2021 that can be used or incorporated in broader contracts.

  • Make sure the agreement covers instructions, confidentiality, security, assistance, deletion or return, audits, and sub-processor controls.
  • Where the Commission 2021/915 clauses are used, align the annexes with the actual service and data flow.
  • Remember that the Article 28 standard clauses are not the same thing as Chapter V transfer SCCs.
  • Keep one source of truth for signed DPA versions and annexes.

3) Sub-processor governance and change control

Sub-processor management is often the point where the paper trail breaks. Article 28 requires prior specific or general written authorisation and meaningful change notice.

That needs more than a hidden webpage link.

  • Maintain the authorised sub-processor list and the notice period for changes.
  • Require the processor to impose equivalent obligations on each sub-processor.
  • Check how transfer routes change when new sub-processors or support regions are added.
  • Keep objection decisions and remediation actions in the vendor record.

4) Ongoing monitoring: prove the processor still provides sufficient guarantees

Processor diligence does not end at signature. The controller must keep checking that the practical guarantees still exist.

This is where audit evidence, security evidence, and incident performance matter.

  • Refresh security evidence, certifications, penetration-test summaries, and incident history on a defined cadence.
  • Test breach-assistance and escalation performance, not just the contractual wording.
  • Map each processor to its transfer mechanism, cloud-region choices, and onward transfers.
  • Retire or renegotiate stale clauses, including any packs that still mention Privacy Shield or obsolete SCC models.
Recommended next step

Keep EU GDPR Vendor Management in one governed evidence system

SSOT can turn EU GDPR Vendor Management from material reused inside a governed evidence system into a reusable workflow inside Sorena. Teams working on EU GDPR can keep owners, evidence, and next steps aligned without copying this guide into separate documents.
