Privacy Program Third-Party Service Provider Management

A data processing agreement (DPA) is mandatory under Art.

28 GDPR whenever a third-party service provider processes personal data on behalf of a controller. Common scenarios include cloud hosting, email marketing platforms, payroll processing by external providers, or IT support with access to personal data. The DPA must specify the subject matter and duration of processing, the nature and purpose, the type of data, the categories of data subjects, and the rights and obligations of the controller. Non-compliance can result in fines of up to

10 million euros or

2 percent of annual global turnover.

Under Art. 28(1) GDPR, controllers may only engage processors that provide sufficient guarantees of appropriate technical and organizational measures. In practice, this means conducting documented assessments of the processor technical and organizational measures before contracting, obtaining evidence such as ISO 27001 certifications or SOC

2 reports, evaluating the data protection level of sub-processors, and regularly verifying that agreed measures are maintained throughout the contract term. This duty of care extends across the entire contractual relationship.

A data processor acts solely on the controller instructions and makes no independent decisions about the purposes and means of data processing. A joint controller under Art.

26 GDPR, by contrast, co-determines purposes and means alongside the other controller. The distinction matters because processing by a processor requires a DPA, while joint controllership requires a joint controller arrangement. For example, an external IT provider maintaining servers is typically a processor. A platform operator running its own analytics on user data is more likely a joint controller.

Vendor due diligence in a data protection context systematically evaluates a third party data protection maturity. It should cover: assessment of technical and organizational measures per Art.

32 GDPR, review of the data protection management system and internal policies, verification of certifications and external audit reports, analysis of data processing in third countries and appropriate safeguards, review of the sub-processor chain, and obtaining references regarding previous data protection incidents. ADVISORI conducts these assessments using standardized questionnaires and scoring matrices.

GDPR requires ongoing monitoring of data processors, not just a one-time assessment. Proven monitoring practices include annual reviews of technical and organizational measures through questionnaires or on-site audits, automated tracking of certification deadlines and compliance documents, an incident reporting system with defined response times, regular checks of the sub-processor list for changes, and KPI-based reporting on data protection performance. A centralized vendor management system helps maintain oversight across many service providers.

When a third-party processor handles data outside the EU or EEA, additional requirements under Art. 44–49 GDPR apply. Following the Schrems II ruling, standard contractual clauses (SCCs) alone are insufficient. A Transfer Impact Assessment (TIA) evaluating the legal framework in the third country is required. For US-based processors, the EU-US Data Privacy Framework may serve as a basis if the processor is certified. Additionally, supplementary technical measures such as encryption and pseudonymization should be assessed to ensure an adequate level of data protection.

ADVISORI supports the entire lifecycle of third-party data protection. We start by mapping all existing vendor relationships and assessing the current maturity level. Based on this, we develop a risk-based classification system, standardized DPA templates, and due diligence questionnaires. We implement monitoring processes with defined review cycles and escalation paths. In case of data protection incidents, we support with established incident response procedures. The goal is a scalable system that ensures GDPR compliance even as the number of service providers grows.