GDPR processor: the compliance checklist

· 4 min read · SOVALYX Technologies

SHARE

Host, managed services provider, SaaS vendor, BPO, agency: as soon as you process personal data on behalf of a client, you are a processor under the GDPR. Article 28 then imposes a precise contractual and operational baseline — one your European clients check ever more systematically. Here is how to turn it into control points.

Are you a processor? The one-question test

The question to ask: do you process personal data on behalf of, and on the instructions of, another organisation? If yes, you are a processor — whether you host a customer database, run outsourced payroll, handle files as a BPO or maintain a client's application. And you often wear both hats: controller for your own data (HR, prospecting, invoicing), processor for your clients' data.

An important point for providers outside the EU: even without being directly subject to the regulation, you inherit its obligations by contract as soon as your clients are subject to it. Article 28 forbids them from using a processor that does not offer "sufficient guarantees" — your compliance is therefore a condition of market access.

The Article 28 contract: what it must contain

No processing on behalf of a client without a written contract — the well-known DPA (data processing agreement). It sets the subject matter, duration, nature and purpose of the processing, the types of data and categories of data subjects, then eight processor commitments:

Day to day: records, security, breaches

The contract alone is not enough: Article 28 lives in operations. Three permanent workstreams. First, the record of categories of processing activities carried out for your clients (Article 30): client, nature of processing, any transfers, security measures. Second, demonstrable security: encryption, named access control, logging, tested backups — preferably immutable ones — without forgetting the underlying question of where your clients' data lives, covered in GDPR and hosting.

Finally, data breaches: you must notify your client "without undue delay" after becoming aware of one, because the client has 72 hours to notify the supervisory authority. Your detection speed therefore directly conditions its legal deadline: a written procedure, known to the on-call team and tested at least once a year, is not a luxury — it is the heart of the commitment.

Why your clients will audit you more

Every controller must prove it works only with processors offering sufficient guarantees: due-diligence questionnaires, audit clauses and annual reviews are becoming the norm — the same contractual mechanics NIS2 already imposes on suppliers of regulated entities, as we explain in NIS2: why your European client will ask for your DR plan. An evidence file ready to send turns this constraint into a commercial advantage: you become the processor that is easy to choose.

The Article 28 checklist

This checklist summarises typical obligations and is not legal advice: have your contracts and edge cases validated by specialist counsel — and to turn these requirements into infrastructure evidence, talk it through with a specialist.

Control pointGDPR basisYou are ready if…
Signed data processing agreementArt. 28(3)Every processing for a client is covered by a complete written contract
Documented instructionsArt. 28(3)(a)Instructions are archived; any out-of-contract request is flagged before execution
Staff confidentialityArt. 28(3)(b)Confidentiality commitments signed, regular team awareness
Security of processingArt. 32Encryption, named access, logs, backups tested and restorable
Sub-processingArt. 28(2), (4)Up-to-date sub-processor list, prior authorisation, obligations flowed down
Assistance with data subject rightsArt. 28(3)(e)Procedure and deadlines defined to relay each request to the client
Breach notificationArt. 33(2)Detection, qualification and client alert without undue delay — it has 72 hours
Record of activitiesArt. 30(2)Record of categories of processing kept up to date, exportable on demand
End of contractArt. 28(3)(g)Deletion or return of the data, with supporting evidence
Audits and evidenceArt. 28(3)(h)Compliance file ready to send, audit arrangements set out in the contract

How SOVALYX can help

Many Article 28 requirements are proven at infrastructure level: SOVALYX operates a private cloud where access is logged, backups are tested and the subcontracting chain is reduced to a documentable minimum. 24/7 supervision under SLA detects and qualifies an incident fast enough for your client to meet its 72-hour deadline. And our private internal LLMs guarantee that no client data ever leaves for a public AI — a point audits now check.

Talk compliance with an engineer

🧰 The companion tool: Processor: are you ready for your clients' questionnaires? — free · 2 minutes.

Reviewed and optimised by AI.