GDPR processor: the compliance checklist

Host, managed services provider, SaaS vendor, BPO, agency: as soon as you process personal data on behalf of a client, you are a processor under the GDPR. Article 28 then imposes a precise contractual and operational baseline — one your European clients check ever more systematically. Here is how to turn it into control points.
Are you a processor? The one-question test
The question to ask: do you process personal data on behalf of, and on the instructions of, another organisation? If yes, you are a processor — whether you host a customer database, run outsourced payroll, handle files as a BPO or maintain a client's application. And you often wear both hats: controller for your own data (HR, prospecting, invoicing), processor for your clients' data.
An important point for providers outside the EU: even without being directly subject to the regulation, you inherit its obligations by contract as soon as your clients are subject to it. Article 28 forbids them from using a processor that does not offer "sufficient guarantees" — your compliance is therefore a condition of market access.
The Article 28 contract: what it must contain
No processing on behalf of a client without a written contract — the well-known DPA (data processing agreement). It sets the subject matter, duration, nature and purpose of the processing, the types of data and categories of data subjects, then eight processor commitments:
- process only on the controller's documented instructions, including for transfers outside the EU;
- ensure the confidentiality of the people authorised to process the data;
- implement the security measures of Article 32;
- engage a sub-processor only with prior written authorisation, passing the same obligations down;
- help the controller respond to data subject rights requests;
- assist with security, breach notification and impact assessments;
- delete or return the data at the end of the engagement;
- make compliance evidence available and allow audits, including inspections.
Day to day: records, security, breaches
The contract alone is not enough: Article 28 lives in operations. Three permanent workstreams. First, the record of categories of processing activities carried out for your clients (Article 30): client, nature of processing, any transfers, security measures. Second, demonstrable security: encryption, named access control, logging, tested backups — preferably immutable ones — without forgetting the underlying question of where your clients' data lives, covered in GDPR and hosting.
Finally, data breaches: you must notify your client "without undue delay" after becoming aware of one, because the client has 72 hours to notify the supervisory authority. Your detection speed therefore directly conditions its legal deadline: a written procedure, known to the on-call team and tested at least once a year, is not a luxury — it is the heart of the commitment.
Why your clients will audit you more
Every controller must prove it works only with processors offering sufficient guarantees: due-diligence questionnaires, audit clauses and annual reviews are becoming the norm — the same contractual mechanics NIS2 already imposes on suppliers of regulated entities, as we explain in NIS2: why your European client will ask for your DR plan. An evidence file ready to send turns this constraint into a commercial advantage: you become the processor that is easy to choose.
The Article 28 checklist
This checklist summarises typical obligations and is not legal advice: have your contracts and edge cases validated by specialist counsel — and to turn these requirements into infrastructure evidence, talk it through with a specialist.
| Control point | GDPR basis | You are ready if… |
|---|---|---|
| Signed data processing agreement | Art. 28(3) | Every processing for a client is covered by a complete written contract |
| Documented instructions | Art. 28(3)(a) | Instructions are archived; any out-of-contract request is flagged before execution |
| Staff confidentiality | Art. 28(3)(b) | Confidentiality commitments signed, regular team awareness |
| Security of processing | Art. 32 | Encryption, named access, logs, backups tested and restorable |
| Sub-processing | Art. 28(2), (4) | Up-to-date sub-processor list, prior authorisation, obligations flowed down |
| Assistance with data subject rights | Art. 28(3)(e) | Procedure and deadlines defined to relay each request to the client |
| Breach notification | Art. 33(2) | Detection, qualification and client alert without undue delay — it has 72 hours |
| Record of activities | Art. 30(2) | Record of categories of processing kept up to date, exportable on demand |
| End of contract | Art. 28(3)(g) | Deletion or return of the data, with supporting evidence |
| Audits and evidence | Art. 28(3)(h) | Compliance file ready to send, audit arrangements set out in the contract |
How SOVALYX can help
Many Article 28 requirements are proven at infrastructure level: SOVALYX operates a private cloud where access is logged, backups are tested and the subcontracting chain is reduced to a documentable minimum. 24/7 supervision under SLA detects and qualifies an incident fast enough for your client to meet its 72-hour deadline. And our private internal LLMs guarantee that no client data ever leaves for a public AI — a point audits now check.
Talk compliance with an engineer🧰 The companion tool: Processor: are you ready for your clients' questionnaires? — free · 2 minutes.
Reviewed and optimised by AI.